[systemd-devel] why systemd-boot (seems as everyone else) does not check the signatures of initramfs?

Felix Rubio felix at kngnt.org
Mon May 29 09:42:39 UTC 2023


Hi everybody,

Continuing the work/learning path I started last week, I have had a 
development: Still with shim loading systemd-boot, which can read the 
kernel and initramfs from XBOOTLDR partition, I have introduced LUKS to 
encrypt the root partition (XBOOTLDR is not encrypted).

Originally I was planning to move from this to UKI so that I can make 
sure that both kernel and initramfs are checked before booting, but 
today I have considered a different course of action: Should I use the 
TPM to store a key to decrypt the disk like this:

systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+1+7+9

Then, by using PCR9 the initrd would be checked before allowing the boot 
sequence to continue. By doing this, then, I do not have to switch to 
UKI until I have learned more about it.

Do you guys think this reasoning is flawed?

Thank you,

---
Felix Rubio
"Don't believe what you're told. Double check."

On 2023-05-25 10:26, Lennart Poettering wrote:
> On Mi, 24.05.23 19:01, Felix Rubio (felix at kngnt.org) wrote:
> 
>> Hi Lennart,
>> 
>> "Sorry, but GPG is a no-go. Not in 2023."
>> 
>> Yes, I understand that. What I am trying to get is a simple way to
>> verify that the initramfs has not been tampered with. UKI comes with
>> its own challenges, using encryption tied to a measured boot looks
>> overkill, and I fully agree that adding an authentication layer is not
>> desirable.
> 
> I am not sure what "challenges" you specifically have in mind, but a
> UKI with an initrd in a PE envelope (i.e. the "add-on" concept I
> mentioned), then you should be pretty close to current behaviour, no?
> 
>> Then... what alternatives are available for just performing
>> verification of the initramfs? I was giving a look at IMA now, so this
>> could be sorted with a policy... but I think this is not supported in
>> sd-boot.
> 
> IMA verifies files after the kernel is up, not before. It's not
> suitable for validating initrds.
> 
> Anyway, you should really ask yourself what cryptographic key you want
> to authenticate against. Local or vendor one, and where shall it be
> stored. That dictates your choices more than anything else.
> 
>> In the case I wrap the initramfs in a PE envelope, as you suggested,
>> when would its signature then be validated automatically? When it gets
>> loaded? Because, if so... this would work enough for this use case.
> 
> In the "add-on" module for UKIs I mentioned the validation of both the
> UKI and the add-ons are done via regular UEFI SecureBoot or via
> shim. Both UKIs and add-ons are just PE files after all that thus can
> be verified that way. Because the files can be authenticated via shim
> you get MOK and so on.
> 
> Lennart
> 
> --
> Lennart Poettering, Berlin
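To make the reasoning in the question concrete, here is a small added model of what binding a LUKS key to PCRs 0+1+7+9 actually buys. It is illustration code written for this thread, not systemd or TPM code, and it simplifies the TPM2 policy arithmetic (a real PolicyPCR digest is computed differently, but it has the same all-or-nothing property). The PCR assignment it assumes is the conventional one: PCR 0 firmware code, PCR 1 firmware configuration, PCR 7 Secure Boot state, PCR 9 for the kernel and initrd measured by the kernel stage. All boot artifacts are constructed byte strings.

```python
"""Simplified model of PCR-bound disk unlock (illustration, not systemd code).

Constructed scenario: a boot chain measures firmware, firmware config,
Secure Boot state, and the kernel + initrd into PCRs 0, 1, 7 and 9. A
secret is sealed to a policy over those PCRs and is only released when
every measurement matches the values present at enrollment time.
"""
import hashlib
from typing import Dict, Iterable, Optional

PCR_SIZE = 32  # SHA-256 bank, all PCRs start as zeros


def pcr_extend(current: bytes, data: bytes) -> bytes:
    """TPM extend operation: new = H(current || H(data)).

    Extending is one-way and order-dependent, so a PCR value can only be
    reproduced by measuring exactly the same sequence of data.
    """
    return hashlib.sha256(current + hashlib.sha256(data).digest()).digest()


def measure_boot(firmware: bytes, fw_config: bytes, sb_state: bytes,
                 kernel: bytes, initrd: bytes) -> Dict[int, bytes]:
    """Produce the PCR bank a (constructed) boot chain would leave behind.

    Assumed mapping: PCR 0 firmware code, PCR 1 firmware configuration,
    PCR 7 Secure Boot policy, PCR 9 kernel-stage files (kernel, initrd).
    """
    pcrs = {i: bytes(PCR_SIZE) for i in (0, 1, 7, 9)}
    pcrs[0] = pcr_extend(pcrs[0], firmware)
    pcrs[1] = pcr_extend(pcrs[1], fw_config)
    pcrs[7] = pcr_extend(pcrs[7], sb_state)
    pcrs[9] = pcr_extend(pcrs[9], kernel)
    pcrs[9] = pcr_extend(pcrs[9], initrd)
    return pcrs


def policy_digest(pcrs: Dict[int, bytes], selection: Iterable[int]) -> bytes:
    """Hash the selected PCR values in index order (simplified PolicyPCR)."""
    h = hashlib.sha256()
    for idx in sorted(selection):
        h.update(idx.to_bytes(1, "big") + pcrs[idx])
    return h.digest()


def seal(secret: bytes, pcrs: Dict[int, bytes], selection: Iterable[int]) -> dict:
    """Bind a secret to the current values of the selected PCRs."""
    sel = tuple(sorted(selection))
    return {"pcrs": sel, "policy": policy_digest(pcrs, sel), "secret": secret}


def unseal(blob: dict, pcrs: Dict[int, bytes]) -> Optional[bytes]:
    """Release the secret only if the PCR policy is satisfied, else None.

    A modified initrd is still executed by the boot loader; what fails is
    the key release, so the boot ends up at a passphrase prompt instead of
    unlocking silently. This is tamper evidence for the unlock, not a
    signature check that refuses to run the initrd.
    """
    if policy_digest(pcrs, blob["pcrs"]) != blob["policy"]:
        return None
    return blob["secret"]


def demo() -> Dict[str, bool]:
    """Enroll at a known-good state, then try to unseal after changes."""
    good = dict(firmware=b"fw-1.0", fw_config=b"cfg", sb_state=b"SecureBoot=1",
                kernel=b"vmlinuz-6.3", initrd=b"initramfs-6.3.img")
    blob = seal(b"luks-volume-key", measure_boot(**good), (0, 1, 7, 9))

    def attempt(**changes) -> bool:
        state = {**good, **changes}
        return unseal(blob, measure_boot(**state)) is not None

    return {
        "intact": attempt(),
        "tampered_initrd": attempt(initrd=b"initramfs-6.3.img-with-extra-hook"),
        "tampered_kernel": attempt(kernel=b"vmlinuz-6.3-modified"),
        "secureboot_off": attempt(sb_state=b"SecureBoot=0"),
    }


if __name__ == "__main__":
    for case, unlocked in demo().items():
        print(f"{case:18s} unlocked={unlocked}")
```

The point the model makes: binding to PCR 9 does tie the key release to the exact initrd bytes, but it also ties it to the kernel and to anything else measured into the same PCR, so every kernel or initrd update requires re-enrollment (or a pre-computed policy), and the failure mode is a withheld key rather than a refused boot.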

