On Di, 05.04.22 17:38, Chris Murphy (
lists(a)colorremedies.com)
wrote:
Let me stress one thing though: Fedora *has* *no* working SecureBoot
implementation. The initrd is not authenticated. It has no signatures,
nothing.
By disabling SecureBoot you effectively lose exactly nothing in terms
of security right now.
What good is a trusted boot loader or kernel if it then goes on
loading an initrd that is not authenticated, super easy to modify (I
mean, seriously, any idiot script kiddie can unpack a cpio, add some
shell script and pack it up again, replacing the original one) – and
it's the component that actually reads your FDE LUKS password.
I mean, let's not pretend unsigned drivers were a big issue for
security right now. They are now, we have much much much wider gaping
holes in our stack.
Lennart
--
Lennart Poettering, Berlin
To achieve such feature(SecureBoot signer Unified Images) I've had to make some
hack'ish scripts to run dracut a second time glueing all together and signing it,
after generating the initrd inside /boot:
-
Not proud of it, but it works(and I have cmdline + initrd + kernel + modules all signed as
a bundle).
This could be the spark of a package idea for Unified images
nwildner