Re: Producing verifiable initramfs images

An interesting challenge you've taken up, I fear it's going to be a lot

On almost all of my older installs, the initramfs is built with
MODULES=dep, because otherwise /boot runs out of space; the amount of
space MODULES=most takes is ever-increasing. So the kernel packages
plopping a default initramfs in /boot would break those systems (but
that's solvable e.g., by having it be an optional extra binary package).

Even with the default, it's possible to include extra modules — either
by the admin plopping them in /etc/initramfs-tools/modules or I believe
through package hooks. (I'm not sure if it also does the work
MODULES=dep does and adds any extra modules found). But maybe as long as
the kernel is only loading signed modules, it's OK to put additional
modules in an extra, non-TPM-measured archive?

/etc/modprobe.d is included in initramfs. That's going to be challenging
because it can include both configuration and code, and even without the
code, "arbitrary kernel modules loaded with arbitrary options" seems too
big a difference to ignore. And you can't not include this, since
initramfs loads so many modules.

Local udev rules (from /etc/udev/rules.d/) are included as well; they
wind up in /usr/lib/udev/rules.d on the initramfs. Those are again an
interesting combination of configuration and code.
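
The local inputs named in the message above can be enumerated before deciding what a verifiable image would have to pin or measure. The following is an added example, not part of the original message and not initramfs-tools code; the function name, the tab-separated output and the config/code classification (modprobe `install`/`remove` lines and udev `RUN`/`PROGRAM`/`IMPORT{program}` keys run commands) are this example's own assumptions.

```shell
#!/bin/sh
# Added example: list the local files that initramfs-tools folds into the image,
# per the message above. Output lines are tab-separated: kind, path, detail.
# Call as: initramfs_local_inputs /      (or pass a chroot / test tree)

initramfs_local_inputs() {
    root="${1%/}"
    etc="$root/etc"

    # MODULES= policy (most, dep, ...) from initramfs.conf and conf.d overrides.
    for f in "$etc/initramfs-tools/initramfs.conf" "$etc"/initramfs-tools/conf.d/*; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*MODULES=\([A-Za-z]*\).*/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then
            printf 'policy\t%s\tMODULES=%s\n' "${f#"$root"}" "$v"
        fi
    done

    # Admin-added modules: one "name [args ...]" entry per non-comment line.
    f="$etc/initramfs-tools/modules"
    if [ -f "$f" ]; then
        sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$f" |
        while read -r mod opts; do
            printf 'module\t%s\t%s\n' "${f#"$root"}" "$mod${opts:+ $opts}"
        done
    fi

    # modprobe.d: options/blacklist/alias are configuration;
    # install/remove lines execute a shell command, so they count as code.
    for f in "$etc"/modprobe.d/*.conf; do
        [ -f "$f" ] || continue
        kind=config
        if grep -Eq '^[[:space:]]*(install|remove)[[:space:]]' "$f"; then kind=code; fi
        printf 'modprobe\t%s\t%s\n' "${f#"$root"}" "$kind"
    done

    # Local udev rules: any uncommented RUN, PROGRAM or IMPORT{program} key
    # is flagged as code (conservative: RUN{builtin} is flagged too).
    for f in "$etc"/udev/rules.d/*.rules; do
        [ -f "$f" ] || continue
        kind=config
        if grep -Eq '^[^#]*(RUN|PROGRAM|IMPORT\{program\})' "$f"; then kind=code; fi
        printf 'udev\t%s\t%s\n' "${f#"$root"}" "$kind"
    done
    return 0
}
```

An empty result means none of these local inputs exist under the given root; any `code` line marks a file that carries commands rather than only options.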