[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Producing verifiable initramfs images

An interesting challenge you've taken up, I fear it's going to be a lot of work.

On almost all of my older installs, the initramfs is built with MODULES=dep, because otherwise /boot runs out of space; the amount of space MODULES=most takes is ever-increasing. So the kernel packages plopping a default initramfs in /boot would break those systems (but that's solvable e.g., by having it be an optional extra binary package)

Even with the default, it's possible to include extra modules — either by the admin plopping them in /etc/initramfs-tools/modules or I believe through package hooks. (I'm not sure if it also does the work MODULES=dep does and adds any extra modules found). But maybe as long as the kernel is only loading signed modules, it's OK to put additional modules in an extra, non-TPM-measured archive?

/etc/modprobe.d is included in initramfs. That's going to be challenging because it can include both configuration and code, and even without the code, "arbitrary kernel modules loaded with arbitrary options" seems to big a difference to ignore. And you can't not include this, since initramfs loads so many modules.

Local udev rules (from /etc/udev/rules.d/) are included as well; they wind up in /usr/lib/udev/rules.d on the initramfs. Those are again an interesting combination of configuration and code.

Reply to: