Re: Producing verifiable initramfs images

[Anthony DeRobertis <anthony@derobert.net>]

An interesting challenge you've taken up, I fear it's going to be a lot 
of work.

On almost all of my older installs, the initramfs is built with 
MODULES=dep, because otherwise /boot runs out of space; the amount of 
space MODULES=most takes is ever-increasing. So the kernel packages 
plopping a default initramfs in /boot would break those systems (but 
that's solvable e.g., by having it be an optional extra binary package)

Even with the default, it's possible to include extra modules — either 
by the admin plopping them in /etc/initramfs-tools/modules or I believe 
through package hooks. (I'm not sure if it also does the work 
MODULES=dep does and adds any extra modules found). But maybe as long as 
the kernel is only loading signed modules, it's OK to put additional 
modules in an extra, non-TPM-measured archive?

/etc/modprobe.d is included in initramfs. That's going to be challenging 
because it can include both configuration and code, and even without the 
code, "arbitrary kernel modules loaded with arbitrary options" seems to 
big a difference to ignore. And you can't not include this, since 
initramfs loads so many modules.

Local udev rules (from /etc/udev/rules.d/) are included as well; they 
wind up in /usr/lib/udev/rules.d on the initramfs. Those are again an 
interesting combination of configuration and code.