Re: RFC: live-initramfs 2.x features
* intrigeri <firstname.lastname@example.org> wrote:
> Michael Prokop wrote (24 Jan 2010 12:50:50 GMT) :
>> But if you're working in IT forensics and/or have special security
>> requirements this won't be enough. Someone could prepare a device
>> that fulfills the uuid requirements but provides a hacked
>> filesystem which does "something you definitely don't want". ;) So
>> you need additional ways to make sure you're booting the correct
>> filesystem and that's what I'm currently working on.
> Could you please give us some hints about the ideas you are
> experimenting with in this field? I guess you at least need a trusted
> kernel / initrd to check the squashfs, else you end up asking a system
> to verify itself, which seems to be a dead-end.
Right - the kernel and the initrd are the only components you can
and actually have to trust. That's why the verification has to
happen in the initrd. More details available at a later stage.
http://michael-prokop.at/ || http://adminzen.org/
http://grml-solutions.com/ || http://grml.org/
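
One way to do the kind of check this thread is about, as an added example: it is not part of the original message and not the author's implementation, which the message does not describe. It assumes a SHA-256 digest of the filesystem image is shipped inside the trusted initrd; the function names and the digest file are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical names): verify a root filesystem image from
# inside the initrd before mounting it. A matching UUID says nothing about
# the contents; the digest compared here lives in the initrd, not on the
# medium that is being checked.

# digest_of FILE: print the lowercase hex SHA-256 of FILE (empty on error).
digest_of() {
    sha256sum "$1" 2>/dev/null | cut -d' ' -f1
}

# verify_image IMAGE DIGEST_FILE
#   0 = image matches the digest stored in the initrd
#   1 = image readable but digest differs (tampered or wrong medium)
#   2 = cannot decide (missing file, malformed digest); treated as failure
verify_image() {
    image=$1
    digest_file=$2

    [ -r "$image" ] || { echo "verify: cannot read image $image" >&2; return 2; }
    [ -r "$digest_file" ] || { echo "verify: no digest file $digest_file" >&2; return 2; }

    # Accept either a bare digest or "digest  filename" (sha256sum format).
    read -r expected _ < "$digest_file" || [ -n "$expected" ] || return 2
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')

    # Fail closed on anything that is not exactly 64 hex characters.
    case $expected in
        *[!0-9a-f]*) echo "verify: malformed digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "verify: malformed digest" >&2; return 2; }

    actual=$(digest_of "$image")
    [ -n "$actual" ] || { echo "verify: hashing failed" >&2; return 2; }

    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "verify: digest mismatch for $image, refusing to boot it" >&2
    return 1
}

# In a boot script the caller would mount the image only on success, e.g.:
#   verify_image "$candidate" /etc/rootfs.sha256 || panic "untrusted rootfs"
# (the path and the panic helper are assumptions, not live-initramfs code).
```
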