Re: RFC: live-initramfs 2.x features

* intrigeri <intrigeri@boum.org> wrote:
> Michael Prokop wrote (24 Jan 2010 12:50:50 GMT) :

>> But if you're working in IT forensics and/or have special security
>> requirements this won't be enough. Someone could prepare a device
>> that fulfills the uuid requirements but provides a hacked
>> filesystem which does "something you definitely don't want". ;) So
>> you need additional ways to make sure you're booting the correct
>> filesystem and that's what I'm currently working on.

> Could you please give us some hints about the ideas you are
> experimenting with in this field? I guess you at least need a trusted
> kernel / initrd to check the squashfs, else you end up asking a system
> to verify itself, which seems to be a dead-end.

Right - the kernel and the initrd are the only components you can
and actually have to trust. That's why the verification has to
happen in the initrd. More details available at a later stage.
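
One way such a check could run from the initrd, as an added example that is not part of this thread and not Michael Prokop's implementation. It assumes a sha256sum-format manifest was placed in the initrd at build time; the function name, manifest and paths are hypothetical.

```shell
#!/bin/sh
# Added example: verify a root filesystem image from inside the initrd.
# Assumptions (not from the thread): the manifest is in sha256sum format
# ("<hex digest>  <file name>") and was baked into the initrd at build
# time, so it is only as trustworthy as the initrd itself.

# verify_rootfs IMAGE MANIFEST
# Returns 0 only if IMAGE's SHA-256 matches its manifest entry.
# Returns 1 on a digest mismatch, 2 when the check cannot be done (fail closed).
verify_rootfs() {
    image=$1
    manifest=$2

    # Refuse anything that is not a readable regular file.
    [ -f "$image" ] && [ -r "$image" ] || { echo "verify: cannot read $image" >&2; return 2; }
    [ -f "$manifest" ] || { echo "verify: manifest missing" >&2; return 2; }

    name=$(basename "$image")
    # Look up the expected digest by exact file name (text or binary "*" form);
    # take the first match only.
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$manifest")
    if [ -z "$expected" ]; then
        echo "verify: no manifest entry for $name" >&2
        return 2
    fi

    # A device can match the expected UUID and still carry a modified image;
    # the content digest is what distinguishes the two.
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "verify: digest mismatch for $name" >&2
        return 1
    fi
    return 0
}

# Hypothetical use in a boot script: mount only after verification succeeds.
# verify_rootfs /live/image/live/filesystem.squashfs /etc/rootfs.sha256 || exit 1
```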

