On Tue, 19.07.22 16:15, Gerd Hoffmann (kraxel@redhat.com) wrote:
Moreover, this allows us to implement TPM policies that bind to signatures of PCR hashes, instead of the literal hash values. That makes the measurements a *million* times more useful, since we lose the brittleness on updates: if the expected PCR values can be pre-calculated by the vendor, and then be signed, then an update won't invalidate the policies anymore.
Another case which requires creating initrds at build time.
Yupp.
Zbigniew and I are working on making pre-built initrds for general purpose distros a reality, i.e. finding a way between keeping things reasonably modular but also pre-generated, immutable, pre-measurable, and thus have a tight trust chain at boot. We'll do two talks about that at Linux Plumbers Conference later this year.
Lennart
-- Lennart Poettering, Berlin
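The two policy styles contrasted above (a policy that matches literal PCR values versus one that accepts any PCR value carrying the vendor's signature), as an added toy model that is not part of this mail thread: a simulated SHA-256 PCR bank and an Ed25519 vendor key stand in for the TPM's own PCR and PolicyAuthorize machinery, and the component names and versions are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// extendPCR simulates a SHA-256 PCR: starting from all zeros, each component is
// folded in as PCR = SHA256(PCR || SHA256(component)), like TPM2_PCR_Extend.
func extendPCR(components [][]byte) []byte {
	pcr := make([]byte, sha256.Size)
	for _, c := range components {
		digest := sha256.Sum256(c)
		h := sha256.New()
		h.Write(pcr)
		h.Write(digest[:])
		pcr = h.Sum(nil)
	}
	return pcr
}

// literalPolicy models a PolicyPCR-style policy: release the secret only if the
// PCR equals the value captured when the secret was sealed. Any update breaks it.
func literalPolicy(sealedPCR, currentPCR []byte) bool {
	return bytes.Equal(sealedPCR, currentPCR)
}

// signedPolicy models a PolicyAuthorize-style policy: release the secret if the
// vendor key has signed the current PCR value, whatever that value is.
func signedPolicy(vendorPub ed25519.PublicKey, currentPCR, vendorSig []byte) bool {
	return ed25519.Verify(vendorPub, currentPCR, vendorSig)
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key
	oldBoot := [][]byte{[]byte("firmware"), []byte("kernel-5.18"), []byte("initrd-5.18")}
	newBoot := [][]byte{[]byte("firmware"), []byte("kernel-5.19"), []byte("initrd-5.19")}

	sealedAt := extendPCR(oldBoot)
	afterUpdate := extendPCR(newBoot)
	// The vendor pre-calculates the PCR the update will produce and signs it,
	// so the policy survives the update without re-sealing.
	sigNew := ed25519.Sign(vendorPriv, afterUpdate)

	fmt.Println("literal policy after update:", literalPolicy(sealedAt, afterUpdate))
	fmt.Println("signed policy after update: ", signedPolicy(vendorPub, afterUpdate, sigNew))
}
```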