On Mon, Jun 27, 2022 at 6:33 PM Gerd Hoffmann kraxel@redhat.com wrote:
On Sun, Jun 19, 2022 at 08:54:51PM -0000, Sharpened Blade via devel wrote:
Use unified kernel images by default for new releases. This can allow for the local installation to sign the kernel and the initrd, so the boot chain can be verified until after the uefi. Currently, the initrd can be modified by attackers, so even if the / partition is encrypted, the systems data can be read on the next boot. If the kernel image, which includes the command line, and the initrd, is signed then it is harder to comprimise the system. The system can still be comprimised if the uefi is modified.
If this was used, then the kernel could no longer be signed in the package by the fedora infrastructure.
I'd rather have fedora ship a unified + signed kernel image with a generic (aka 'dracut --no-hostonly') initrd instead of generating one on the local system.
I think the issue with this is the initrd side blows out a lot, you include all the firmware for all the modules in the system and then you have 3 of them in /boot.
I do wonder if it's possible to use multiple initrds, and maybe have the firmware in a separate initrd shared between all installed kernels if we go down this route.
Dave.