Hi,
We have been working on building tools and filling gaps to make that
workable reasonably in systemd upstream, and with a focus on
Fedora. The difficulty is in both being able to prebuild everything
but also keeping things somewhat modular and parameterizable. Because
right now those are the primary reasons initrds are built on the
installed host instead of Fedora: they contain local configuration and
drivers. If we prebuild everything we must have a model to
replace these parts, without compromising security, and that's not
trivial.
Is all this discussed somewhere in public?
systemd-devel list maybe?
For virtual machines we need some way to make sure they actually run
the software we want them to run, and it seems the options we have are:
(1) finally plug that initrd hole, or
(2) use encrypted /boot
... where (2) feels more like a workaround for the unsigned initrd
problem and it also opens another can of worms like requiring luks
support in the boot loader.
I guess you already have a list of the "local configuration" bits
which must be tackled? Obvious #1 is finding the root filesystem.
Should be solvable with discoverable partitions. A few days back
I've found a 7 (!) year old bug[1] of yours truly asking to support
that in anaconda, still in NEW state :(
take care,
Gerd
[1]
https://bugzilla.redhat.com/show_bug.cgi?id=1075288