On Fri, Jul 01, 2022 at 06:39:41AM +1000, David Airlie wrote:
On Mon, Jun 27, 2022 at 6:33 PM Gerd Hoffmann
<kraxel(a)redhat.com> wrote:
>
> On Sun, Jun 19, 2022 at 08:54:51PM -0000, Sharpened Blade via devel wrote:
> > Use unified kernel images by default for new releases. This can allow
> > for the local installation to sign the kernel and the initrd, so the
> > boot chain can be verified until after the uefi. Currently, the initrd
> > can be modified by attackers, so even if the / partition is encrypted,
> > the systems data can be read on the next boot. If the kernel image,
> > which includes the command line, and the initrd, is signed then it is
> > harder to comprimise the system. The system can still be comprimised
> > if the uefi is modified.
> >
> > If this was used, then the kernel could no longer be signed in the
> > package by the fedora infrastructure.
>
> I'd rather have fedora ship a unified + signed kernel image with a
> generic (aka 'dracut --no-hostonly') initrd instead of generating one
> on the local system.
I think the issue with this is the initrd side blows out a lot, you
include all the firmware for all the modules in the system and then
you have 3 of them in /boot.
I do wonder if it's possible to use multiple initrds, and maybe have
the firmware in a separate initrd shared between all installed kernels
if we go down this route.
grub supports multiple initrds just fine. According to
https://fedoraproject.org/wiki/Changes/BootLoaderSpecByDefault grub
supports multiple initrd files also with bls. That seems to be a
derivation from the original boot loader spec though, so not sure this
works with systemd-boot too.
When going for multiple initrds the best approach is probably to simply
split out the kernel modules into a version-specific initrd and store
everything else in another, shared initrd.
take care,
Gerd