On Fri, Jul 01, 2022 at 08:30:21AM +0200, Gerd Hoffmann wrote:
On Fri, Jul 01, 2022 at 06:39:41AM +1000, David Airlie wrote:
> I do wonder if it's possible to use multiple initrds, and maybe have
> the firmware in a separate initrd shared between all installed kernels
> if we go down this route.
grub supports multiple initrds just fine. According to
https://fedoraproject.org/wiki/Changes/BootLoaderSpecByDefault grub
supports multiple initrd files also with bls. That seems to be a
deviation from the original boot loader spec though, so not sure this
works with systemd-boot too.
When going for multiple initrds the best approach is probably to simply
split out the kernel modules into a version-specific initrd and store
everything else in another, shared initrd.
That doesn't help much though if we want to have a unified kernel image
(aka single efi binary with kernel + initrd) to get the initrd signed
that way.
Hmm.
Are there any existing approaches to sign initrds? grub seems to
support detached gpg signatures. Doesn't look that attractive given
that the whole secure boot process uses x509 instead so using gpg
would require maintaining yet another key ...
take care,
Gerd
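The multi-initrd split and the signing question above, as an added example that is not part of the thread or of any of the projects mentioned: a small parser for a Boot Loader Specification type #1 entry that carries several `initrd` lines (shared firmware initrd plus a version-specific one), the equivalent grub `linux`/`initrd` commands, and a check for which of the listed artifacts has a detached signature sitting next to it. It assumes repeated `initrd` keys are loaded in the order listed, as the Fedora change page describes, and that a detached GPG signature lives at `<file>.sig`, which is where grub's `check_signatures=enforce` looks for it. The entry text, file names and version string are constructed for the example.

```python
"""Added example: parse a Boot Loader Specification (BLS) type #1 entry with
several `initrd` lines and audit which boot artifacts carry a detached
signature next to them.

Assumptions (not from the thread): repeated `initrd` keys are loaded in the
order listed, as the Fedora grub change page describes; grub with
`check_signatures=enforce` expects a detached GPG signature at `<file>.sig`;
all names below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from pathlib import Path
import tempfile

# Constructed sample entry: one initrd shared by all installed kernels and one
# kernel-version-specific initrd with the modules, the split discussed above.
SAMPLE_ENTRY = """\
title   Example Linux (5.19.0-example)
version 5.19.0-example
linux   /vmlinuz-5.19.0-example
# shared between all installed kernels
initrd  /initramfs-firmware.img
# version specific: kernel modules and the rest of the early userspace
initrd  /initramfs-5.19.0-example.img
options root=UUID=0000-0000 ro quiet
"""


@dataclass
class BlsEntry:
    title: str = ""
    version: str = ""
    linux: str = ""
    initrds: list[str] = field(default_factory=list)
    options: str = ""


def parse_bls_entry(text: str) -> BlsEntry:
    """Parse the key/value lines of a BLS type #1 entry.

    Key and value are separated by whitespace; `initrd` may repeat and the
    order of the repeats is kept. Unknown keys and comments are ignored.
    """
    entry = BlsEntry()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "title":
            entry.title = value
        elif key == "version":
            entry.version = value
        elif key == "linux":
            entry.linux = value
        elif key == "initrd":
            entry.initrds.append(value)
        elif key == "options":
            entry.options = value
    return entry


def grub_commands(entry: BlsEntry) -> list[str]:
    """Equivalent grub.cfg commands; grub's `initrd` accepts several files."""
    cmds = [f"linux {entry.linux} {entry.options}".rstrip()]
    if entry.initrds:
        cmds.append("initrd " + " ".join(entry.initrds))
    return cmds


def audit_signatures(entry: BlsEntry, boot_root: Path) -> dict[str, bool]:
    """Map each boot artifact to whether a `<file>.sig` exists next to it.

    With grub's `check_signatures=enforce` every file grub reads, the initrds
    included, needs such a signature: a False here is an artifact grub would
    refuse, or, with enforcement off, load without any verification.
    """
    result: dict[str, bool] = {}
    for rel in [entry.linux, *entry.initrds]:
        target = boot_root / rel.lstrip("/")
        sig = target.with_name(target.name + ".sig")
        result[rel] = target.is_file() and sig.is_file()
    return result


def demo() -> dict[str, bool]:
    """Build a throwaway boot directory where only the kernel and the shared
    initrd are signed, then audit the sample entry against it."""
    entry = parse_bls_entry(SAMPLE_ENTRY)
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp)
        for rel in [entry.linux, *entry.initrds]:
            (boot / rel.lstrip("/")).write_bytes(b"constructed placeholder")
        # The per-kernel initrd is regenerated on every kernel install and is
        # the one most easily left without a signature; leave it unsigned here.
        for rel in [entry.linux, entry.initrds[0]]:
            (boot / (rel.lstrip("/") + ".sig")).write_bytes(b"constructed sig")
        return audit_signatures(entry, boot)


if __name__ == "__main__":
    e = parse_bls_entry(SAMPLE_ENTRY)
    print("\n".join(grub_commands(e)))
    for name, ok in demo().items():
        print(f"{'signed  ' if ok else 'UNSIGNED'} {name}")
```

Run as-is it prints the grub commands for the sample entry and flags the version-specific initrd as unsigned; pointing `audit_signatures` at a real `/boot` with a real entry from `/boot/loader/entries/` turns it into a quick check that every initrd grub will load is covered before `check_signatures=enforce` is switched on.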