On Tue, Jan 21, 2020 at 09:09:16AM +0100, Petr Pisar wrote:
> On Tue, Jan 21, 2020 at 12:57:50AM +0000, Matthew Garrett wrote:
> > Any thoughts on this?
> >
> A properly measured system must measure all inputs. If you move the varying
> bits from initramfs to another file, a boot loader will have to measure that
> other file. At the end that's exactly what GRUB2 does. It measures any
> loaded file.

Yes, I wrote that code. The point of measurements is to be able to make
a policy determination. If the contents of a file aren't security
relevant then you don't care about its contents, but you do want to
ensure that it ends up in a position where it can't interfere with any
other security relevant codepath. In that scenario you want to measure
the path, not the contents (or, rather, you can measure both and the
policy agent can ignore the contents).

> In my opinion, your proposal does not solve the problem. It actually makes
> things worse because the booted code would become bigger and probably slower.

I'm not clear how that follows.
--
Matthew Garrett | mjg59(a)srcf.ucam.org
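The measure-both-but-let-the-policy-decide model from the reply above, as an added example that is not part of the thread and not GRUB2's or any attestation daemon's code. It simulates a boot loader that measures every loaded file (path plus content digest) into one PCR-style register, and a policy agent that requires known digests for the kernel and initramfs, requires the per-machine "varying bits" file to be loaded only from its expected path, and deliberately ignores that file's contents. All paths, file contents and the register layout are constructed placeholders.

```python
"""Policy evaluation over a simulated boot measurement log (added example)."""
from __future__ import annotations

import hashlib
from typing import List, NamedTuple, Tuple


class Event(NamedTuple):
    path: str            # path the boot loader loaded the file from
    content_digest: str  # hex SHA-256 of the file contents


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def extend(pcr: bytes, event: Event) -> bytes:
    """TPM-style extend: new = H(old || H(path || content_digest))."""
    event_digest = hashlib.sha256(
        event.path.encode() + bytes.fromhex(event.content_digest)
    ).digest()
    return hashlib.sha256(pcr + event_digest).digest()


def replay(log: List[Event]) -> str:
    """Recompute the register value the hardware would hold after this log."""
    pcr = bytes(32)  # simulated register starts zeroed
    for ev in log:
        pcr = extend(pcr, ev)
    return pcr.hex()


# Constructed "known good" boot artefacts (placeholder bytes, not real images).
KERNEL = b"constructed-kernel-image"
INITRAMFS = b"constructed-initramfs-without-the-varying-bits"
KNOWN_GOOD = {
    "/boot/vmlinuz": sha256_hex(KERNEL),
    "/boot/initramfs.img": sha256_hex(INITRAMFS),
}
# The file carrying the per-machine varying bits: its contents are not
# security relevant, but it may only ever be loaded from this path.
CONTENT_IGNORED = {"/boot/machine-config"}


def evaluate(log: List[Event], reported_pcr: str) -> Tuple[bool, List[str]]:
    """Policy decision over a measurement log.

    The log must reproduce the reported register value, every security
    relevant file must match its known digest, every required file must be
    present, and no unexpected path may appear. Contents of CONTENT_IGNORED
    paths are measured but ignored by the policy.
    """
    reasons: List[str] = []
    if replay(log) != reported_pcr:
        reasons.append("log does not reproduce the reported PCR value")
    seen = set()
    for ev in log:
        if ev.path in KNOWN_GOOD:
            if ev.content_digest != KNOWN_GOOD[ev.path]:
                reasons.append(f"unexpected contents for {ev.path}")
        elif ev.path in CONTENT_IGNORED:
            pass  # measured, but the policy deliberately ignores the contents
        else:
            reasons.append(f"unexpected file loaded: {ev.path}")
        seen.add(ev.path)
    for path in KNOWN_GOOD:
        if path not in seen:
            reasons.append(f"required file not measured: {path}")
    return (not reasons, reasons)


def make_log(config: bytes, config_path: str = "/boot/machine-config") -> List[Event]:
    """Constructed boot sequence: kernel, initramfs, then the varying file."""
    return [
        Event("/boot/vmlinuz", sha256_hex(KERNEL)),
        Event("/boot/initramfs.img", sha256_hex(INITRAMFS)),
        Event(config_path, sha256_hex(config)),
    ]


if __name__ == "__main__":
    for cfg in (b"host-a", b"host-b"):
        log = make_log(cfg)
        print(cfg.decode(), replay(log)[:16], evaluate(log, replay(log)))
```

Two machines with different varying bits produce different register values, yet both pass, because the policy keys on the paths and on the digests of the security relevant files only; a moved or renamed varying file, or a changed kernel, fails.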