Proposed F19 Feature: Dracut HostOnly
Nicolas Mailhot
nicolas.mailhot at laposte.net
Tue Jan 29 16:40:04 UTC 2013
Le Mar 29 janvier 2013 17:09, drago01 a écrit :
> On Tue, Jan 29, 2013 at 4:53 PM, Nicolas Mailhot
> <nicolas.mailhot at laposte.net> wrote:
>>
>> Le Mar 29 janvier 2013 16:42, Matthew Miller a écrit :
>>> On Tue, Jan 29, 2013 at 10:42:29AM -0500, Matthew Miller wrote:
>>>> On Tue, Jan 29, 2013 at 02:45:34PM +0000, Jaroslav Reznik wrote:
>>>> > Only create "host-only" initramfs images. A generic fallback image
>>>> should be
>>>> > installed by anaconda on installation/update and never ever be
>>>> removed.
>>>> Will there be a way to opt out of this? The fallback image will
>>>> consume
>>>> space and not be useful in situations where one doesn't have the
>>>> access
>>>> to
>>>> boot into it. (Eg., EC2.)
>>>
>>> Clarification: opt out of the generic fallback image. Not the rest. :)
>>
>> Also, fallback has interesting security properties…
>
> Not sure what you mean ... care to elaborate?
Current rescue disc allow bypass of pretty much all the security controls
on installed systems. (that's why some entities disable optical drive in
bios and glue usb ports). Will fallback perform the security checks of
the main boot path? When I see 'never ever be removed' does that mean this
will make sure any Fedora box will have a boot entry to an old kernel,
with known security bugs, that you only need to trick boot into to get a
vulnerable system?
--
Nicolas Mailhot
More information about the devel
mailing list