[meta-intel] [PATCH RFC 0/4] Super simple secure boot implementation not requiring combo app
Patrick Ohly
patrick.ohly at intel.com
Sun Jul 16 23:26:54 PDT 2017
On Fri, 2017-07-14 at 19:11 -0700, California Sullivan wrote:
> I'm not sure why I never tried just signing the kernel and systemd-boot,
> but it works. If either one is not signed, it causes gives a security
> violation error.
>
> A con of this implementation is that unlike the combo app, we don't
> inherently validate the initrd. In the future we could require that
> an initrd is not used with secure boot unless the combo app is chosen.
A lot of functionality in refkit (and elsewhere) depends on an an
initramfs, like setting up dm-verity, dm-crypt/LUKS and OSTree. I
consider not supporting an initramfs a deal breaker. It might be good
enough for some systems, but I'm not sure about that.
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
More information about the meta-intel
mailing list