On 7/4/22 04:13, Lennart Poettering wrote:
> On Fr, 01.07.22 08:30, Gerd Hoffmann (kra...@redhat.com) wrote:
> 
>>> I do wonder if it's possible to use multiple initrds, and maybe have
>>> the firmware in a separate initrd shared between all installed kernels
>>> if we go down this route.
>>
>> grub supports multiple initrds just fine.  According to
>> https://fedoraproject.org/wiki/Changes/BootLoaderSpecByDefault grub
>> supports multiple initrd files also with bls.  That seems to be a
>> derivation from the original boot loader spec though, so not sure this
>> works with systemd-boot too.
>>
>> When going for multiple initrds the best approach is probably to simply
>> split out the kernel modules into a version-specific initrd and store
>> everything else in another, shared initrd.
> 
> In the approach Zbigniew and I are working on we intend to build a
> basic initrd into the kernel itself (i.e. in a unified kernel logic)
> and then optionally load additional initrd images that can be
> placed next to the kernel image and are picked up by the EFI stub
> (i.e. by the EFI code that runs as part of the kernel when it runs in
> EFI mode still, before we transition to Linux mode, i.e. where all the
> EFI file systems are still accessible), and are passed to the kernel,
> measured and then very early on overlaid on top of the basic initrd
> image (i.e. in an immutable overlayfs stack).
> 
> In such an approach the basic initrd would be able to just boot 90% of
> the systems, and for the other 10% we'd just add a couple of extension
> images next to the kernel image, and that's it.
> 
> (the extension images would be signed dm-verity squashfs, to ensure
> everything is authenticated)
> 
> Lennart

Would the extension images also be measured into the TPM?
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
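
Added example, not part of the thread and not systemd's or the EFI stub's code: a sketch of what measuring a base initrd plus extension images into a TPM PCR gives a verifier, using the standard extend rule new = H(old || digest). The SHA-256 bank, the single PCR, the file names and the image contents are assumptions constructed for illustration.

```python
import hashlib

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    # TPM extend: new PCR = H(old PCR || digest of measured data)
    return sha256(pcr + digest)

def measure_boot(images):
    """Boot side: measure each (name, data) in load order.
    Returns the final PCR value and the event log."""
    pcr, log = bytes(32), []          # PCR starts as 32 zero bytes
    for name, data in images:
        digest = sha256(data)
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return pcr, log

def verify(log, quoted_pcr, allowed):
    """Verifier side: replay the log, compare with the quoted PCR,
    then check every logged digest against the allow-list."""
    pcr = bytes(32)
    for _, digest in log:
        pcr = extend(pcr, digest)
    if pcr != quoted_pcr:
        return "log does not match PCR"
    for name, digest in log:
        if digest not in allowed:
            return "unexpected image: " + name
    return "ok"

# Constructed sample data (hypothetical file names and contents).
BASE = ("base-initrd", b"constructed base initrd")
EXT = ("ext-firmware.raw", b"constructed extension image")
ALLOWED = {sha256(BASE[1]), sha256(EXT[1])}

def demo():
    good_pcr, good_log = measure_boot([BASE, EXT])
    bad_pcr, bad_log = measure_boot([BASE, (EXT[0], b"tampered image")])
    forged_log = [bad_log[0], (EXT[0], sha256(EXT[1]))]  # log lies about digest
    return (verify(good_log, good_pcr, ALLOWED),
            verify(bad_log, bad_pcr, ALLOWED),
            verify(forged_log, bad_pcr, ALLOWED))

if __name__ == "__main__":
    print(demo())
```

Because extend is order-dependent and one-way, a modified extension image either shows up as an unknown digest in the log or, if the log is rewritten to hide it, no longer replays to the quoted PCR.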