On Di, 19.07.22 16:15, Gerd Hoffmann (kra...@redhat.com) wrote: > > Moreover, this allows us to implemented TPM policies that bind to > > signatures of PCR hashes, instead of the literal hash values. That > > makes the measurements a *million* times more useful, since we loose > > the brittleness on updates: if the expected PCR values can be > > pre-calculated by the vendor, and then be signed, then an update won't > > invalidate the policies anymore. > > Another case which requires creating initrds at build time.
Yupp. Zbigniew and I are working on making pre-built initrds for general purpose distros a reality, i.e. finding a way between keeping things reasonably modular but also pre-generated, immutable, pre-measurable, and thus have a tight trust chain at boot. We'll do two talks about that at Linux Plumbers Conference later this year. Lennart -- Lennart Poettering, Berlin _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
