> On Wed, May 10, 2023 at 2:24 PM Owen Taylor <otaylor(a)redhat.com> wrote:
>
> fsverity is separate from fscrypt. We can apply filesystem authentication
> today.

fsverity does not protect metadata, and most importantly it does not protect the filesystem superblock. It has its uses, but this is not it.

> No. It initializes the whole operating system, and then pivots the
> user-space later. That's why we have to everything in initramfs.
> UKIs attempt to standardize the early-stage image without attempting
> to solve this problem, because a two-stage boot process requires
> changing how we think about operating system initialization.
>
> In Windows, the Windows Boot Manager loads the NT
> kernel stub from the NTFS volume, which then loads the minimal
> operating system environment, and bootstraps the full Windows
> experience. The Windows Boot Manager has just enough to handle
> BitLocker and NTFS, and then transfers the rest to Windows itself.

It is really not that different than the initrd approach. Just the storage is different, but that's easier when you own both filesystem implementations.