Kasatkin, Dmitry <dmitry.kasat...@intel.com> wrote: > What about the case when running from integrity protected initramfs? > Either embedded into the signed kernel, or verified by the boot loader. > In such case it is possible to assume that all keys which are added by > user space are implicitly trusted. > Later on, before continuing booting normal rootfs, set the key > subsystem state (trust-lock), > so that trusted keyrings accept only explicitly trusted keys... > > Does it make sense?
I'm not sure it does. Initramfs is (re-)fabricated on the machine on which it runs any time you update one of a set of rpms (such as the kernel rpm) because it has machine-specific data and drivers in it. David -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
