Hi everybody,

Continuing the work/learning path I started last week, I have had a development: Still with shim loading systemd-boot, which can read the kernel and initramfs from XBOOTLDR partition, I have introduced LUKS to encrypt the root partition (XBOOTLDR is not encrypted).

Originally I was planning to move from this to UKI so that I can make sure that both kernel and initramfs are checked before booting, but today I have considered a different course of action: Should I use the TPM to store a key to decrypt the disk like this:

systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+1+7+9

Then, by using PCR9 the initrd would be checked before allowing the boot sequence to continue. By doing this, then, I do not have to switch to UKI until I have learned more about it.

Do you guys think this reasoning is flawed?

Thank you,

---
Felix Rubio
"Don't believe what you're told. Double check."

On 2023-05-25 10:26, Lennart Poettering wrote:
On Mi, 24.05.23 19:01, Felix Rubio (fe...@kngnt.org) wrote:

Hi Lennart,

"Sorry, but GPG is a no-go. Not in 2023."

Yes, I understand that. What I am trying to get is a simple way to verify
that the initramfs has not been tampered with. UKI comes with its own
challenges, using encryption tied to a measured boot looks overkill, and I
fully agree that adding an authentication layer is not
desirable.

I am not sure what "challenges" you specifically have in mind, but a
UKI with an initrd in a PE envelope (i.e. the "add-on" concept I
mentioned), then you should be pretty close to current behaviour, no?

Then... what alternatives are available for just performing verification of the initramfs? I was taking a look at IMA now, so this could be sorted with
a policy... but I think this is not supported in sd-boot.

IMA verifies files after the kernel is up, not before. It's not
suitable for validating initrds.

Anyway, you should really ask yourself what cryptographic key you want
to authenticate against. Local or vendor one, and where shall it be
stored. That dictates your choices more than anything else.

In the case I wrap the initramfs in a PE envelope, as you suggested, would its signature then be validated automatically? When it gets loaded? Because,
if so... this would work enough for this use case.

In the "add-on" module for UKIs I mentioned the validation of both the
UKI and the add-ons are done via regular UEFI SecureBoot or via
shim. Both UKIs and add-ons are just PE files after all that thus can
be verified that way. Because the files can be authenticated via shim
you get MOK and so on.

Lennart

--
Lennart Poettering, Berlin
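
An added illustration (not part of the thread and not systemd code) of why a key bound to PCR 9 is released only for the initrd measured at enrollment: a simplified Python model of the TPM extend operation and of a digest over the selected PCRs. The measurement contents are constructed stand-ins, and treating the initrd as a single PCR 9 event is an assumption; a real TPM policy and event log carry more detail.

```python
import hashlib

PCR_SIZE = 32                      # SHA-256 bank, PCRs start as all zeroes
SELECTION = (0, 1, 7, 9)           # PCRs from the command in the post

def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM extend: new = SHA256(old || SHA256(data)). A PCR cannot be set directly."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def replay(events):
    """Replay (pcr_index, data) measurements from reset and return the PCR bank."""
    bank = {}
    for index, data in events:
        bank[index] = extend(bank.get(index, bytes(PCR_SIZE)), data)
    return bank

def policy_digest(bank, selection):
    """Digest over the selected PCR values, taken in ascending index order."""
    h = hashlib.sha256()
    for index in sorted(selection):
        h.update(bank.get(index, bytes(PCR_SIZE)))
    return h.digest()

def would_unseal(enrolled_digest, boot_events, selection):
    """The key is released only if this boot reproduces the enrolled digest."""
    return policy_digest(replay(boot_events), selection) == enrolled_digest

def boot(initrd: bytes):
    # Constructed stand-ins for firmware code, firmware config and Secure Boot
    # state; only the initrd measurement (assumed to land in PCR 9) varies.
    return [(0, b"firmware-code"), (1, b"firmware-config"),
            (7, b"secure-boot-state"), (9, initrd)]

# Digest captured at enrollment time, with the initrd then in use.
ENROLLED = policy_digest(replay(boot(b"initrd-v1")), SELECTION)

def demo():
    return {
        "same initrd": would_unseal(ENROLLED, boot(b"initrd-v1"), SELECTION),
        "tampered initrd": would_unseal(ENROLLED, boot(b"initrd-v1+implant"), SELECTION),
        "regenerated initrd": would_unseal(ENROLLED, boot(b"initrd-v2"), SELECTION),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'key released' if ok else 'key withheld'}")
```

In this model a legitimately regenerated initrd is indistinguishable from a tampered one, so the TPM enrollment has to be redone after every initrd update.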
