sobczyk | hi does the efistub loader verify initrd image too? | 13:55 |
---|---|---|
apw | sobczyk, the initrd is not signed, any more than the root disk is | 13:57 |
ogra_ | and with the concept of regularly rebuilding it on upgrades, signing it with a secure archive key is somewhat impossible | 13:58 |
sobczyk | ogra_: I want to swap all uefi keys for mine and use luks with TPM | 13:59 |
sobczyk | so allowing for an insecure initrd is a risk | 13:59 |
ogra_ | well, happy scripting then :) | 14:00 |
sobczyk | scripting is easy if you know where to look; I don't know whether to use efistub or grub-efi | 14:01 |
ogra_ | i guess you want a hook or something in hook-functions then | 14:01 |
ogra_ | (not sure though, they might run too early, perhaps you actually need to hack update-initramfs itself) | 14:01 |
sobczyk | ogra_: that's what I'll probably do, I'll need to modify more of the system anyway | 14:02 |
sobczyk | but first I need to know if no one modified the initrd | 14:03 |
ogra_ | check /var/lib/initramfs-tools/ ... there are md5 sums | 14:03 |
apw | sobczyk, that doesn't really work, you need to know no one has modified any of the tools in the initrd | 14:41 |
apw | sobczyk, which we do often when we sru a component package | 14:41 |
sobczyk | apw: uefi checks grub, grub checks kernel and initrd, but I'll need to check if it's doable | 14:43 |
sobczyk | apw: another approach is to merge initrd into kernel, and sign that binary | 14:43 |
apw | sobczyk, i presume you will need to somehow sign the initrd, right, either making your own kernel with it included, or simply signing the initrd and checking that in the grub loader | 14:44 |
sobczyk | but I don't know if it's possible with precompiled binary vmlinux, or requires custom compiled kernel | 14:44 |
apw | sobczyk, but ... you need to be able to rebuild the initrd from the tools on the system, and validating those is hard at best | 14:44 |
apw | sobczyk, to build it into the kernel you need to rebuild it from scratch | 14:44 |
sobczyk | apw: the root image will be prebuilt and non-modifiable, so it's not an issue | 14:45 |
apw | sobczyk, then i'd say just sign the initrd in there, and work out how to verify it in grub2 | 14:45 |
apw | as that can check the kernel against the kek, i assume if you have your own key in the kek, you are golden | 14:45 |
sobczyk | apw: yes, that seems to be the easiest approach, I just need to read grub docs how to check other files than the kernel | 14:46 |
apw | sobczyk, though if the disk is verifiably read-only i am not sure i know why you care to | 14:48 |
sobczyk | it'll be luks encrypted with keys in TPM | 14:48 |
sobczyk | I need to be sure no one can boot unverified software to extract the keys | 14:48 |
apw | so presumably that also means you need to verify the grub configuration somehow too | 14:49 |
apw | as that and the kernel et al are (i assume) in an unencrypted /boot somewhere | 14:49 |
sobczyk | grub can embed config file | 14:49 |
apw | embed it in what though ? | 14:50 |
sobczyk | apw: "grub-mkimage -c" so the initial config can check all other files | 14:51 |
sobczyk | I'm guessing though, I've never modified grub to such an extent | 14:51 |
apw | sobczyk, oh i see, embed the entire config and sign the whole, ok | 14:52 |
lamont | jsalisbury: if it makes life easier, you can remind me of the process (script) for building arbitrary kernels (which I'd like to know the current state of anyway), and I can just run with the bisect here and save you the pain | 15:06 |
jsalisbury | lamont, there is a wiki, but I can start building you more kernels today: | 15:09 |
jsalisbury | https://wiki.ubuntu.com/Kernel/KernelBisection | 15:09 |
jsalisbury | lamont, the next kernel should be ready in about 20 minutes | 15:11 |
lamont | jsalisbury: cool. https://wiki.ubuntu.com/Kernel/BuildYourOwnKernel would be the actual challenge I was facing... I suspect I'll let you keep building them, since my build time would be closer to 45-60 min per kernel, and I expect that we both have other commitments this evening anyway | 15:15 |
lamont | jsalisbury: pls holler when it's ready for me | 15:15 |
=== kamal__ is now known as kamal | ||
jsalisbury | lamont, Posted next test kernel in bug report. | 16:58 |
lamont | \o/ | 17:05 |
mjg59 | sobczyk: Measure the TPM and you don't have to worry about signing it | 18:00 |
mjg59 | The EFI stub loader doesn't support that, though | 18:00 |
mjg59 | (and nor does upstream grub) | 18:00 |
=== dax is now known as rww | ||
=== rww is now known as dax | ||
=== DevBox|2 is now known as DevBox | ||
=== Madkiss_ is now known as Madkiss | ||
=== neunon_ is now known as neunon | ||
=== _Traxer is now known as Traxer | ||
=== psivaa_ is now known as psivaa | ||
=== spossiba_ is now known as spossiba | ||
=== zkanda_ is now known as zkanda | ||
=== Trevinho_ is now known as Trevinho | ||
=== stgraber_ is now known as stgraber | ||