/srv/irclogs.ubuntu.com/2016/02/16/#ubuntu-kernel.txt

[13:55] <sobczyk> hi does the efistub loader verify initrd image too?
[13:57] <apw> sobczyk, the initrd is not signed, any more than the root disk is
[13:58] <ogra_> and with the concept of regularly rebuilding it on upgrades signing it with a secure archive key is somewhat impossible
[13:59] <sobczyk> ogra_: I want to swap all uefi keys for mine and use luks with TPM
[13:59] <sobczyk> so allowing for unsecure initrd is a risk
[14:00] <ogra_> well, happy scripting then :)
[14:01] <sobczyk> scripting is easy, if you know where to look, I don't know whether to use efistub or grub-efi
[14:01] <ogra_> i guess you want a hook or something in hook-functions then
[14:01] <ogra_> (not sure though, they might run too early, perhaps you actually need to hack update-initramfs itself)
[14:02] <sobczyk> ogra_: that's what I'll probably do, I'll need to modify more of the system anyway
[14:03] <sobczyk> but first I need to know if no one modified the initrd
[14:03] <ogra_> check /var/lib/initramfs-tools/ ... there are md5 sums
[14:41] <apw> sobczyk, that doesn't really work, you need to know no one has modified any of the tools in the initrd
[14:41] <apw> sobczyk, which we do often when we sru a component package
[14:43] <sobczyk> apw: uefi checks grub, grub checks kernel and initrd, but I'll need to check if it's doable
[14:43] <sobczyk> apw: another approach is to merge initrd into kernel, and sign that binary
[14:44] <apw> sobczyk, i presume you will need to somehow sign the initrd, right either making your own kernel with it included, or simply signing the initrd and checking that in the grub loader
[14:44] <sobczyk> but I don't know if it's possible with precompiled binary vmlinux, or requires custom compiled kernel
[14:44] <apw> sobczyk, but ... you need to be able to rebuild the initrd from the tools on the system, and validating those, is hard at best
[14:44] <apw> sobczyk, to build it into the kernel you need to rebuild it from scratch
[14:45] <sobczyk> apw: the root image will be prebuilt, and non-modifiable, so it's not an issue
[14:45] <apw> sobczyk, then i'd say just sign the initrd in there, and work out how to verify it in grub2
[14:45] <apw> as that can check the kernel against the kek, i assume if you have your own key in the kek, you are golden
[14:46] <sobczyk> apw: yes, that seems to be the easiest approach, I just need to read grub docs how to check other files than the kernel
[14:48] <apw> sobczyk, though if the disk is verifiably read-only i am not sure i know why you care to
[14:48] <sobczyk> it'll be luks encrypted with keys in TPM
[14:48] <sobczyk> I need to be sure no one can boot unverified software to extract the keys
[14:49] <apw> so presumably that also means you need to verify the grub configuration somehow too
[14:49] <apw> as that and the kernel et al are (i assume) in an unencrypted /boot somewhere
[14:49] <sobczyk> grub can embed config file
[14:50] <apw> embed it in what though ?
[14:51] <sobczyk> apw: "grub-mkimage -c" so the initial config can check all other files
[14:51] <sobczyk> I'm guessing though, I've never modified grub to such an extent
[14:52] <apw> sobczyk, oh i see, embed the entire config and sign the whole, ok
[15:06] <lamont> jsalisbury: if it makes life easier, you can remind me of the process (script) for building arbitrary kernels (which I'd like to know the current state of anyway), and I can just run with the bisect here and save you the pain
[15:09] <jsalisbury> lamont, there is a wiki, but I can start building you more kernels today:
[15:09] <jsalisbury> https://wiki.ubuntu.com/Kernel/KernelBisection
[15:11] <jsalisbury> lamont, the next kernel should be ready in about 20 minutes
[15:15] <lamont> jsalisbury: cool. https://wiki.ubuntu.com/Kernel/BuildYourOwnKernel would be the actual challenge I was facing... I suspect I'll let you keep building them, since my build time would be closer to 45-60 min per kernel, and I expect that we both have other commitments this evening anyway
[15:15] <lamont> jsalisbury: pls holler when it's ready for me
[16:58] <jsalisbury> lamont, Posted next test kernel in bug report.
[17:05] <lamont> \o/
[18:00] <mjg59> sobczyk: Measure the TPM and you don't have to worry about signing it
[18:00] <mjg59> The EFI stub loader doesn't support that, though
[18:00] <mjg59> (and nor does upstream grub)