[13:55] hi does the efistub loader verify initrd image too?
[13:57] sobczyk, the initrd is not signed, any more than the root disk is
[13:58] and with the concept of regularly rebuilding it on upgrades, signing it with a secure archive key is somewhat impossible
[13:59] ogra_: I want to swap all uefi keys for mine and use luks with TPM
[13:59] so allowing for unsecure initrd is a risk
[14:00] well, happy scripting then :)
[14:01] scripting is easy, if you know where to look, I don't know if to use efistub or grub-efi
[14:01] i guess you want a hook or something in hook-functions then
[14:01] (not sure though, they might run too early, perhaps you actually need to hack update-initramfs itself)
[14:02] ogra_: that's what I'll probably do, I'll need to modify more of the system anyway
[14:03] but first I need to know if no one modified the initrd
[14:03] check /var/lib/initramfs-tools/ ... there are md5 sums
[14:41] sobczyk, that doesn't really work, you need to know no one has modified any of the tools in the initrd
[14:41] sobczyk, which we do often when we sru a component package
[14:43] apw: uefi checks grub, grub checks kernel and initrd, but I'll need to check if it's doable
[14:43] apw: another approach is to merge initrd into kernel, and sign that binary
[14:44] sobczyk, i presume you will need to somehow sign the initrd, right either making your own kernel with it included, or simply signing the initrd and checking that in the grub loader
[14:44] but I don't know if it's possible with precompiled binary vmlinux, or requires custom compiled kernel
[14:44] sobczyk, but ... you need to be able to rebuild the initrd from the tools on the system, and validating those is hard at best
[14:44] sobczyk, to build it into the kernel you need to rebuild it from scratch
[14:45] apw: the root image will be prebuilt, and non-modifiable, so it's not an issue
[14:45] sobczyk, then i'd say just sign the initrd in there, and work out how to verify it in grub2
[14:45] as that can check the kernel against the kek, i assume if you have your own key in the kek, you are golden
[14:46] apw: yes, that seems to be the easiest approach, I just need to read grub docs how to check other files than the kernel
[14:48] sobczyk, though if the disk is verifiably read-only i am not sure i know why you care to
[14:48] it'll be luks encrypted with keys in TPM
[14:48] I need to be sure no one can boot unverified software to extract the keys
[14:49] so presumably that also means you need to verify the grub configuration somehow too
[14:49] as that and the kernel et al are (i assume) in an unencrypted /boot somewhere
[14:49] grub can embed config file
[14:50] embed it in what though ?
[14:51] apw: "grub-mkimage -c" so the initial config can check all other files
[14:51] I'm guessing though, I've never modified grub to such an extent
[14:52] sobczyk, oh i see, embed the entire config and sign the whole, ok
[15:06] jsalisbury: if it makes life easier, you can remind me of the process (script) for building arbitrary kernels (which I'd like to know the current state of anyway), and I can just run with the bisect here and save you the pain
[15:09] lamont, there is a wiki, but I can start building you more kernels today:
[15:09] https://wiki.ubuntu.com/Kernel/KernelBisection
[15:11] lamont, the next kernel should be ready in about 20 minutes
[15:15] jsalisbury: cool. https://wiki.ubuntu.com/Kernel/BuildYourOwnKernel would be the actual challenge I was facing... I suspect I'll let you keep building them, since my build time would be closer to 45-60 min per kernel, and I expect that we both have other commitments this evening anyway
[15:15] jsalisbury: pls holler when it's ready for me
[16:58] lamont, Posted next test kernel in bug report.
[17:05] \o/
[18:00] sobczyk: Measure the TPM and you don't have to worry about signing it
[18:00] The EFI stub loader doesn't support that, though
[18:00] (and nor does upstream grub)