[13:55] <sobczyk> hi does the efistub loader verify initrd image too?
[13:57] <apw> sobczyk, the initrd is not signed, any more than the root disk is
[13:58] <ogra_> and with the concept of regularly rebuilding it on upgrades, signing it with a secure archive key is somewhat impossible
[13:59] <sobczyk> ogra_: I want to swap all uefi keys for mine and use luks with TPM
[13:59] <sobczyk> so allowing for an insecure initrd is a risk
[14:00] <ogra_> well, happy scripting then :) 
[14:01] <sobczyk> scripting is easy, if you know where to look; I don't know whether to use efistub or grub-efi
[14:01] <ogra_> i guess you want a hook or something in hook-functions then
[14:01] <ogra_> (not sure though, they might run too early, perhaps you actually need to hack update-initramfs itself)
[14:02] <sobczyk> ogra_: that's what I'll probably do, I'll need to modify more of the system anyway
[14:03] <sobczyk> but first I need to know if no one modified the initrd
[14:03] <ogra_> check /var/lib/initramfs-tools/ ... there are md5 sums
[14:41] <apw> sobczyk, that doesn't really work, you need to know no one has modified any of the tools in the initrd
[14:41] <apw> sobczyk, which we do often when we sru a component package
[14:43] <sobczyk> apw: uefi checks grub, grub checks kernel and initrd, but I'll need to check if it's doable
[14:43] <sobczyk> apw: another approach is to merge initrd into kernel, and sign that binary
[14:44] <apw> sobczyk, i presume you will need to somehow sign the initrd, right, either making your own kernel with it included, or simply signing the initrd and checking that in the grub loader
[14:44] <sobczyk> but I don't know if it's possible with precompiled binary vmlinux, or requires custom compiled kernel
[14:44] <apw> sobczyk, but ... you need to be able to rebuild the initrd from the tools on the system, and validating those, is hard at best
[14:44] <apw> sobczyk, to build it into the kernel you need to rebuild it from scratch
[14:45] <sobczyk> apw: the root image will be prebuilt, and non-modifiable, so it's not an issue
[14:45] <apw> sobczyk, then i'd say just sign the initrd in there, and work out how to verify it in grub2
[14:45] <apw> as that can check the kernel against the kek, i assume if you have your own key in the kek, you are golden
[14:46] <sobczyk> apw: yes, that seems to be the easiest approach, I just need to read grub docs how to check other files than the kernel
[14:48] <apw> sobczyk, though if the disk is verifiably read-only i am not sure i know why you care to
[14:48] <sobczyk> it'll be luks encrypted with keys in TPM
[14:48] <sobczyk> I need to be sure no one can boot unverified software to extract the keys
[14:49] <apw> so presumably that also means you need to verify the grub configuration somehow too
[14:49] <apw> as that and the kernel et al are (i assume) in an unencrypted /boot somewhere
[14:49] <sobczyk> grub can embed config file
[14:50] <apw> embed it in what though?
[14:51] <sobczyk> apw: "grub-mkimage -c" so the initial config can check all other files
[14:51] <sobczyk> I'm guessing though, I've never modified grub to such an extent
[14:52] <apw> sobczyk, oh i see, embed the entire config and sign the whole, ok
[15:06] <lamont> jsalisbury: if it makes life easier, you can remind me of the process (script) for building arbitrary kernels (which I'd like to know the current state of anyway), and I can just run with the bisect here and save you the pain
[15:09] <jsalisbury> lamont, there is a wiki, but I can start building you more kernels today:
[15:09] <jsalisbury> https://wiki.ubuntu.com/Kernel/KernelBisection
[15:11] <jsalisbury> lamont, the next kernel should be ready in about 20 minutes
[15:15] <lamont> jsalisbury: cool. https://wiki.ubuntu.com/Kernel/BuildYourOwnKernel would be the actual challenge I was facing... I suspect I'll let you keep building them, since my build time would be closer to 45-60 min per kernel, and I expect that we both have other commitments this evening anyway
[15:15] <lamont> jsalisbury: pls holler when it's ready for me
[16:58] <jsalisbury> lamont, Posted next test kernel in bug report.
[17:05] <lamont> \o/
[18:00] <mjg59> sobczyk: Measure the TPM and you don't have to worry about signing it
[18:00] <mjg59> The EFI stub loader doesn't support that, though
[18:00] <mjg59> (and nor does upstream grub)