On Sa, 27.05.23 08:31, Felix Rubio (fe...@kngnt.org) wrote:
> Hi Lennart,
>
> I remember having read some time ago that UKI could pose problems with
> early-boot modules provided by vendors and so. But... let's give it a try!
> Then, the process should be:
>
> 1. Install a version of shim signed w
On Mo, 29.05.23 11:42, Felix Rubio (fe...@kngnt.org) wrote:
> Hi everybody,
>
> Continuing the work/learning path I started last week, I have had a
> development: Still with shim loading systemd-boot, which can read the kernel
> and initramfs from XBOOTLDR partition, I have introduced LUKS to encr
Just to close this off, because you guys have spend time in helping me
navigate through this: Finally I decided to go for FDE based on the TPM.
Then, most of my concerns where addressed by using PCRs 0,1,7 and 9, so
that initramfs gets also measured. This allows me to keep a separate
boot parti
Hi everybody,
Continuing the work/learning path I started last week, I have had a
development: Still with shim loading systemd-boot, which can read the
kernel and initramfs from XBOOTLDR partition, I have introduced LUKS to
encrypt the root partition (XBOOTLDR is not encrypted).
Originally I
Hi Lennart,
I remember having read some time ago that UKI could pose problems with
early-boot modules provided by vendors and so. But... let's give it a
try! Then, the process should be:
1. Install a version of shim signed with MS keys.
2. Generate the UKI
3. rename the UKI image to grubx64.e
On Do, 25.05.23 10:08, Andrea Pappacoda (and...@pappacoda.it) wrote:
> Il giorno mer 24 mag 2023 alle 14:35:05 +02:00:00, Lennart Poettering
> ha scritto:
> > Note that in systemd git main there's already support for generating
> > UKIs dynamically when a kernel RPM/DEB is installed (as long as t
On Mi, 24.05.23 19:01, Felix Rubio (fe...@kngnt.org) wrote:
> Hi Lennart,
>
> "Sorry, but GPG is a no-go. Not in 2023."
>
> Yes, I understand that. What I am trying to get is a simple way to verify
> that the initramfs has not been tampered with. UKI comes with its own
> challenges, using encrypti
Il giorno mer 24 mag 2023 alle 14:35:05 +02:00:00, Lennart Poettering
ha scritto:
Note that in systemd git main there's already support for generating
UKIs dynamically when a kernel RPM/DEB is installed (as long as the
"kernel-install" infra is in use). It can be signed with a local key,
that ca
Hi Lennart,
"Sorry, but GPG is a no-go. Not in 2023."
Yes, I understand that. What I am trying to get is a simple way to
verify that the initramfs has not been tampered with. UKI comes with its
own challenges, using encryption tied to a measured boot looks overkill,
and I fully agree in which
On Mi, 24.05.23 16:20, Felix Rubio (fe...@kngnt.org) wrote:
> Hi Andrei, Lennart
>
> @Andrei: Do you think, then, that the same private key used for SecureBoot
> could be used for GPG signing the initramfs? That would be cool, as the
> whole boot signing infrastructure would still depend on a sing
Hi Andrei, Lennart
@Andrei: Do you think, then, that the same private key used for
SecureBoot could be used for GPG signing the initramfs? That would be
cool, as the whole boot signing infrastructure would still depend on a
single entity.
@Lennart: I was thinking in using a private key for w
On Mi, 24.05.23 12:22, Felix Rubio (fe...@kngnt.org) wrote:
> I agree that having a measured boot, that decrypts the system is a better
> solution... but this is, correct me if wrong, still very green: There are
> some approaches supported, but none of them seems to be structural: they
> rely on t
On Di, 23.05.23 20:54, Felix Rubio (fe...@kngnt.org) wrote:
> Hi everybody,
>
> I am trying to understand something, and after looking around I have not
> found any explicit answer. Maybe somebody in this list can shed some light
> on the matter? I have a laptop in which I am setting up the boot p
On Wed, May 24, 2023 at 1:22 PM Felix Rubio wrote:
>
> Hi Andrei,
>
> Thank you for correcting my statement about Grub2, I did not know that.
>
> I agree that having a measured boot, that decrypts the system is a
> better solution... but this is, correct me if wrong, still very green:
> There are
Hi Andrei,
Thank you for correcting my statement about Grub2, I did not know that.
I agree that having a measured boot, that decrypts the system is a
better solution... but this is, correct me if wrong, still very green:
There are some approaches supported, but none of them seems to be
struct
On 23.05.2023 21:54, Felix Rubio wrote:
Hi everybody,
I am trying to understand something, and after looking around I have not
found any explicit answer. Maybe somebody in this list can shed some
light on the matter? I have a laptop in which I am setting up the boot
process through systemd-boot,
Hi everybody,
I am trying to understand something, and after looking around I have not
found any explicit answer. Maybe somebody in this list can shed some
light on the matter? I have a laptop in which I am setting up the boot
process through systemd-boot, and this works. Now, I'd like to give
17 matches
Mail list logo