You're right—unsigned initrds remain a security gap in most classic setups today. Currently, our officially supported solutions to address this are:
- Ubuntu Core: Utilizes a signed kernel and initrd bundle.
- TPM-based FDE on Classic: Also employs a signed kernel and initrd bundle.

While we recognize the need for improvement, enabling pre-signed initrd on non-TPM FDE classic systems is a major undertaking. It would require moving away from locally built initrds and forcing all packages with initrd hooks to use pre-built, pre-signed extensions.

I view the transition to signed initrds as more likely than extending GRUB feature support. This is partly due to the growing pre-kernel attack surface on Secure Boot, but also because we are wary of the 'grand unified' bootloader model. A bootloader with excessive features becomes a security and maintainability hazard that is nearly impossible to replace.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2141233

Title: 26.04: outdated signed GRUB (Secure Boot) cannot unlock LUKS2 /boot with Argon2 (argon2i/argon2id) KDF – needs update + signed artifacts parity

To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2-signed/+bug/2141233/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
