Hello,
after much back and forth I've finally managed to set up Secure Boot (SB). My motivation isn't so much that I really need full security -- I just don't want people browsing my stuff after finding my stolen or lost laptop, and the encrypted SSD takes care of that. But this is a company Windows laptop with mandatory SB and BitLocker, and I had to switch off SB in the BIOS setup each time I wanted to boot Linux.
Anyway, that's taken care of using this documentation.
But I have a question: The setup with signed shim / GRUB loader / kernel is supposed to ensure that nobody could smuggle a doctored kernel or boot loader onto my machine lest it get compromised the next time I enter my LUKS passphrase on booting. But what about initramfs? Couldn't that be tampered with, or is it "married" to the signed kernel in some other clever way?
Offline
Isn't that why it says to use a unified kernel image? Condition 3 in https://wiki.archlinux.org/title/Unifie … ecure_Boot
Offline
Yes, you're probably right. My grasp of the whole subject is a tad shaky, which is why I stuck to the lower part where it talks about GRUB and shim -- stuff I'm familiar with from my Debian experience.
Offline
For a unified kernel image the boot can be verified by checking
tpm2_pcrread sha256:7
^ That shows the sha256sum for the SecureBoot PCR variable in the TPM chip.
A systemd .timer could be run to check this at boot and notify the user (or even just power off the machine) if the checksum doesn't match.
EDIT: for encrypted systems see these useful blog posts:
https://pawitp.medium.com/full-disk-enc … 892cab9704
https://pawitp.medium.com/the-correct-w … 421796eade
Last edited by Head_on_a_Stick (2022-01-25 16:22:19)
Jin, Jiyan, Azadî
Offline
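One way to script the PCR 7 check suggested in the post above, as an added example that is not part of the original thread. The baseline path, the function names and the `--check` argument are hypothetical, and the parser assumes `tpm2_pcrread` prints the value as `7 : 0x<hex>`; the script is meant to be started by the systemd timer the post mentions.

```shell
#!/bin/sh
# Added example: compare the TPM's PCR 7 with a baseline recorded on a known-good boot.
# Assumptions: baseline path, function names, "--check" argument, "7 : 0x<hex>" output layout.
BASELINE="${BASELINE:-/etc/pcr7.baseline}"   # hypothetical location

# Constructed sample of tpm2_pcrread-style output (not a real measurement).
SAMPLE='  sha256:
    7 : 0xA1B2C3D4A1B2C3D4A1B2C3D4A1B2C3D4A1B2C3D4A1B2C3D4A1B2C3D4A1B2C3D4'

# Read tpm2_pcrread-style output on stdin, print the PCR 7 digest as lowercase hex.
parse_pcr7() {
    sed -n 's/^[[:space:]]*7[[:space:]]*:[[:space:]]*0[xX]\([0-9A-Fa-f]\{64\}\)[[:space:]]*$/\1/p' \
        | head -n 1 | tr 'A-F' 'a-f'
}

# check_pcr7 <current> <expected>: 0 = match, 1 = mismatch, 2 = unusable input.
check_pcr7() {
    cur=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    exp=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case "$cur" in ''|*[!0-9a-f]*) return 2 ;; esac
    [ "${#cur}" -eq 64 ] || return 2
    [ "${#exp}" -eq 64 ] || return 2
    [ "$cur" = "$exp" ]
}

# Only touch the TPM when explicitly asked to, e.g. from a oneshot service.
if [ "${1:-}" = "--check" ]; then
    current=$(tpm2_pcrread sha256:7 | parse_pcr7)
    expected=$(tr -d '[:space:]' < "$BASELINE")
    if check_pcr7 "$current" "$expected"; then
        logger -t pcr7-check "PCR 7 matches baseline"
    else
        logger -p auth.crit -t pcr7-check "PCR 7 mismatch or unreadable: ${current:-none}"
        # systemctl poweroff   # optional hard reaction, as suggested in the post
        exit 1
    fi
fi
```

PCR 7 reflects the Secure Boot state and key databases, so the baseline has to be re-recorded after a legitimate change such as a dbx update or re-enrolling keys.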