With the advent of UKI's wrapping kernel and cpio archives up into
single UEFI PE executables it seems like its probably time to
reconsider whether the core idea of signing the initrd and verifying
it in its entirely is a useful function of the core kernel.
Moving this functionality in the kernel should provide a similar
security statement to the UKIs with a more traditional kernel + initrd
boot flow and the ability to have a single kernel image that
selects between multiple signed initrd images. Say a normal boot
image, and a recovery image.
This set is a very basic implementation of that concept using the kernel
built in trusted keyring, and a signature format that is similar to the
existing module signature. The core change is quite trivial with the larger
questions around the policy for enforcing or simply checking
for a valid signature. I've considered various policies, tying it to
lockdown/etc but this set simply enforces it by default with an kernel
parameter to override the behavior.
Outside of the core patch the largest change revolves around making
sure that the asymmetric key and built in cert/keyring/blacklist logic
is started much earlier in the boot process than normal. This means
that beyond the hacky _initcall changes in patch 2 there are a bit of
additional Kconfig changes necessary.
Finally, before the RFC is dropped there are a number of
/Documentation changes that will be completed as needed.
Jeremy Linton (5):
initramfs: Add initramfs signature checking
KEYS/certs: Start the builtin key and cert system earlier
initramfs: Use existing module signing infrastructure
sign-file: Add -i option to sign initramfs images
initramfs: Enforce initramfs signature
certs/blacklist.c | 2 +-
certs/system_keyring.c | 4 +-
crypto/asymmetric_keys/asymmetric_type.c | 2 +-
crypto/asymmetric_keys/x509_public_key.c | 2 +-
include/linux/initrd.h | 3 +
init/initramfs.c | 84 +++++++++++++++++++++++-
scripts/sign-file.c | 11 +++-
usr/Kconfig | 9 +++
8 files changed, 109 insertions(+), 8 deletions(-)
--
2.46.0