Initramfs Support For Digital Signature Protection
Written by Michael Larabel in Linux Kernel on 5 February 2013 at 02:04 PM EST. 1 Comment
RFC patches were published on Tuesday to provide digital signature protection support for initramfs.

Dmitry Kasatkin is the developer principally responsible for the initramfs digital signature patches. The patches can be found on the mailing list and he's hoping for comments from other kernel developers.

The second patch explains how this digital signature process is handled for the Linux initramfs:
Often initramfs is (re)fabricated on the machine on which it runs. In such cases it is impossible to sign initramfs image, because private key is not supposed to be available.

This patch adds support for additional digitaly signed initramfs images. Digitaly signed initramfs image can be loaded from conventional initramfs image or from rootfs and '/pre-init' is executed prior 'init' from initramfs or root file system. If 'pre-init' fails, kernel panics. Signed initramfs image must be located in '/initramfs-sig.img'.

Digitally signed initramfs can be used to provide protected user-space environment for initialization purpose. For example, LSM, IMA/EVM can be securely initialized using such approach.

Signing is done using scripts/sign-file from kernel source code and uses module signature format and module verification API. Important to note again that signing of such images should be done on the build machine.

Bellow is an example, how to sign compressed initrd (cpio) image:

scripts/sign-file -v signing_key.priv signing_key.x509 initrd.gz initramfs-sig.img

When using initramfs-tools, initramfs-sig.img can be easily included into the conventional initramfs using initramfs-tools hooks, for example, by creating /etc/initramfs-tools/hooks/, and adding following lines there:

About The Author
Author picture

Michael Larabel is the principal author of and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 10,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and automated benchmarking software. He can be followed via Twitter or contacted via

Related Linux Kernel News
Popular News
Trending Reviews & Featured Articles