1. Computers
  2. Display Drivers
  3. Graphics Cards
  4. Memory
  5. Motherboards
  6. Processors
  7. Software
  8. Storage
  9. Operating Systems


Facebook RSS Twitter Twitter Google Plus


Phoronix Test Suite

OpenBenchmarking.org

Initramfs Support For Digital Signature Protection

Linux Kernel

Published on 05 February 2013 02:04 PM EST
Written by Michael Larabel in Linux Kernel
1 Comment

RFC patches were published on Tuesday to provide digital signature protection support for initramfs.

Dmitry Kasatkin is the developer principally responsible for the initramfs digital signature patches. The patches can be found on the mailing list and he's hoping for comments from other kernel developers.

The second patch explains how this digital signature process is handled for the Linux initramfs:
Often initramfs is (re)fabricated on the machine on which it runs. In such cases it is impossible to sign initramfs image, because private key is not supposed to be available.

This patch adds support for additional digitaly signed initramfs images. Digitaly signed initramfs image can be loaded from conventional initramfs image or from rootfs and '/pre-init' is executed prior 'init' from initramfs or root file system. If 'pre-init' fails, kernel panics. Signed initramfs image must be located in '/initramfs-sig.img'.

Digitally signed initramfs can be used to provide protected user-space environment for initialization purpose. For example, LSM, IMA/EVM can be securely initialized using such approach.

Signing is done using scripts/sign-file from kernel source code and uses module signature format and module verification API. Important to note again that signing of such images should be done on the build machine.

Bellow is an example, how to sign compressed initrd (cpio) image:

scripts/sign-file -v signing_key.priv signing_key.x509 initrd.gz initramfs-sig.img

When using initramfs-tools, initramfs-sig.img can be easily included into the conventional initramfs using initramfs-tools hooks, for example, by creating /etc/initramfs-tools/hooks/initramfs_sig.sh, and adding following lines there:

Latest Linux Hardware Reviews
  1. ASUS AM1I-A: A Mini-ITX Board For Socketed Kabini APUs
  2. Mini-Box M350: A Simple, Affordable Mini-ITX Case
  3. Overclocking The AMD AM1 Athlon & Sempron APUs
  4. AMD Athlon 5350 / 5150 & Sempron 3850 / 2650
Latest Linux Articles
  1. Ubuntu 12.04.4 vs. 13.10 vs. 14.04 LTS Desktop Benchmarks
  2. AMD OpenCL Performance With AM1 Kabini APUs
  3. A Quick Look At GCC 4.9 vs. LLVM Clang 3.5
  4. Are AMD Athlon/Sempron APUs Fast Enough For Steam On Linux?
Latest Linux News
  1. FreeBSD Advances For ARM, Bhyve, Clang
  2. Ubuntu 14.04 LTS "Trusty Tahr" Officially Released
  3. Ubuntu 12.04 LTS vs. 14.04 LTS Server Benchmarks
  4. QEMU 2.0 Released With ARM, x86 Enhancements
  5. Running The Unity 8 Preview Session On Ubuntu 14.04 LTS
  6. R600 Gallium3D Disables LLVM Back-End By Default
  7. Fedora 21 Gets GNOME 3.12, PHP 5.6, Mono 3.4
  8. Fedora Workstation Is Making Me Quite Excited
  9. Maynard: A Lightweight Wayland Desktop
  10. Chromium Browser Going Through Growing Pains In Ubuntu 14.04
  11. KDE 4.13 Is Being Released Today With New Features
  12. Trying Out Radeon R9 290 Graphics On Open-Source
Latest Forum Discussions
  1. Linux Kernel Developers Fed Up With Ridiculous Bugs In Systemd
  2. Updated and Optimized Ubuntu Free Graphics Drivers
  3. The GNOME Foundation Is Running Short On Money
  4. Radeon 8000M problematic on Linux?
  5. After Jack Keane, RuseSoft will briing Ankh 3 to Linux through Desura
  6. Suspected PHP Proxy Issue
  7. Change installation destination from home directory
  8. Bye bye BSD, Hello Linux: A Sys Admin's Story