Announcement

Collapse
No announcement yet.

Fedora Stakeholders Discuss Possibility Of Using Pre-Built Initramfs Images

Collapse
X
Collapse
 
  • Page of 3
  • Filter
  • Time
  • Show
Clear All
new posts
Previous 1 2 3 template Next
  • #11
    Originally posted by Britoid View Post

    You would be reliant on the userspace to protect unauthorized access to files, so gdm, etc. You have a chain of trust, so you can verify software hasn't been tampered with, but it would fall apart if there's a bug.
    Heh those pesky bugs I've read about using a read-only root filesystem to further limit the attack vector. Good to see so many developments, ideas and solutions to keep us safe.

    Comment

    • #12
      Originally posted by lowlands View Post

      What is the use case for such a setup? Probably stating the obvious but wouldn't "auto-decrypt" defeat the purpose of an encrypted hard drive? I use dracut-sshd to remotely ssh into a booting server to enter the key.
      No, unless you don't know any better so you don't use a LUKS encrypted GRUB that requires a password followed by unlocking everything else VIA key files stored on either /boot/keys or on a USB drive so you can remove it once the keys are used and shit is decrypted.

      I'd rather them move the initramfs out of the archive and over to /boot/init or something like that. If it's going to be a prebuilt and known initramfs, like how /sbin used to contain known boot binaries, then take the stuff out of the damn archive so it's easier to work with.

      Comment

      • #13
        Originally posted by oleid View Post
        Pre-built is fine, as long as you can add additional files
        There already exist mechanisms for an image to load/layer an additional image, so something like a base image, which satisfies many use cases for boot, and allows one to create an additional (much smaller, faster to build) image for any more esoteric devices/drivers and system specific configuration, would appear to be a viable path.

        Comment

        • #14
          Originally posted by skeevy420 View Post

          No, unless you don't know any better so you don't use a LUKS encrypted GRUB that requires a password followed by unlocking everything else VIA key files stored on either /boot/keys or on a USB drive so you can remove it once the keys are used and shit is decrypted.

          I'd rather them move the initramfs out of the archive and over to /boot/init or something like that. If it's going to be a prebuilt and known initramfs, like how /sbin used to contain known boot binaries, then take the stuff out of the damn archive so it's easier to work with.
          It being in an archive allows it to be easily compressed and signed "as one". It's also easier to do atomic upgrades if you're only moving/renaming two files.
          • Likes 2

          Comment

          • #15
            Originally posted by Britoid View Post

            It being in an archive allows it to be easily compressed and signed "as one". It's also easier to do atomic upgrades if you're only moving/renaming two files.
            I know and I don't necessarily disagree, but, still, there has to be some sort of alternative other than "wrapping it all up in an archive". Partition check-summing or something like that.

            Comment

            • #16
              What happened to the idea of removing initramfs entirely with compiled-in storage drivers and keeping kernel boot options in the bootloader? I tried this in Debian for a while and the performance advantage was very noticable from rotating media.
              • Likes 2

              Comment

              • #17
                Originally posted by lowlands View Post

                What is the use case for such a setup? Probably stating the obvious but wouldn't "auto-decrypt" defeat the purpose of an encrypted hard drive?
                Not really. I have a key embedded to initramfs to decrypt the different partitions, so that I don't have to enter the key multiple times during boot. That way I don't have to use lvm.

                The initramfs, however, doesn't live on an unencrypted partition, but on the first encrypted one. Grub is clever enough to understand luks.

                Comment

                • #18
                  Originally posted by Djhg2000 View Post
                  What happened to the idea of removing initramfs entirely with compiled-in storage drivers and keeping kernel boot options in the bootloader? I tried this in Debian for a while and the performance advantage was very noticable from rotating media.
                  ​​​​​​AFAIK only thing missing in my kernel is the SATA driver since ext4 is already compiled in.
                  I will absolutely look into making this happen on my computer. :-)

                  ​​

                  Comment

                  • #19
                    That is a silly idea... pre-built.. *scoff*

                    Systemd-initramfsd duh..

                    Comment

                    • #20
                      Originally posted by k1e0x View Post
                      That is a silly idea... pre-built.. *scoff*

                      Systemd-initramfsd duh..
                      Dracut already has systemd inside of it.

                      Comment

                      Previous 1 2 3 template Next
                      Working...
                      X