This development sounds great for servers with higher security requirements and seems like a logical continuation of the trend around layered, immutable system images.
Even in case of root access, embedding malware into the initrd will become impossible. Start a small hypervisor or Xen dom0 this way and it'll greatly increase the chance that you can get rid of an infection just by rebooting the machine (provided that it isn't embedded into a guest VM and can just break out of the VM jail again).
Since not every distribution is going to adopt this new behaviour and regular general purpose distros tend to not use immutable system images, one can just switch over to dracut/mkinitcpio/initramfs-tools/mkinitramfs/genkernel/... if he doesn't like this new initrd concept or even avoid it entirely.
IMO having more options on how to do things is nearly always positive if it's just an opt-in/opt-out kind of thing.