Originally posted by chuckula
View Post
Announcement
Collapse
No announcement yet.
Red Hat Looks For Feedback On Its New Initoverlayfs File-System Proposal
Collapse
X
-
Originally posted by chuckula View Post(But yes, I do see how this would be helpful for the non-custom kernel peasantry)
Comment
-
Originally posted by CommunityMember View Post
Reducing the need for a (monster sized) initramfs to handle all the driver (and especially multiple version firmware) bloat, and storing it in the EFI partition (which, of course, typically needs to be vFAT) will be a good thing going forward. I am not sure this is the best/right approach, but it is, at least, an interesting way forward.
I just get uncomfortable storing a lot of system-critical stuff unencrypted on the ESP with its filesystem which is almost, but not quite, FAT32. (There are some small differences - see the specification available at https://uefi.org/specifications, section 13.3 of the current version (UEFI Specification Version 2.10)). My gut feeling is that there should be more robust error detection and correction features for the storage of the code used for booting devices.
- Likes 1
Comment
-
Originally posted by Old Grouch View Post
Another approach is using GRUB2 that can access an initramfs stored 'elsewhere'. The GRUB2 needs to have the necessary drivers linked/built in to access the other location in read-only mode. My grubx64.efi is 2.5 Megabytes. The amount of 'stuff' on my ESP is minimal. Everything else, including swap, is in a LUKS partition.
I just get uncomfortable storing a lot of system-critical stuff unencrypted on the ESP with its filesystem which is almost, but not quite, FAT32. (There are some small differences - see the specification available at https://uefi.org/specifications, section 13.3 of the current version (UEFI Specification Version 2.10)). My gut feeling is that there should be more robust error detection and correction features for the storage of the code used for booting devices.
If we want to minimize code exposed in unencrypted manner, the solution will be putting decryption logic into the EFI portion of the GRUB bootloader (or any other flavor of bootloaders), then put the Linux kernel inside encrypted partition. But if we want to minimize code exposed in unchecksummed/unsigned manner, we can always add the checksum/signature examination code in bootloader, and run the check each time when the computer boot. The kernel being in FAT32 is not a problem as the checksum/signature file can be put together in this EFI partition too.
p.s. Oh we can also set the bootloader to do such a self-check to itself too. This won't help for malicious temperament but definitely good enough for accidental corruption.Last edited by billyswong; 13 December 2023, 07:25 AM.
- Likes 2
Comment
-
Originally posted by billyswong View PostThe kernel being in FAT32 is not a problem as the checksum/signature file can be put together in this EFI partition too.
Comment
-
Originally posted by caligula View Post
FAT32 won't even support basic POSIX semantics. Even the cheapest routers and toy SBCs come with better bootloaders than UEFI.
Comment
Comment