Fedora Stakeholders Discuss Possibility Of Using Pre-Built Initramfs Images
Another alternative to slow initramfs generation could be distributing pre-built initramfs images to users. An additional benefit of that is possibly better security with measured boot capabilities, a matter currently being discussed by Fedora stakeholders.
Fedora has brought up the topic of pre-built initramfs images from time to time, and it came up again last week when former Red Hat employee turned Googler Matthew Garrett raised a possible proposal to ship prebuilt initramfs images in the name of better security with measured boot.
As he explained, "Measured boot involves generating cryptographic measurements of boot components and configuration and using that to either control access to a local secret (in the case of sealing secrets to a TPM) or proving to another device (eg, a remote server or a local phone) what was booted. We're shipping most of the infrastructure to do this, but we're still left with a pretty fundamental problem - we need to know what the expected values are in order to know whether something's been tampered with or not."
Because initramfs images are generated client-side, the measurements differ from system to system, so there is no single expected value to compare against. But pre-built initramfs images would have to contain more kernel modules than most users need, and there is other special-case handling to deal with, so it's not a trivial change by any means.
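To illustrate the expected-values problem, the following added example (not from the article or the Fedora thread) simulates a TPM-style SHA-256 PCR extend over a boot chain. The single simulated PCR, the component byte strings and all helper names are constructed assumptions; real systems spread measurements across several PCRs.

```python
import hashlib

PCR_SIZE = 32  # SHA-256 bank; a PCR starts as all zero bytes

def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA256(old PCR || SHA256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def replay(components: list[bytes]) -> bytes:
    """Measure an ordered boot chain into one simulated PCR."""
    pcr = bytes(PCR_SIZE)
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr

def verify(reported: bytes, expected: set[bytes]) -> bool:
    """A verifier can only accept values it knows in advance."""
    return reported in expected

# Constructed stand-ins for real boot components (assumptions, not real files).
KERNEL = b"vmlinuz-constructed-sample"
CMDLINE = b"root=/dev/mapper/root ro"
PREBUILT_INITRAMFS = b"initramfs built once by the distribution"

def local_initramfs(hostname: str) -> bytes:
    """Stand-in for a client-generated image containing host-specific content."""
    return b"initramfs generated on " + hostname.encode()

def demo() -> dict:
    # With a pre-built image, one reference value covers every machine.
    reference = {replay([KERNEL, CMDLINE, PREBUILT_INITRAMFS])}
    chains = {
        "prebuilt_host_a": [KERNEL, CMDLINE, PREBUILT_INITRAMFS],
        "prebuilt_host_b": [KERNEL, CMDLINE, PREBUILT_INITRAMFS],
        "local_host_a": [KERNEL, CMDLINE, local_initramfs("host-a")],
        "local_host_b": [KERNEL, CMDLINE, local_initramfs("host-b")],
        "prebuilt_modified": [KERNEL, CMDLINE, PREBUILT_INITRAMFS + b"\x00"],
    }
    return {name: verify(replay(chain), reference) for name, chain in chains.items()}

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18} matches published value: {ok}")
```

The two locally generated chains are both legitimate here, yet neither matches the reference and they do not match each other, so the verifier cannot tell them apart from the modified image.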
This latest attempt at possibly using pre-built initramfs images on Fedora is being discussed via this mailing list thread.