From: Niels Thykier <niels-g5vtf2JUtkjR7s880joybQ@public.gmane.org>
To: Matthew Garrett <mjg59-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
Cc: initramfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: Producing verifiable initramfs images
Date: Thu, 6 Feb 2020 08:31:07 +0100 [thread overview]
Message-ID: <4ceef357-7b59-e4ed-52c2-1843013c8439@thykier.net> (raw)
In-Reply-To: <CACdnJutwsCPERLR=tF65O=2tCgf+BHbWmsC6bpVrhwyOXcKCxA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
Matthew Garrett:
> [...]
>
> The second is a different problem, but still seems achievable. Each
> package that potentially adds content to the initramfs could provide a
> pre-built CPIO containing its code, and based on local configuration
> we can ask grub to load those as well.
>
> This would result in something that's roughly equivalent to our
> current situation, but would allow us to verify that the initramfs
> images containing code hadn't been tampered with. [...]
>
> A minimal proof of concept here would presumably be a patch to the
> kernel package to build an initramfs binary package, and then some
> additional tooling to copy appropriate config to the boot partition
> and have grub pick that up. Does anybody have any strong feelings on
> the topic? If not, I'll try to mock this up.
>
Hi Matthew,
Thanks for working on making initramfs verifiable. :)
Let me know if/when there are any changes needed to dh_installinitramfs
and I will be happy to review them. At the moment, it is just an easy way
to inject "update-initramfs -u" in the relevant maintscripts if the
package has a /usr/share/initramfs-tools/hooks.
If we can solve this without using maintscripts, I would be even happier
and am ready to do my part in that if you need any help there! I know
it is not the main goal of what you are trying to do here and nor should it
be a blocker for it - this is just me hoping for the best! :)
~Niels
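The per-package CPIO idea above only gives a verifiable image if the archive is built deterministically, so that a recorded digest stays valid across rebuilds. The following is an added illustration, not code from this thread, initramfs-tools or the kernel package: a minimal reproducible newc cpio writer, a reader that lists the members, and a digest check. The file paths in SAMPLE_FILES are constructed.

```python
import hashlib
import hmac
import io
import stat

NEWC_MAGIC = b"070701"

def _newc_entry(name: str, mode: int, data: bytes, ino: int) -> bytes:
    """One newc cpio record. uid, gid and mtime are pinned to 0 so the
    archive does not depend on who built it or when."""
    name_b = name.encode() + b"\0"
    fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
    out = NEWC_MAGIC + b"".join(f"{v:08x}".encode() for v in fields) + name_b
    out += b"\0" * (-len(out) % 4)          # file data starts 4-byte aligned
    return out + data + b"\0" * (-len(data) % 4)

def build_cpio(files: dict) -> bytes:
    """Deterministic archive: entries sorted by path, fixed metadata."""
    buf = io.BytesIO()
    for ino, path in enumerate(sorted(files), start=1):
        buf.write(_newc_entry(path, stat.S_IFREG | 0o755, files[path], ino))
    buf.write(_newc_entry("TRAILER!!!", 0, b"", 0))
    return buf.getvalue()

def list_cpio(blob: bytes) -> list:
    """Walk a newc archive and return its member paths (trailer excluded)."""
    names, pos = [], 0
    while True:
        if blob[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError("not a newc cpio archive at offset %d" % pos)
        f = [int(blob[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = f[6], f[11]
        name = blob[pos + 110:pos + 110 + namesize - 1].decode()
        if name == "TRAILER!!!":
            return names
        names.append(name)
        data_start = pos + 110 + namesize
        data_start += -data_start % 4       # same alignment rule as the writer
        pos = data_start + filesize + (-filesize % 4)

def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def verify_image(blob: bytes, expected_hex: str) -> bool:
    """Compare against a recorded digest (e.g. one shipped with the package)."""
    return hmac.compare_digest(sha256_hex(blob), expected_hex)

# Constructed sample: files a package's initramfs hook might contribute.
SAMPLE_FILES = {
    "scripts/local-top/example": b"#!/bin/sh\necho example\n",
    "usr/share/initramfs-tools/hooks/example": b"#!/bin/sh\nexit 0\n",
}
```

Building the same file set in a different order yields byte-identical output, which is what lets a package ship one digest for its archive and have the boot side check it before loading.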