Chris Murphy wrote:
There was some discussion about 18 months ago on the file system layout [1]. It also mentions the Boot Loader Specification.
systemd 252 NEWS [2] mentions changes and clarifications in sd-boot, bootctl, and the Boot Loader Specification. And it's got me wondering if there's interest in openSUSE adopting Boot Loader Spec?
I can't speak for others but I am interested :-)
I recently came across Boom [3], a project to manage BLS snippets for the boot-to-snapshot use case, Btrfs and LVM.
One hurdle is BLS pretty much obviates the idea of an encrypted $BOOT, which openSUSE supports right now. While the kernel and initramfs are not secrets, thus don't need confidentiality, the initrd in particular needs to be protected from malicious insertions, which (somewhat indirectly) encryption achieves. Whether no initramfs or implementing BLS Type 2 (EFI Unified Kernel Images, which includes an initrd and bootloader config, and the whole thing is signed), suggests pretty significant changes to implement.
As long as we don't secure the whole boot chain using e.g. TPM, it doesn't really matter whether the initrd is within the encrypted volume or not. I think people have a false sense of security with encrypted /boot as it is now. Anyway, yes, initrd authentication needs to be solved at some point to counter evil maid attacks but is not a blocker for BLS IMO.
Any recent thoughts on the general direction to go in? Thanks.
In general I think we should prepare for BLS/sd-boot. To solve the snapshot issue I made a PoC that hooks into snapper a while ago:
https://build.opensuse.org/package/show/home:lnussel:legacyfree/kernel-insta...

Works on both traditional systems as well as MicroOS. Here's an image that boots with sd-boot and has snapshots support:
https://build.opensuse.org/package/binaries/home:lnussel:legacyfree/openSUSE...

Also some upstream discussion:
https://github.com/systemd/systemd/pull/23841

In the long run we need some more radical changes though. I don't think /.snapshots, transactional-update and overlayfs hacks to fool packages are things to keep going forward.

cu
Ludwig

--
Ludwig Nussel
http://www.suse.com/
SUSE Software Solutions Germany GmbH, GF: Ivo Totev
HRB 36809 (AG Nürnberg)