Andrei Borzenkov wrote:
There is always the possibility of a rogue kernel module installed through some remotely exploited vulnerability inside of an unlocked LUKS container. Whether it is more realistic than someone getting hold of your notebook and purposefully installing initrd replacement I do not know.

Is the key used to sign kernel images physically present on the same system where the kernel is used? This is yet another attack vector.

This is a work computer. My threat model is someone doing stuff with it while I'm out of office, not remote exploits.

Secure Boot prevents that.

So you do not want to sign kernel modules at all, correct? But in this case you do not need Secure Boot either, you can unlock LUKS via TPM which fails if measurements change (e.g. someone replaced initrd).

Does Dracut support doing so automatically, or is it something I would need to do after every kernel or nvidia update?
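The TPM-bound unlock discussed above, as an added worked example that is not from the thread or from the dracut or systemd projects. It assumes a LUKS2 volume (the device path `LUKS_DEV` is a placeholder), a dracut-built initrd with systemd-cryptsetup, and `systemd-cryptenroll` on the host. The point it makes explicit is the answer to the last question: the PCRs that would notice a swapped initrd (PCR 4, the boot loader path, and PCR 9, the initrd as measured by the kernel's EFI stub) are exactly the ones that change on every legitimate kernel or initrd rebuild, so an enrolment bound to them has to be redone after each update; binding only to PCR 7 (Secure Boot state) survives updates but does not cover the initrd at all. Shipping the TPM stack in the initrd itself is a one-time dracut configuration.

```shell
#!/bin/sh
# Added example, not code from the thread: bind a LUKS2 volume to TPM2 PCRs,
# ship the TPM2 stack in every dracut initrd, and re-enrol after updates.
# Assumptions (placeholders, not from the thread): LUKS_DEV is the LUKS2
# device, dracut builds a systemd-based initrd, systemd-cryptenroll exists.
set -eu

LUKS_DEV="${LUKS_DEV:-/dev/disk/by-uuid/PLACEHOLDER-UUID}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands; set to 0 to execute

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Which PCRs does the policy need?
#   PCR 7: Secure Boot state. Stable across kernel/initrd updates, but it
#          does not include the initrd, so a swapped initrd leaves it unchanged.
#   PCR 4: boot loader and what it loads. PCR 9: the initrd, measured by the
#          kernel's EFI stub. Both change on every kernel/initrd rebuild.
# Returns 0 when the policy would notice a replaced initrd; the same answer
# tells you whether a kernel/initrd update invalidates the enrolment.
policy_detects_initrd_swap() {
    for p in $(printf '%s' "$1" | tr '+' ' '); do
        case "$p" in
            4|9) return 0 ;;
        esac
    done
    return 1
}

# Enrol a TPM2 key slot bound to the given PCR policy. --wipe-slot=tpm2 drops
# the stale enrolment from before an update, so only one TPM2 slot remains.
enroll_tpm2() {
    pcrs="$1"
    run systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto \
        --tpm2-pcrs="$pcrs" "$LUKS_DEV"
}

# /etc/crypttab line: systemd-cryptsetup in the initrd tries the TPM first and
# falls back to the passphrase prompt when the PCR policy does not match.
crypttab_line() {
    printf 'root_crypt %s none tpm2-device=auto\n' "$LUKS_DEV"
}

# dracut config fragment that pulls the TPM2 stack into every generated initrd,
# so the initrd side needs no manual step after kernel or nvidia updates.
dracut_conf() {
    printf 'add_dracutmodules+=" tpm2-tss "\n'
}

write_dracut_conf() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '# would write /etc/dracut.conf.d/tpm2.conf:\n%s\n' "$(dracut_conf)"
    else
        dracut_conf > /etc/dracut.conf.d/tpm2.conf
    fi
}

# Full procedure. Run once; re-run enroll_tpm2 after each update when the
# policy includes PCR 4 or 9.
setup() {
    pcrs="${1:-7+9}"
    write_dracut_conf
    run dracut --force
    enroll_tpm2 "$pcrs"
    if policy_detects_initrd_swap "$pcrs"; then
        echo "# note: PCRs $pcrs change on kernel/initrd updates; re-run enroll_tpm2 after each one" >&2
    fi
}

# Only act when invoked explicitly; sourcing the file just defines functions.
if [ "${1:-}" = "--setup" ]; then
    setup "${2:-7+9}"
fi
```

Run with `DRY_RUN=1 sh tpm2-luks.sh --setup 7+9` first to see the exact commands; `DRY_RUN=0` executes them. Choosing `7+9` gives a policy that catches an initrd swap and still falls back to the passphrase prompt after an update until the slot is re-enrolled, which is the trade-off the thread is asking about.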