I wonder if devs have considered switching to Unified Kernel Images before? Existing tools are able to create such images already, but the installation scripts need to be updated. That would allow simplifying the booting process when Secure Boot and full disk encryption are used and would also make it more secure.
On 2022-10-08 18:08, yurishish@gmail.com wrote:
> I wonder if devs have considered switching to Unified Kernel Images before? Existing tools are able to create such images already, but the installation scripts need to be updated. That would allow simplifying the booting process when Secure Boot and full disk encryption are used and would also make it more secure.

Not sure about the UKIs. There are cool properties in going in that direction, and one that I can see is that it will force OBS to start providing some kind of small, static and common initrd.

In any case the UKIs are a bit of a bigger plan, and IMHO the security model is something that definitely yes, we should work on.

There is more info here: https://uapi-group.org/
On Fri, 28 Oct 2022 08:28:21 +0200 aplanas wrote:
> On 2022-10-08 18:08, yurishish@gmail.com wrote:
>> I wonder if devs have considered switching to Unified Kernel Images before? Existing tools are able to create such images already, but the installation scripts need to be updated. That would allow simplifying the booting process when Secure Boot and full disk encryption are used and would also make it more secure.
>
> Not sure about the UKIs. There are cool properties in going in that direction, and one that I can see is that it will force OBS to start providing some kind of small, static and common initrd.
>
> In any case the UKIs are a bit of a bigger plan, and IMHO the security model is something that definitely yes, we should work on.
>
> There is more info here: https://uapi-group.org/

I was unfamiliar with the UKI concept, so "Brave New Trusted Boot World"[0] was posted just in time to explain it :)

[0] https://0pointer.net/blog/brave-new-trusted-boot-world.html

Pedja
On Fri, Oct 28, 2022 at 12:22:40PM +0200, Predrag Ivanović wrote:
> On Fri, 28 Oct 2022 08:28:21 +0200 aplanas wrote:
>> On 2022-10-08 18:08, yurishish@gmail.com wrote:
>>> I wonder if devs have considered switching to Unified Kernel Images before? Existing tools are able to create such images already, but the installation scripts need to be updated. That would allow simplifying the booting process when Secure Boot and full disk encryption are used and would also make it more secure.
>>
>> Not sure about the UKIs. There are cool properties in going in that direction, and one that I can see is that it will force OBS to start providing some kind of small, static and common initrd.
>>
>> In any case the UKIs are a bit of a bigger plan, and IMHO the security model is something that definitely yes, we should work on.
>>
>> There is more info here: https://uapi-group.org/
>
> I was unfamiliar with the UKI concept, so "Brave New Trusted Boot World"[0] was posted just in time to explain it :)
>
> [0] https://0pointer.net/blog/brave-new-trusted-boot-world.html
>
> Pedja

This is very very fresh. There was a big workshop in Berlin, where SUSE also participated. Let's see how this all develops.

Ciao, Marcus
participants (4): aplanas, Marcus Meissner, Predrag Ivanović, yurishish@gmail.com