Github messages for voidlinux
From: voidlinux-github@inbox.vuxu.org
To: ml@inbox.vuxu.org
Subject: Re: EFI Secure Boot Build Support
Date: Fri, 21 Jun 2019 00:39:33 +0200	[thread overview]
Message-ID: <20190620223933.1-0RdWMyWlJgBTJZURxlELpIKU6cC3KXw0MWqFzcv2I@z> (raw)
In-Reply-To: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-12495@inbox.vuxu.org>


New comment by andkem on void-packages repository

https://github.com/void-linux/void-packages/issues/12495#issuecomment-504224383
Comment:
@congdanhqx, I looked at those recipes and the hooks that were in place, but didn't consider them a complete secure boot solution since they don't, as you point out, sign the initrd or provide tools for actually generating keys. There was also some block of the hook that had a comment stating it was untested, iirc. Sadly I'm away from my computer for the weekend, so I cannot check.

For a secure boot solution that isn't trivial (well, almost) to circumvent, we need both kernel and initrd to be signed. We also need the root file system to either be signed and read-only, e.g. using dm-verity, or encrypted. I'd suggest that telling people to encrypt should be enough, since a read-only root won't really work with Void the way it is currently structured.

The main point to make for using Grub instead of a pure EFI boot is that we could support having the boot partition encrypted. Even with signed binaries, there are attacks that can be mitigated by having it encrypted. An example could be injecting data into the partition that you are then tricked into signing.

If you'd like to start working on this, congdanhqx, I don't mind. I'd also be glad to cooperate, review and discuss if you want.
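The chain the comment describes, as an added example that is not code from the thread or from void-packages: it parses the PE32+ headers of a kernel image to report whether an Authenticode certificate table is present (presence only; validating the signature is a job for sbverify) and whether the initramfs is embedded as a `.initrd` section in the systemd EFI-stub convention, so a loose initramfs is flagged as outside the firmware's check. The sample images come from the constructed `build_image` helper and are headers only, not bootable.

```python
"""Classify a boot entry as the comment reasons: firmware verifies only a signed
PE image, so the initramfs is covered only when embedded in that image."""
import struct

DOS_E_LFANEW = 0x3C
PE32PLUS_MAGIC = 0x20B
SECURITY_DIR = 4    # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table


def parse_pe(data):
    """Return {'signed': bool, 'sections': [...]} for a PE32+ image, else None."""
    try:
        if data[:2] != b"MZ":
            return None
        pe = struct.unpack_from("<I", data, DOS_E_LFANEW)[0]
        if data[pe:pe + 4] != b"PE\0\0":
            return None
        nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)  # COFF header
        opt = pe + 24
        if struct.unpack_from("<H", data, opt)[0] != PE32PLUS_MAGIC:
            return None
        # Data directories begin 112 bytes into a PE32+ optional header.
        _rva, sec_size = struct.unpack_from("<II", data, opt + 112 + SECURITY_DIR * 8)
        table = opt + opt_size
        if len(data) < table + 40 * nsect:
            return None
        names = [data[o:o + 8].rstrip(b"\0").decode()
                 for o in range(table, table + 40 * nsect, 40)]
    except (struct.error, UnicodeDecodeError):
        return None
    # 'signed' means a certificate table exists, not that it verifies.
    return {"signed": sec_size > 0, "sections": names}


def build_image(signed, sections):
    """Constructed minimal PE32+ skeleton (headers only, not bootable)."""
    dirs = bytearray(16 * 8)
    if signed:
        struct.pack_into("<II", dirs, SECURITY_DIR * 8, 0x1000, 0x600)  # fake table
    opt = struct.pack("<H", PE32PLUS_MAGIC) + bytes(110) + bytes(dirs)
    coff = struct.pack("<HH12xHH", 0x8664, len(sections), len(opt), 0x22)
    sect = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in sections)
    return b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0" + coff + opt + sect


def audit_entry(kernel):
    """A loose initramfs (no '.initrd' section) is never checked by the firmware."""
    info = parse_pe(kernel)
    kernel_signed = bool(info and info["signed"])
    initrd_covered = kernel_signed and ".initrd" in info["sections"]
    return {"kernel_signed": kernel_signed, "initrd_covered": initrd_covered,
            "chain_complete": kernel_signed and initrd_covered}
```

Feeding `audit_entry` the bytes of a real kernel or unified image gives the same verdicts; a gzip initramfs passed on its own is simply "not a PE" and so never covered.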

