New comment by andkem on void-packages repository https://github.com/void-linux/void-packages/issues/12495#issuecomment-507325213 Comment:

> On June 20, 2019 10:38:25 PM UTC, andkem ***@***.***> wrote:
>> they don't, as you point out, sign the initrd or provide tools for
>> actually generating keys.
> The sbsigntools couldn't sign the initrd itself, it can sign the efi executable (EFIStub enabled kernel, refind, grub) only.

I think it should be possible to do a setup where you verify everything using EFI, but I haven't tried it so I don't know how difficult it is. I was merely pointing out that the parts for doing all the signing are missing.

>> If I understand other comments correctly, grub signs kernel and initrd with gpg.

Grub doesn't sign the kernel or the initrd, that is done using the normal gpg2 util. Grub only verifies the signature using the key compiled into it, but I guess that is what you meant.

> The efi signing-key generation is done by openssl and efitools, IIRC. I didn't put the key generator script into the installation because I wasn't sure what should be done with the manufacturer's key that exists in the EFI firmware. Should we concatenate that key with our newly generated key, or should we simply throw it away, or should we give users a choice?

I would suggest that the user is asked if he wishes to create a backup of the built-in keys. That way they could be restored later. We will likely not be able to automate the installation of new keys in the motherboard. We could print a message giving guidance as to which files should be imported.

> I don't know about the key generation for GRUB, is it a gpg key? What is our expectation for this? Or should we skip signing if there's no gpg key?

The GPG key is generated like one normally does with GPG. I would suggest that we ask the user to generate a key, possibly printing the command he needs to execute, and then prompt for the ID of the key the user wishes to use.
It could be as simple as executing gpg2 --full-generate-key and following the instructions, I'd suggest a 4096 RSA key. Without actually signing using a GPG key, the process is pretty pointless. And sorry for the tardy reply, I was away and didn't really have access to my computer.
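As an added illustration (not code from this thread or from the void-packages project), here is how the three steps discussed above could be wired together in a POSIX sh script: dump the firmware's built-in Secure Boot variables before touching them, produce detached gpg2 signatures for the kernel and initrd that GRUB will verify against its embedded key, and sbsign the EFI executable, which is the only thing sbsigntools can sign. All paths, the script name sign_boot.sh, the backup directory and the db key/cert location are assumptions for the example; the thread does not settle them. The script follows andkem's suggestion of backing up rather than discarding the vendor keys, and skips GPG signing with a distinct exit code when no key ID is supplied, the case the other commenter asked about.

```shell
#!/bin/sh
# Added example, not code from the void-packages thread or from andkem.
# Assumed (not from the thread): Secure Boot db key/cert in /etc/efikeys,
# GRUB built with the GPG public key embedded (grub-mkstandalone --pubkey),
# firmware keys backed up under /root/efi-keys-backup.
#
# Return codes used by every helper:
#   0 ok, 1 bad input or tool failure, 2 no GPG key id (signing skipped),
#   3 required tool not installed

# Step 1: save the firmware's built-in PK/KEK/db/dbx with efitools'
# efi-readvar so they can be re-imported later (efi-updatevar).
backup_efi_keys() {
    outdir="$1"
    command -v efi-readvar >/dev/null 2>&1 || { echo "efi-readvar (efitools) not installed" >&2; return 3; }
    mkdir -p "$outdir" || return 1
    for var in PK KEK db dbx; do
        efi-readvar -v "$var" -o "$outdir/orig_$var.esl" || return 1
    done
    echo "firmware keys saved under $outdir"
}

# Step 2: detached GPG signature for a kernel or initrd. GRUB only
# verifies: with check_signatures=enforce it looks for <file>.sig next to
# <file>, so the signing itself is plain gpg2 with the chosen key id.
gpg_sign_file() {
    keyid="$1"; file="$2"
    [ -n "$keyid" ] || { echo "no GPG key id, skipping signature of $file" >&2; return 2; }
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    command -v gpg2 >/dev/null 2>&1 || { echo "gpg2 not installed" >&2; return 3; }
    gpg2 --batch --yes --local-user "$keyid" --detach-sign --output "$file.sig" "$file" || return 1
}

# Step 3: Authenticode-sign the EFI executable (EFISTUB kernel, rEFInd or
# grubx64.efi) with the db key, then check the result against the cert.
sbsign_efi() {
    key="$1"; cert="$2"; efi="$3"
    [ -f "$key" ] && [ -f "$cert" ] && [ -f "$efi" ] || { echo "missing key, cert or EFI binary" >&2; return 1; }
    command -v sbsign >/dev/null 2>&1 || { echo "sbsign (sbsigntools) not installed" >&2; return 3; }
    sbsign --key "$key" --cert "$cert" --output "$efi.signed" "$efi" || return 1
    sbverify --cert "$cert" "$efi.signed" || return 1
}

# Usage: sign_boot.sh <gpg-key-id> <kernel> <initrd> <efi-binary>
main() {
    keyid="$1"; kernel="$2"; initrd="$3"; efi="$4"
    backup_efi_keys /root/efi-keys-backup || return $?
    gpg_sign_file "$keyid" "$kernel" || return $?
    gpg_sign_file "$keyid" "$initrd" || return $?
    sbsign_efi /etc/efikeys/db.key /etc/efikeys/db.crt "$efi" || return $?
}

if [ "$#" -eq 4 ]; then
    main "$@"
fi
```

The backup runs first on purpose: once a new PK is enrolled the firmware leaves user mode and the vendor's db entries are gone unless they were dumped beforehand. Note that the .sig files must be regenerated on every kernel or initrd rebuild, so in practice step 2 belongs in a kernel post-install hook rather than a one-off script.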