Allow an entry to suppress initrd= options #32735
Conversation
github-actions
bot
added
sd-boot/sd-stub/bootctl
please-review
|
Important An -rc1 tag has been created and a release is being prepared, so please note that PRs introducing new features and APIs will be held back until the new version has been released. |
MaxHearnden
force-pushed
the
initrd-suppress
branch
from
893bca0 to
cc74b03
Compare
Currently a kernel initrd can come from the following places: - The LOAD_FILE2 protocol where the initrd is measured into PCR 9 - The initrd= where the initrd is not measured - The linux boot protocols which systemd-boot doesn't use - A builtin initrd which is measured as part of the kernel - An initrdless setup where the behaivour comes from both the kernel and cmdline, both of which are measured Out of these, the initrd= method is the only one which isn't measured. By suppressing the initrd= option, we can get a fully measured boot. This only suppresses the automatic addition of the initrd= option by systemd-boot, however this allows for verification that the initrd was not loaded through initrd= which is not currently possible.
MaxHearnden
force-pushed
the
initrd-suppress
branch
from
cc74b03 to
8991e40
Compare
|
Hmm, I am not sure I follow? If this is just a new stanza for boot loader type #1 files (i.e. .conf), then how exactly is this beneficial? i mean, you might as well just drop the "initrd" stanza you might have in the same file, so it seems entirely redundant? Not grokking this? it might make sense to teach the kernel a compile time option which allows turning off the initrd= interpretation, and that would lock things down nicely, but I don't see how a boot loader spec type 1 entry would help? |
poettering
added
needs-discussion 🤔
needs-reporter-feedback ❓
|
A fix for this in the kernel has been merged into master and will be in 6.13 (fixed in c004703ed7ae6be30ee7dcb37801bda4c6a24c3b and merged in 18a411cc5d5ce57d483718b1341a3ca69079bee2) |
github-actions
bot
removed
needs-discussion 🤔
needs-reporter-feedback ❓
Currently a kernel initrd can come from the following places:
Out of these, the initrd= method is the only one which isn't measured. By suppressing the initrd= option, we can get a fully measured boot.
This only suppresses the automatic addition of the initrd= option by systemd-boot, however this allows for verification that the initrd was not loaded through initrd= which is not currently possible.
I am not sure that
initrd-arg: yes/initrd-arg: nois the best syntax and would be open to suggestions.