This critically depends on the initrd being non-manipulated.
Of course, you cannot use the initrd to verify a signature
on the initrd securely ...
Regards,
Arno
On Sat, Jun 20, 2020 at 19:26:32 CEST, JT Morée wrote:
> I'm working through a setup right now and documenting at
> https://sites.google.com/site/jtmoree/knowledge-base/smart-cards-and-linux/kubuntu-20-04
>
> I am using the smartcard to unlock root during the boot process. this is
> done by the kernel and initrd using out of the box tools and processes.
>
> in this setup /boot is in the clear and I have some ideas for signing the
> kernel+initrd with the smart card, then verifying on boot. will update
> the link if I get that working.
>
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
_______________________________________________
dm-crypt mailing list
dm-crypt@saout.de
https://www.saout.de/mailman/listinfo/dm-crypt