Unified Kernel Images support #1855
randomthingsandstuff asked this question in Q&A
We're also interested in UKI:s and following the development closely! There is some work going on around refactoring the bootloader and system mount code (most notably #1858 and #1837) which could lead to supporting UKI:s in the future, but there is still some way left. If you do try this out we would be very interested in the results! 👍
I am interested in utilizing unified kernel images instead of traditional kernel + initrd.
From what I can see, the two places where an initrd path or existence are currently expected are:
What else would keep unified kernel images out of the mix? And what kind of interest is there in going this direction?
Rationale for use: When we do TPM-based disk keys such as in systemd-cryptsetup, measurements applied to the PCRs include the kernel image. This leaves a big unmeasured hole: initrd. When doing UKI, the initrd being attached to the kernel means that it gets measured and disk won't be decrypted if it gets messed with.
A/B/Recovery image differences causing different PCRs can be fixed up based on the TPM policy in place and some post-upgrade hook.
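The measurement argument in the question above, modelled as an added example that is not part of the original post or of the project's code. It assumes, as the post does, that only the kernel image is measured in the split layout, treats a UKI as a single measured blob, and uses constructed byte strings and hypothetical helper names (`policy_for_slots`, `unseal_allowed`) to stand in for images and a multi-value PCR policy.

```python
import hashlib
import hmac

PCR_INIT = bytes(32)  # a SHA-256 bank PCR starts as 32 zero bytes


def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM PCR extend: new = SHA256(old || SHA256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


def measure_split(kernel: bytes, initrd: bytes) -> bytes:
    """Kernel + separate initrd, only the kernel measured (the post's premise)."""
    return extend(PCR_INIT, kernel)  # initrd never reaches extend()


def measure_uki(kernel: bytes, initrd: bytes) -> bytes:
    """UKI modelled as one image: the initrd bytes are part of what is measured."""
    return extend(PCR_INIT, kernel + initrd)


def policy_for_slots(slots: dict) -> set:
    """Hypothetical post-upgrade hook: expected PCR value for each installed slot."""
    return {measure_uki(kernel, initrd) for kernel, initrd in slots.values()}


def unseal_allowed(policy: set, current_pcr: bytes) -> bool:
    """Stand-in for a PCR policy that accepts any one of several values."""
    return any(hmac.compare_digest(value, current_pcr) for value in policy)


# Constructed sample images (not real kernels or initrds).
KERNEL_A, INITRD_A = b"kernel-A", b"initrd-A"
KERNEL_B, INITRD_B = b"kernel-B", b"initrd-B"
INITRD_TAMPERED = b"initrd-A with an extra hook"

if __name__ == "__main__":
    policy = policy_for_slots({"A": (KERNEL_A, INITRD_A)})
    print("split layout notices tampering:",
          measure_split(KERNEL_A, INITRD_A) != measure_split(KERNEL_A, INITRD_TAMPERED))
    print("UKI unseals when intact:",
          unseal_allowed(policy, measure_uki(KERNEL_A, INITRD_A)))
    print("UKI unseals when initrd tampered:",
          unseal_allowed(policy, measure_uki(KERNEL_A, INITRD_TAMPERED)))
    policy = policy_for_slots({"A": (KERNEL_A, INITRD_A), "B": (KERNEL_B, INITRD_B)})
    print("slot B unseals after hook:",
          unseal_allowed(policy, measure_uki(KERNEL_B, INITRD_B)))
```

On real firmware the image digest is computed over the PE binary rather than a flat concatenation, so the values here illustrate the chaining only.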