Unified Kernel Images support #1855
Unanswered
randomthingsandstuff asked this question in Q&A
We're also interested in UKIs and following the development closely! There is some work going on around refactoring the bootloader and system mount code (most notably #1858 and #1837) which could lead to supporting UKIs in the future, but there is still some way left. If you do try this out, we would be very interested in the results! 👍
I am interested in utilizing unified kernel images instead of traditional kernel + initrd.
From what I can see, the two places where an initrd path or existence are currently expected are:
What else would keep unified kernel images out of the mix? And what kind of interest is there in going this direction?
Rationale for use: When we do TPM-based disk keys such as in systemd-cryptsetup, measurements applied to the PCRs include the kernel image. This leaves a big unmeasured hole: initrd. When doing UKI, the initrd being attached to the kernel means that it gets measured and the disk won't be decrypted if it gets messed with.
A/B/Recovery image differences causing different PCRs can be fixed up based on the TPM policy in place and some post-upgrade hook.
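A simplified model of the rationale in the question above, added here as an illustration and not part of the original discussion or the project's code: it replays PCR extends for a kernel-only measurement and for a single UKI measurement, then shows a policy that accepts both the A and B slot values. The image contents, the function names and the set-based policy are assumptions; a real TPM expresses the policy through its own policy commands, and firmware measures more than these blobs.

```python
import hashlib

def extend(pcr: bytes, blob: bytes) -> bytes:
    """SHA-256 bank PCR extend: new = SHA256(old || SHA256(blob))."""
    return hashlib.sha256(pcr + hashlib.sha256(blob).digest()).digest()

def boot_pcr(measured_blobs) -> bytes:
    """Replay a boot: start from the all-zero PCR and extend each measured blob."""
    pcr = bytes(32)
    for blob in measured_blobs:
        pcr = extend(pcr, blob)
    return pcr

def split_boot(kernel: bytes, initrd: bytes) -> bytes:
    # Assumption taken from the post: only the kernel image is measured,
    # the initrd is loaded without being extended into the PCR.
    return boot_pcr([kernel])

def uki_boot(kernel: bytes, initrd: bytes) -> bytes:
    # Simplified model: the UKI is one image containing both parts,
    # so a single measurement covers kernel and initrd together.
    return boot_pcr([kernel + initrd])

def unseal(policy: set, pcr: bytes) -> bool:
    """The disk key is released only if the current PCR value is in the policy."""
    return pcr in policy

# Constructed sample images (placeholders, not real kernels or initrds).
KERNEL_A, INITRD_A = b"kernel-slot-A", b"initrd-slot-A"
KERNEL_B, INITRD_B = b"kernel-slot-B", b"initrd-slot-B"
TAMPERED = b"initrd-slot-A-with-extra-hook"

def demo() -> dict:
    split_policy = {split_boot(KERNEL_A, INITRD_A)}
    uki_policy = {uki_boot(KERNEL_A, INITRD_A)}
    result = {
        "split_unseals_tampered": unseal(split_policy, split_boot(KERNEL_A, TAMPERED)),
        "uki_unseals_tampered": unseal(uki_policy, uki_boot(KERNEL_A, TAMPERED)),
        "uki_unseals_slot_b_before_hook": unseal(uki_policy, uki_boot(KERNEL_B, INITRD_B)),
    }
    # Hypothetical post-upgrade hook: enroll the expected value for slot B as well.
    uki_policy.add(uki_boot(KERNEL_B, INITRD_B))
    result["uki_unseals_slot_b_after_hook"] = unseal(uki_policy, uki_boot(KERNEL_B, INITRD_B))
    result["uki_unseals_slot_a_after_hook"] = unseal(uki_policy, uki_boot(KERNEL_A, INITRD_A))
    return result

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```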