Fedora Stakeholders Discuss Possibility Of Using Pre-Built Initramfs Images

Written by Michael Larabel in Fedora on 28 January 2020 at 03:55 AM EST. 25 Comments
Another alternative to slow initramfs generation could be distributing pre-built initramfs images to users. An additional benefit of that is possibly better security with measured boot capabilities, a matter currently being discussed by Fedora stakeholders.

Fedora has from time to time brought up the topic of using pre-built initramfs images, and that happened again last week when former Red Hat employee turned Googler Matthew Garrett raised it. He put forward a possible proposal to ship pre-built initramfs images in the name of better security with measured boot.

As he explained, "Measured boot involves generating cryptographic measurements of boot components and configuration and using that to either control access to a local secret (in the case of sealing secrets to a TPM) or proving to another device (eg, a remote server or a local phone) what was booted. We're shipping most of the infrastructure to do this, but we're still left with a pretty fundamental problem - we need to know what the expected values are in order to know whether something's been tampered with or not."

Because the initramfs images are generated client-side, the measurements aren't the same across systems, so there is no single expected value to compare against. But pre-built initramfs images would have to contain more kernel modules than most users need, and there are other special cases to handle, so it's not a trivial change by any means.
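To make the problem concrete, here is a small model of the measured-boot flow Garrett describes. It is an added example written for this article, not code from Fedora, dracut or the mailing list proposal: a TPM-style PCR is extended with the digest of each boot component (a constructed kernel stand-in, an initramfs archive, a kernel command line), a distributor publishes the PCR value of a reproducibly built image, and a verifier accepts only an exact match. Two hosts that generate the same initramfs content locally but with different timestamps or file ordering produce different archive bytes, hence different PCR values, hence no usable expected value. The file names, blobs and timestamps are constructed, and a tar archive stands in for the real cpio image.

```python
"""Toy measured-boot model (constructed example, not Fedora or dracut code):
why locally generated initramfs images defeat an "expected PCR value" check."""
import hashlib
import hmac
import io
import tarfile

PCR_SIZE = 32  # one SHA-256 PCR bank


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: a PCR can only be folded forward, never set directly."""
    return sha256(pcr + digest)


def measure_chain(components) -> bytes:
    """Extend a zeroed PCR with each boot component in order, the way firmware
    and the bootloader measure kernel, initramfs and command line."""
    pcr = bytes(PCR_SIZE)
    for blob in components:
        pcr = pcr_extend(pcr, sha256(blob))
    return pcr


# Constructed stand-ins for the real boot artefacts.
KERNEL = b"vmlinuz: constructed stand-in for the kernel image"
CMDLINE = b"root=UUID=placeholder ro quiet"
INITRAMFS_FILES = {
    "init": b"#!/bin/sh\nexec /sbin/init\n",
    "lib/modules/example.ko": b"module bytes (constructed)",
}


def build_initramfs(files: dict, mtime: int, order) -> bytes:
    """Pack files into an uncompressed tar (simpler than cpio, same lesson):
    header fields such as mtime and entry order change the archive bytes
    even when the file contents are identical."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in order:
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def distro_expected_pcr() -> bytes:
    """The value a distributor could publish: one image, built reproducibly
    (fixed mtime, sorted entries) and shipped to every machine."""
    image = build_initramfs(INITRAMFS_FILES, mtime=0, order=sorted(INITRAMFS_FILES))
    return measure_chain([KERNEL, image, CMDLINE])


def client_pcr(mtime: int, order) -> bytes:
    """What a machine measures when it generated its own initramfs locally."""
    image = build_initramfs(INITRAMFS_FILES, mtime=mtime, order=list(order))
    return measure_chain([KERNEL, image, CMDLINE])


def attest(expected: bytes, actual: bytes) -> bool:
    """Remote verifier or TPM unseal policy: only an exact PCR match passes."""
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    expected = distro_expected_pcr()
    # Same file contents, generated on two hosts at different times and in
    # different order (constructed timestamps).
    host_a = client_pcr(1580000000, ["init", "lib/modules/example.ko"])
    host_b = client_pcr(1580000100, ["lib/modules/example.ko", "init"])
    prebuilt_host = distro_expected_pcr()  # a host that installed the shipped image
    print("pre-built image attests: ", attest(expected, prebuilt_host))
    print("host A local image attests:", attest(expected, host_a))
    print("host B local image attests:", attest(expected, host_b))
    print("host A == host B:          ", host_a == host_b)
```

Run it and only the pre-built image attests; the two locally generated images fail, and they also disagree with each other, which is exactly why a verifier has no value to publish for client-built images. Note that a real distribution would also have to fix the command line and every other measured input, not only the initramfs, for the published value to hold.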

This latest proposal for using pre-built initramfs images on Fedora is being discussed in this mailing list thread.