Re: [RFC 2/2] initramfs with digital signature protection

[Dmitry Kasatkin]

On Thu, Apr 11, 2013 at 5:55 PM, Vivek Goyal <vgoyal@xxxxxxxxxx> wrote:
> On Thu, Apr 11, 2013 at 11:06:55AM +0300, Dmitry Kasatkin wrote:
>> Hello,
>>
>> I respond to the original question of this thread.
>> signed initramfs allows not only to add keys to the keyrings but perform
>> other initialization,
>> which requires user-space.
>> Keys can be embedded into the kernel. This is fine.
>
> What other initialization user space need to do where we can't trust
> root (even in secureboot mode).
>
> IOW, if keys can be embedded in kernel (or read from UEFI db and MOK db),
> what other operation requires initramfs to be signed. It could very well
> be unsigned initramfs like today.
>

It looks like you do not hear me.
I said that any user space initialization can be done from signed user space.
For example IMA policy can be initialized.

I see that you see your particular case and in that case you do not
require that.
That is fine. That is your case....

 - Dmitry

> Thanks
> Vivek
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/