From 3885f114a8d6d6e3641da83a0b45366c5777e825 Mon Sep 17 00:00:00 2001
From: Alois Wohlschlager
Date: Mon, 23 Jan 2023 13:52:24 +0100
Subject: [PATCH] Do not sign the kernel

Malicious boot loader specification entries could be used to make a signed kernel load arbitrary unprotected initrds. Since we do not want this, do not sign the kernel. This way, the only things allowed to boot are our UKI stubs, which do verify the initrd.
---
 rust/tool/src/install.rs | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/rust/tool/src/install.rs b/rust/tool/src/install.rs
index 33d2c59..4a9eaab 100644
--- a/rust/tool/src/install.rs
+++ b/rust/tool/src/install.rs
@@ -157,8 +157,8 @@ impl Installer {
 append_initrd_secrets(initrd_secrets_script, &initrd_location)?;
 }
 
- // The initrd doesn't need to be signed. The stub has its hash embedded and will refuse
- // loading it when the hash mismatches.
+ // The initrd and kernel don't need to be signed.
+ // The stub has their hashes embedded and will refuse loading on hash mismatches.
 //
 // The initrd and kernel are not forcibly installed because they are not built
 // reproducibly. Forcibly installing (i.e. overwriting) them is likely to break older
@@ -166,7 +166,9 @@ impl Installer {
 // will not match anymore.
 install(&initrd_location, &esp_gen_paths.initrd)
 .context("Failed to install initrd to ESP")?;
- install_signed(&self.key_pair, &bootspec.kernel, &esp_gen_paths.kernel)
+ // Do not sign the kernel.
+ // Boot loader specification could be used to make a signed kernel load an unprotected initrd.
+ install(&bootspec.kernel, &esp_gen_paths.kernel)
 .context("Failed to install kernel to ESP.")?;
 
 let lanzaboote_image = pe::lanzaboote_image(
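Review bot: The rewritten comment now asserts that the stub has the kernel's hash embedded and refuses to load it on mismatch, but neither this hunk nor the commit message shows a kernel hash check; the message only says the UKI stubs verify the initrd. If the stub does check the kernel hash, the comment should point the reader at where that happens so the claim is checkable; if it only checks the initrd, the sentence should be narrowed to `// The stub has the initrd's hash embedded and will refuse loading on hash mismatch.` and the kernel's protection stated separately. The enclosing method starts and ends outside the hunk.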
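Review bot: Replacing `install_signed` with `install(&bootspec.kernel, &esp_gen_paths.kernel)` stops signing kernels installed from now on, but the preceding comment says existing kernels on the ESP are deliberately not overwritten, so a kernel that an earlier run installed signed keeps its signature and stays usable by exactly the crafted boot loader specification entry the commit message describes. If `install` indeed skips files that already exist, the commit should say how previously signed kernels are retired (by the generation cleanup, or by a one-time re-install of unsigned copies); otherwise the fix does not reach already-deployed systems. The new comment's second line also reads better as `// Boot loader specification entries could be used to make a signed kernel load an unprotected initrd.`. The enclosing method starts and ends outside the hunk.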