Do not sign the kernel

Malicious boot loader specification entries could be used to make a
signed kernel load arbitrary unprotected initrds. Since we do not want
this, do not sign the kernel. This way, the only things allowed to boot
are our UKI stubs, which do verify the initrd.
Alois Wohlschlager 2023-01-23 13:52:24 +01:00
parent 7387c6708d
commit 3885f114a8
No known key found for this signature in database
GPG Key ID: E0F59EA5E5216914
1 changed files with 5 additions and 3 deletions


@ -157,8 +157,8 @@ impl Installer {
append_initrd_secrets(initrd_secrets_script, &initrd_location)?;
}
// The initrd doesn't need to be signed. The stub has its hash embedded and will refuse
// loading it when the hash mismatches.
// The initrd and kernel don't need to be signed.
// The stub has their hashes embedded and will refuse loading on hash mismatches.
//
// The initrd and kernel are not forcibly installed because they are not built
// reproducibly. Forcibly installing (i.e. overwriting) them is likely to break older
@ -166,7 +166,9 @@ impl Installer {
// will not match anymore.
install(&initrd_location, &esp_gen_paths.initrd)
.context("Failed to install initrd to ESP")?;
install_signed(&self.key_pair, &bootspec.kernel, &esp_gen_paths.kernel)
// Do not sign the kernel.
// Boot loader specification could be used to make a signed kernel load an unprotected initrd.
install(&bootspec.kernel, &esp_gen_paths.kernel)
.context("Failed to install kernel to ESP.")?;
let lanzaboote_image = pe::lanzaboote_image(
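Review bot: Switching to `install(&bootspec.kernel, &esp_gen_paths.kernel)` only changes what happens for kernels not yet on the ESP; if `install` is the non-overwriting copy that the comment a few lines above describes, a kernel placed there by an earlier run of `install_signed` keeps its signature and remains bootable through a crafted boot loader specification entry with any initrd, so the mitigation is incomplete on already-deployed systems until that file is replaced or garbage-collected. Consider detecting an existing signed copy at the kernel path and re-installing it unsigned, or at least recording the gap next to the new call: `// NOTE: kernels already installed (and signed) by earlier versions are left in place; they stay bootable via a crafted BLS entry until replaced.` The new comment would also be more precise as `// Boot loader specification entries could be used to make a signed kernel load an arbitrary, unverified initrd.` The error context `"Failed to install kernel to ESP."` differs from the initrd one above only by a trailing period; drop it for consistency. The enclosing `Installer` method begins and ends outside the hunk.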