[PATCH 0/3] [V4] Add support for GPG signature enforcement on booted

Timothy Pearson tpearson at raptorengineering.com
Thu Aug 18 04:26:50 AEST 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/17/2016 04:40 AM, Nayna wrote:
> Thanks Timothy for quick response !!
> 
> Another basic question, mainly to understand..
> So, I understand that kernel/initramfs integrity is important, and
> signing is required, but what drives the need for encrypted
> kernel/initramfs.
> 
> What confidential information is possible via vmlinux ?

This feature is mainly intended for large scale enterprise deployments
where the root filesystem is not local to the node, and may in fact be
located over an insecure link or be susceptible to eavesdropping.  In
such situations, sensitive material may be required to set up secured
access to the root filesystem, for example:
 * Kerberos machine keys
 * IPSec pre-shared secrets

- -- 
Timothy Pearson
Raptor Engineering
+1 (415) 727-8645 (direct line)
+1 (512) 690-0200 (switchboard)
https://www.raptorengineering.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJXtKxkAAoJEK+E3vEXDOFbg08H/2dmqE0Q/N5iUKlBgQEuCoyn
Rh/uZj8uYQ+XS5o1besuoVK4ujounudBWhgBHzZ/Cr5uh5MAcJ9BS2YAciLFZm/0
zbDixcp/HexEGNpozOHb29XwcNctJ5eCBz4uXfnUmR/qa5yOapiH33uYYTMsxFs/
5C6vLa5tUf02O24HDd9Sm4ufkWn8iLhgvM3cyTsWhRZzYmfr7h3m3cpu3MIyPa7g
qV2/xnhUTsyFVqofAl2mtFogaU+y+GGi5hc0BQ1HBNxXnzz2oIKY8LFwAHIDs9Hf
bjLqK0K3YsxgZ7Ynjn36xrd+pHWVvM3qL22qXvQ32wnHYblnCjN10eK2co2lp58=
=6Ysi
-----END PGP SIGNATURE-----


More information about the Petitboot mailing list