-
Notifications
You must be signed in to change notification settings - Fork 71
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ensure file signing hook is run when initrd is rebuilt #271
Conversation
Initrd is rebuilt when a DKMS module or firmware package is installed as of these commits to mkinitcpio: https://gitlab.archlinux.org/archlinux/mkinitcpio/mkinitcpio/-/commit/aff81712789b9f2c1664fe1cfb5c1ecdbc5c993b https://gitlab.archlinux.org/archlinux/mkinitcpio/mkinitcpio/-/commit/3576b03d29420ccd1913eaa18c7f8950e7de3103
How about also adding an initcpio hook? That way it it almost guaranteed to call sbctl every time when the kernel gets rebuilt. Regardless what triggered it (or if the user itself triggered it and forgot that they have to sign the kernel too, *not me*) Also see #218 |
At that point I'd rather just deprecate the pacman hook and replace with kernel-install or mkinitcpio hooks. |
It doesn't hurt to have it. I kinda like have the "double protection" of two independent hooks making sure that the image is really signed. But yea, the pacman one is then basically completely useless... |
Actually, I realized this would be a bad idea, maybe. We do sign more then just the initrd. Namely things like |
Good point. So we should keep both. For the sake of not breaking anything we should keep it as is with the exception of the usr/lib/initcpio/* target and my other additions. It will attempt to sign twice most of the time but this is preferable to not signing at all. |
It doesn't hurt and sbctl noops already if these files are already signed. I'd say still stick with it is better to have a potentially useless pacman hook in addition to the initcpio one than risking a non bootable system because of unforeseen circumstances.... |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
Co-authored-by: Morten Linderud <morten@linderud.pw>
Thanks! |
Initrd is rebuilt when a DKMS module or firmware package is installed or updated as of these commits to mkinitcpio: https://gitlab.archlinux.org/archlinux/mkinitcpio/mkinitcpio/-/commit/aff81712789b9f2c1664fe1cfb5c1ecdbc5c993b https://gitlab.archlinux.org/archlinux/mkinitcpio/mkinitcpio/-/commit/3576b03d29420ccd1913eaa18c7f8950e7de3103
Without this change, images created by mkinitcpio will not be automatically signed for secure boot in the events mentioned above.