Morten Linderud

Results 465 comments of Morten Linderud

So this is pretty much a first step. This can create two identical images if we build them twice in a short timeframe. The next goal would be to take...

For reproducing fedora installs I have submitted an issue at authselect as the files are not deterministic. https://github.com/authselect/authselect/issues/319

We could also issue a warning if we find `/var` mounted when using the `--reproducible` switch? The issue here (I think) is balancing this so we don't end up having...

I can carve it out of this PR? We could also say that `--zero-mtime` is implied with `--reproducible`

>Edit: I realised that TPM support in the roadmap probably means that secrets will be sealed inside the TPM. Password protected keys are still interesting though. I was about to...

I wrote a very bare bones TPM UEFI signing thing last year as a quick demonstration. https://github.com/Foxboron/go-uefi/blob/morten/tpm/cmd/gotpm/main.go The main issue on my end is to get the time to implement...

>I understand perfectly. Secure boot protects against unsigned kernel drivers, but protecting the bootloader after boot is probably not part of the threat model.

This is partially a misconception, actually....

Use the Unified Kernel Image support in either `mkinitcpio` or `dracut` instead of `sbctl` I think. I'm not sure if I'll implement support for multiple initrds beyond the current switches.

You need to re-enable secure boot after enrolling it with setup mode.