On Thu, Apr 11, 2013 at 5:55 PM, Vivek Goyal <vgo...@redhat.com> wrote: > On Thu, Apr 11, 2013 at 11:06:55AM +0300, Dmitry Kasatkin wrote: >> Hello, >> >> I respond to the original question of this thread. >> signed initramfs allows not only to add keys to the keyrings but perform >> other initialization, >> which requires user-space. >> Keys can be embedded into the kernel. This is fine. > > What other initialization user space need to do where we can't trust > root (even in secureboot mode). > > IOW, if keys can be embedded in kernel (or read from UEFI db and MOK db), > what other operation requires initramfs to be signed. It could very well > be unsigned initramfs like today. >
It looks like you do not hear me. I said that any user space initialization can be done from signed user space. For example IMA policy can be initialized. I see that you see your particular case and in that case you do not require that. That is fine. That is your case.... - Dmitry > Thanks > Vivek -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
