
Ideally signing and enrolling in the UEFI the key to a signed Unified Kernel Image (UKI) makes more sense: only having SecureBoot verifying the kernel is okay'ish (and it does work: I tried modifying a single bit from my kernel and the UEFI refused to boot it) but it's not that great if the attacker can still modify the initrd etc.




Indeed, that is what the parent is referring to when they say this:

> Ideally signing and enrolling in the UEFI the key to a signed Unified Kernel Image (UKI) makes more sense

(It's much more useful to have a link to it, so thank you!)
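As an added example (not code from either commenter), the sketch below checks whether a PE image embeds the initrd and command line as sections and carries an Authenticode certificate table, which is what lets one Secure Boot signature cover more than the kernel. The section names `.linux`, `.initrd` and `.cmdline` are assumed from systemd's UKI layout, the function names are hypothetical, and the sample images are constructed, headers-only stand-ins.

```python
import struct

# Section names assumed from systemd's UKI layout; they are not given in the thread.
EXPECTED = (".linux", ".initrd", ".cmdline")

def parse_pe(data: bytes):
    """Return (section_names, has_cert_table) for a PE/COFF image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    # Data directories start 96 bytes (PE32) or 112 bytes (PE32+) into the optional header.
    dir_base = {0x10B: 96, 0x20B: 112}.get(magic)
    if dir_base is None:
        raise ValueError("unknown optional header magic")
    ndirs, = struct.unpack_from("<I", data, opt + dir_base - 4)
    cert_size = 0
    if ndirs > 4:  # directory index 4 is the certificate (Authenticode) table
        _, cert_size = struct.unpack_from("<II", data, opt + dir_base + 4 * 8)
    table = opt + opt_size
    names = [data[table + 40 * i: table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
             for i in range(nsections)]
    return names, cert_size > 0

def audit_uki(data: bytes) -> dict:
    """Report whether a signature on this image would also cover an embedded initrd."""
    names, signed = parse_pe(data)
    # A certificate table being present is not proof that the signature verifies.
    return {"signed": signed,
            "missing": [s for s in EXPECTED if s not in names],
            "covers_initrd": signed and ".initrd" in names}

def build_sample(sections, cert_size=0):
    """Constructed headers-only PE32+ image for the demo (no real payloads)."""
    opt = bytearray(112 + 16 * 8)  # optional header followed by 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)
    struct.pack_into("<II", opt, 112 + 4 * 8, 0x1000, cert_size)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0)
    table = b"".join(n.encode().ljust(40, b"\0") for n in sections)
    return b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt) + table

if __name__ == "__main__":
    print(audit_uki(build_sample([".text", ".data"], cert_size=0x500)))  # signed kernel, separate initrd
    print(audit_uki(build_sample([".osrel", ".cmdline", ".linux", ".initrd"], cert_size=0x500)))
```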



