Closed Joseph-DiGiovanni closed 6 months ago
How about also adding an initcpio hook? That way it is almost guaranteed to call sbctl every time the kernel gets rebuilt, regardless of what triggered it (or if the users themselves triggered it and forgot that they have to sign the kernel too, *not me*).
Also see #218
At that point I'd rather just deprecate the pacman hook and replace with kernel-install or mkinitcpio hooks.
It doesn't hurt to have it. I kinda like having the "double protection" of two independent hooks making sure that the image is really signed. But yea, the pacman one is then basically completely useless...
I agree the mkinitcpio post hook is the way to go. However, I think the best solution is to just keep the sign-all command from the pacman hook rather than the hook making assumptions about what files should be signed.
This should close #263 and #218.
Actually, I realized this would be a bad idea, maybe.
We do sign more than just the initrd, namely things like sd-boot and fwupdmgr. And I'm not sure if signing those as part of a post-hook in mkinitcpio makes sense?
Good point. So we should keep both. For the sake of not breaking anything we should keep it as is with the exception of the usr/lib/initcpio/* target and my other additions. It will attempt to sign twice most of the time but this is preferable to not signing at all.
And I'm not sure if signing those as part of a post-hook in mkinitcpio makes sense?
It doesn't hurt and sbctl noops already if these files are already signed.
I'd still say it is better to have a potentially useless pacman hook in addition to the initcpio one than risking a non-bootable system because of unforeseen circumstances...
Thanks!
Initrd is rebuilt when a DKMS module or firmware package is installed or updated as of these commits to mkinitcpio: https://gitlab.archlinux.org/archlinux/mkinitcpio/mkinitcpio/-/commit/aff81712789b9f2c1664fe1cfb5c1ecdbc5c993b https://gitlab.archlinux.org/archlinux/mkinitcpio/mkinitcpio/-/commit/3576b03d29420ccd1913eaa18c7f8950e7de3103
Without this change, images created by mkinitcpio will not be automatically signed for secure boot in the events mentioned above.
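The mkinitcpio post hook discussed in this thread, written out as an added example that is not sbctl's own hook script. It assumes (my assumption, not stated in the thread) that mkinitcpio calls post-hook scripts as `script <kernel-version> <image-path> [<kernel-path>]`, and that `sbctl verify FILE` exits non-zero for an unsigned file; `sbctl sign -s` is sbctl's real save-and-sign invocation.

```shell
#!/usr/bin/env bash
# Added example of a mkinitcpio post hook (e.g. /usr/lib/initcpio/post/sbctl)
# that signs the freshly built initrd and the kernel with sbctl.
# Assumed argument layout: $1 kernel version, $2 image path, $3 kernel path.
set -u

# sign_if_needed FILE
# Exit status: 0 = signed (or already was), 1 = signing failed, 2 = no such file.
sign_if_needed() {
    local file="$1"
    [ -f "$file" ] || return 2
    # Assumption: 'sbctl verify' exits 0 only when FILE carries a valid
    # signature. In that case 'sbctl sign' would be a no-op anyway, so skip it.
    if sbctl verify "$file" >/dev/null 2>&1; then
        return 0
    fi
    # -s records FILE in sbctl's database, so the pacman hook's 'sbctl sign-all'
    # keeps covering it on later rebuilds as well (the "double protection").
    sbctl sign -s "$file" >/dev/null 2>&1 || return 1
}

# hook_main KERNELVERSION IMAGE [KERNEL]
# Signs every path given; returns 1 if any signing attempt failed, else 0.
hook_main() {
    local image="${2:-}" kernel="${3:-}" rc=0 f
    for f in "$image" "$kernel"; do
        [ -n "$f" ] || continue
        if sign_if_needed "$f"; then
            continue
        elif [ $? -eq 1 ]; then
            printf '==> WARNING: sbctl failed to sign %s\n' "$f" >&2
            rc=1
        fi
        # status 2 (file missing) is silently ignored: nothing to sign.
    done
    return "$rc"
}

hook_main "$@"
```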