I have been looking at measuring the boot binaries from a bootc container image, in order to pre-calculate TPM PCR9 expected values, maybe even PCR8 (but that one is trickier because of variable expansion in grub...). i.e. if we look at the binary bios measurement log we find that the following files were measured by grub:
I hoped we could extract those files from a bootc container image. When I mounted an image, I couldn't find any files in the boot directory. By looking at https://github.com/containers/bootc/blob/main/lib/src/bootloader.rs it seems like this is handled by https://github.com/coreos/bootupd (thanks @cgwalters for writing this, and #491 in addition). Where can I find technical details about how bootupd assembles the boot and EFI partitions? (I'll start by looking a little bit more at the project.) For now... I am creating a small experiment, by converting the container to a qcow2 image, and using guestmount to extract the contents.
One big help here is that bootupd emphasizes fully static grub config files. However, I am sure there are likely to be some things that may need changing here, because e.g.
That filename is in the general case dynamic, derived from what the boot ordering is. Very specifically, if one chooses the previous bootloader entry, then this will appear as e.g. ostree-2 and change the measurement. In some cases that may be desirable, i.e. it's a kind of rollback protection.
Also the contents of this one are by default intentionally specific to the installed system; the bootuuid is randomized by default.
This checksum includes the kernel/initrd state so we can pre-calculate it, but probably ultimately we should get away from having checksums of things in /boot.
As for the multiple options and roll-backs, I guess we can calculate a set of valid combinations (having booted from first, or rollback option...)
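As an added illustration of the "set of valid combinations" idea in the reply above (example code, not from bootc or bootupd): replay grub's PCR9 file measurements once per valid boot ordering and have the attestation policy accept the whole resulting set rather than only the default path. The file paths and contents below are constructed stand-ins; the chaining is the TPM2 PCR extend rule on the SHA-256 bank.

```python
import hashlib

SHA256_ZERO = bytes(32)  # SHA-256 bank PCRs start as 32 zero bytes at power-on

def file_digest(content: bytes) -> bytes:
    """grub measures a file by hashing its full contents."""
    return hashlib.sha256(content).digest()

def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend on the SHA-256 bank: new = SHA256(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()

def replay_pcr9(measured_files) -> bytes:
    """Replay PCR9 from the (path, content) pairs grub reads, in read order.
    Only the content reaches the PCR; the path is event-log metadata."""
    pcr = SHA256_ZERO
    for _path, content in measured_files:
        pcr = pcr_extend(pcr, file_digest(content))
    return pcr

# Constructed stand-in contents and paths; not real bootc/bootupd artifacts.
STATIC_CFG = b"# fully static grub.cfg\nblscfg\n"
ENTRY_A = b"title deploy-A\nlinux /vmlinuz-A\n"
ENTRY_B = b"title deploy-B\nlinux /vmlinuz-B\n"
KERNEL_A, KERNEL_B = b"<kernel A image>", b"<kernel B image>"

# One measured-file list per valid boot ordering: the static config is shared,
# the BLS entry actually chosen (ostree-1 vs ostree-2) and its kernel differ.
BOOT_PATHS = {
    "default": [("/boot/grub2/grub.cfg", STATIC_CFG),
                ("/boot/loader/entries/ostree-1.conf", ENTRY_A),
                ("/boot/vmlinuz-A", KERNEL_A)],
    "rollback": [("/boot/grub2/grub.cfg", STATIC_CFG),
                 ("/boot/loader/entries/ostree-2.conf", ENTRY_B),
                 ("/boot/vmlinuz-B", KERNEL_B)],
}

def expected_pcr9_values(boot_paths=BOOT_PATHS) -> dict:
    """Map each valid ordering to the PCR9 hex value it produces; a policy
    should accept this whole set, not just the default path."""
    return {name: replay_pcr9(files).hex() for name, files in boot_paths.items()}

def classify_pcr9(pcr9_hex: str, boot_paths=BOOT_PATHS):
    """Name the ordering a quoted PCR9 matches, or None if it matches none
    (unexpected file contents, or a different read order)."""
    for name, value in expected_pcr9_values(boot_paths).items():
        if value == pcr9_hex:
            return name
    return None
```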