julian-klode/sicherboot

Does sicherboot sign the initrd?

vvug opened this issue · 1 comments

vvug commented

Hi,

One thing is not very clear to me: does sicherboot sign the initrd? If this is the case, this would be a big advantage over the "classic" setup where the initrd is not signed, as it allows an unencrypted /boot partition to hold only signed data. This data can then be used to unlock the root partition, possibly remotely, and by being signed we can be sure it has not been tampered with.

Yes, the kernel and initrd are combined in a single image which is then signed.
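
An added example, not part of the thread and not sicherboot's own code: a small PE header check that a combined EFI image holds both the kernel and the initrd as sections and carries an attached signature. The section names `.linux` and `.initrd` are an assumption based on the systemd EFI stub layout, and the sample image is constructed inline.

```python
import struct

# Section names assumed from the systemd EFI stub layout; the thread names none.
REQUIRED = {".linux", ".initrd"}

def inspect_image(data: bytes) -> dict:
    """Parse PE headers: section names plus the certificate table size."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]
    # Data directory 4 is the certificate table (Authenticode signatures).
    cert_size = struct.unpack_from("<I", data, dirs + 4 * 8 + 4)[0] if ndirs > 4 else 0
    table = opt + opt_size
    names = [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
             for i in range(nsections)]
    return {"sections": names, "cert_size": cert_size}

def initrd_covered_by_signature(data: bytes) -> bool:
    """True if kernel and initrd are sections of an image that carries a signature."""
    info = inspect_image(data)
    return REQUIRED <= set(info["sections"]) and info["cert_size"] > 0

def build_sample(sections, signed: bool) -> bytes:
    """Constructed, header-only PE32+ image for the demo (not bootable)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    if signed:
        struct.pack_into("<II", dirs, 4 * 8, 0x1000, 0x600)  # constructed offset/size
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in sections)
    return dos + coff + opt + bytes(dirs) + table

if __name__ == "__main__":
    combined = build_sample([".osrel", ".cmdline", ".linux", ".initrd"], signed=True)
    print(inspect_image(combined), initrd_covered_by_signature(combined))
```

A non-empty certificate table only shows that a signature is attached; validating it against the enrolled key is done by the firmware at boot, or offline with a tool such as `sbverify`.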