| 21 Jun 2021 |
Foxboron | initramfs isn't actually protected by secure boot. But if you make a unified EFI image with initramfs+kernel it is. Hmmmm. Ahh this would be a cool feature | 08:43:33 |
Linux Hackerman | Oh right, yeah, just saw that in https://github.com/NixOS/nixpkgs/pull/53901/files#diff-14341d580318ebe4f2ce22e4fc94c02f6a56229cdc7ae939728628a47b9e6b39R144-R149 :) | 08:44:00 |
Foxboron | Make a separate initramfs with the key in kernel/x86/key/somecert.cert (this is what microcode does for early boot loading) which you can concat with microcode + initramfs. | 08:44:49 |
Foxboron | This is me theorizing what alternative key loading would look like fwiw | 08:45:32 |
| fgaz joined the room. | 10:05:45 |
baloo | 1486 out of 1486 (100.00%) paths in the minimal installation image are reproducible! | 12:48:25 |
baloo | In reply to @foxboron:archlinux.org: "initramfs isn't actually protected by secure boot. But if you make a unified EFI image with initramfs+kernel it is. Hmmmm. Ahh this would be a cool feature" That is pretty easy to do actually.
https://github.com/baloo/reproducibility-lab/tree/main/pkgs/uefi-bundle
I haven't worked on injecting the key from the secureboot but that does not sound impossible. | 13:32:28 |
baloo | Although if I might be pessimistic a bit. Not too sure all too many people have a practical use case for it | 13:33:46 |