Authenticated Boot and Disk Encryption on Linux

http://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html

There’s something I don’t understand about the initrd extensions idea:

> Now what’s particularly nice about them in this context we are talking about here is that the extension images may carry dm-verity authentication data, and PKCS#7 signatures

Who is creating these signatures? Isn’t the whole point that the vendor doesn’t have to sign every possible initrd configuration (since that’s essentially impossible)?

EDIT: Oh I think I see. The extensions are host agnostic things signed by vendors, and host specific details are provided by the “parameters” thing, which is TPM encrypted. So you just install the extensions you need and configure encrypted parameters. Still, this does mean you can’t make arbitrary initrd functionality; you can only use the extensions blessed by the vendor.


I am all for all the suggestions proposed there. What needs to happen first to get NixOS ready for this? Proper Secure Boot support I suppose. Then what?
