Status of initrd in lanzaboote (Secure Boot)

I enabled Secure Boot using lanzaboote.
As shown in the start guide, the following is just as expected.

$ sudo sbctl verify
Verifying file database and EFI images in /boot...
✓ /boot/EFI/BOOT/BOOTX64.EFI is signed
✓ /boot/EFI/Linux/nixos-generation-1-specialisation-normal.efi is signed
✓ /boot/EFI/Linux/nixos-generation-1.efi is signed
✗ /boot/EFI/nixos/c2hrmh8j2xrqd641zydkqw7zbjjgjp8a-linux-6.1.74-bzImage.efi is not signed
✗ /boot/EFI/nixos/r2akw86b5k2xdkin5i563f38kqm9i9xc-linux-6.1.74-bzImage.efi is not signed
✓ /boot/EFI/systemd/systemd-bootx64.efi is signed
$ sudo bootctl status
# ...snip...
   Secure Boot: enabled (user)
  TPM2 Support: yes
  Boot into FW: supported
# ...snip...

But `sbctl verify` doesn’t show anything about *-initrd.efi.

$ sudo tree /boot
├── EFI
│   ├── BOOT
│   │   └── BOOTX64.EFI
│   ├── Linux
│   │   ├── nixos-generation-1.efi
│   │   └── nixos-generation-1-specialisation-normal.efi
│   ├── nixos
│   │   ├── c2hrmh8j2xrqd641zydkqw7zbjjgjp8a-linux-6.1.74-bzImage.efi
│   │   ├── j3z3q5xlj5lny4w0a4r7dv7k1wmx18xz-initrd-linux-6.1.74-initrd.efi
│   │   ├── khp65ghjphy0pkj206slmpng9qmv6w71-initrd-linux-6.1.74-initrd.efi
│   │   └── r2akw86b5k2xdkin5i563f38kqm9i9xc-linux-6.1.74-bzImage.efi
│   └── systemd
│       └── systemd-bootx64.efi
└── loader
    └── loader.conf
$ sudo sbctl verify /boot/EFI/nixos/j3z3q5xlj5lny4w0a4r7dv7k1wmx18xz-initrd-linux-6.1.74-initrd.efi
/boot/EFI/nixos/j3z3q5xlj5lny4w0a4r7dv7k1wmx18xz-initrd-linux-6.1.74-initrd.efi is not a valid EFI binary

I deleted all generations manually and cleared /boot before switching to lanzaboote. I am on 23.11 and using flakes.

I am a noob to Linux in general, and don’t know much about Secure Boot. So please help me understand this. :sweat_smile:

  1. Is *-initrd.efi signed/hashed?
  2. Or if not, can it be tampered without my knowledge?
  3. Am I doing something wrong here or misunderstanding something?

I apologise if this is not the right place to ask.
Btw thanks to the devs, it was very easy to setup :grinning:

The initrd is hashed, and its hash is embedded in and checked by the stub (nixos-generation-1.efi), so it cannot be tampered with. It’s just that sbctl cannot verify this because it only supports PE signatures.

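One way to check the claim above yourself, as an added example that is not part of the original thread and is not lanzaboote's own code: a small Python script that parses the PE section table of the generation stub, pulls out the section holding the expected initrd digest, and compares it with the SHA-256 of the initrd file as stored on the ESP. The section name `.initrdh` (and `.initrdp` for the initrd path) and the raw 32-byte SHA-256 format are assumptions about lanzaboote's stub layout, not facts stated in the thread; the stub and initrd built in `demo()` are constructed test data. The `is_pe` check also shows why `sbctl verify` rejects the initrd: it is a cpio archive with a `.efi` name, not a PE image.

```python
"""Check a lanzaboote-style stub against the initrd it points at.

Added example, not lanzaboote's own code. Assumptions (not stated on the
page): the stub is a PE image whose section named ".initrdh" holds the raw
32-byte SHA-256 of the initrd file as stored on the ESP.
"""
import hashlib
import hmac
import struct
import sys
from pathlib import Path

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")
HASH_SECTION = ".initrdh"  # assumed lanzaboote section name


def is_pe(image: bytes) -> bool:
    """True if image has an MZ header whose e_lfanew points at 'PE\\0\\0'.
    A cpio initrd renamed to .efi fails this, which is what sbctl reports
    as 'not a valid EFI binary'."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    return image[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def pe_sections(image: bytes) -> dict[str, bytes]:
    """Map section name -> raw file bytes for every section in a PE image."""
    if not is_pe(image):
        raise ValueError("not a PE image")
    coff = struct.unpack_from("<I", image, 0x3C)[0] + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = {}
    for i in range(nsections):
        name, vsize, _vaddr, rawsize, rawptr, *_ = SECTION_HEADER.unpack_from(
            image, table + i * SECTION_HEADER.size)
        # SizeOfRawData is padded to FileAlignment; VirtualSize is the real length.
        size = vsize if 0 < vsize < rawsize else rawsize
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = image[rawptr:rawptr + size]
    return sections


def embedded_initrd_hash(stub: bytes) -> bytes:
    """Return the SHA-256 the stub expects, read from its .initrdh section.
    Accepts the raw 32-byte digest (assumed format) or 64 hex characters."""
    blob = pe_sections(stub).get(HASH_SECTION)
    if blob is None:
        raise KeyError(f"stub has no {HASH_SECTION} section")
    if len(blob) >= 64:
        try:
            return bytes.fromhex(blob[:64].decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass  # not hex text, fall through to the raw-digest case
    if len(blob) >= 32:
        return blob[:32]
    raise ValueError(f"unexpected {HASH_SECTION} length {len(blob)}")


def verify_initrd_bytes(stub: bytes, initrd: bytes) -> bool:
    """True iff sha256(initrd) equals the digest embedded in the stub."""
    expected = embedded_initrd_hash(stub)
    return hmac.compare_digest(expected, hashlib.sha256(initrd).digest())


def verify_initrd(stub_path: str, initrd_path: str) -> bool:
    return verify_initrd_bytes(Path(stub_path).read_bytes(), Path(initrd_path).read_bytes())


def build_toy_pe(sections: dict[str, bytes]) -> bytes:
    """Constructed minimal PE image for the demo: DOS header, PE signature,
    COFF header with an empty optional header, section table, section data."""
    nsec = len(sections)
    e_lfanew = 0x40
    data_off = e_lfanew + 4 + 20 + nsec * SECTION_HEADER.size
    image = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew))
    image += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, nsec, 0, 0, 0, 0, 0x22)
    data = bytearray()
    for name, content in sections.items():
        off = data_off + len(data)
        image += SECTION_HEADER.pack(name.encode().ljust(8, b"\0"), len(content), off,
                                     len(content), off, 0, 0, 0, 0, 0x40000040)
        data += content
    return bytes(image + data)


def demo() -> tuple[bool, bool]:
    """Constructed stub + initrd: the intact initrd verifies, a one-byte tamper fails."""
    initrd = b"070701" + b"constructed toy initrd payload " * 8  # fake cpio-like data
    stub = build_toy_pe({
        ".osrel": b"NAME=NixOS\n",
        ".initrdp": b"\\EFI\\nixos\\toy-initrd.efi\0",  # assumed section name
        HASH_SECTION: hashlib.sha256(initrd).digest(),
    })
    return verify_initrd_bytes(stub, initrd), verify_initrd_bytes(stub, initrd + b"\0")


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print("initrd hash matches stub" if verify_initrd(*sys.argv[1:]) else "MISMATCH")
    else:
        print(demo())
```

Run it as `sudo python3 check_initrd.py /boot/EFI/Linux/nixos-generation-1.efi /boot/EFI/nixos/j3z3q5xlj5lny4w0a4r7dv7k1wmx18xz-initrd-linux-6.1.74-initrd.efi`; with no arguments it runs the constructed demo. Each stub embeds the digest of its own initrd only, so with two stubs and two initrds on the ESP you have to pair them correctly; under the same layout assumption, `pe_sections(stub)[".initrdp"]` shows which initrd path a given stub references. What the script does not prove is that the stub itself is trusted: that is the job of the PE signature that `sbctl verify` does check on `nixos-generation-1.efi`.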

Thanks, I found a related test in the repo.