Integrity verification against external source
It adds support for comparing the airootfs signature against a backup file eventually put on an external device, for example on an integrity dongle.
The signature file can be specified using the sigdevice kernel parameter, using the same syntax as the one for the cryptdevice parameter in the encrypt module, i.e.
sigdevice="UUID=<UUID>:<fs_type>:<file_path>"
This same feature is provided by the encrypt hook in cryptsetup-sigfile (AUR) when the root file system is encrypted because it would be pointless to verify the signature after having tried to unlock a potentially malicious image.
Notes: this branch is based on !25 (closed).
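
The parameter handling described above, sketched as an added example in POSIX sh; it is not code from this branch or from archiso. The function names, return codes and sample values are hypothetical, and the external device is assumed to be already mounted at the directory passed in.

```sh
#!/bin/sh
# Added illustration: hypothetical helper names, constructed sample values.

# Print the value of the last sigdevice= word on a kernel command line.
sigdevice_from_cmdline() {
    found=
    set -f                              # no globbing while word-splitting
    for word in $1; do
        case "$word" in sigdevice=*) found=${word#sigdevice=} ;; esac
    done
    set +f
    found=${found#\"}; found=${found%\"}   # drop the optional quotes
    [ -n "$found" ] && printf '%s\n' "$found"
}

# Split "<device>:<fs_type>:<file_path>" into sig_dev, sig_fs, sig_path.
parse_sigdevice() {
    sig_dev= sig_fs= sig_path=
    case "$1" in *:*:*) ;; *) return 1 ;; esac   # need three fields
    sig_dev=${1%%:*}
    rest=${1#*:}
    sig_fs=${rest%%:*}
    sig_path=${rest#*:}                 # later ':' stay part of the path
    [ -n "$sig_dev" ] && [ -n "$sig_fs" ] && [ -n "$sig_path" ] || return 1
    # Refuse paths that would climb out of the mounted device.
    case "$sig_path" in */../*|*/..|../*|..) return 1 ;; esac
    return 0
}

# True only if both signature files are non-empty and byte-identical.
sig_matches() {
    [ -s "$1" ] && [ -s "$2" ] && cmp -s "$1" "$2"
}

# $1 = kernel command line, $2 = signature shipped beside the image,
# $3 = mount point of the external device.
# Returns 0 match, 1 mismatch or missing file, 2 no sigdevice, 3 malformed.
check_external_sig() {
    val=$(sigdevice_from_cmdline "$1") || return 2
    parse_sigdevice "$val" || return 3
    sig_matches "$2" "$3/${sig_path#/}" || return 1
}

# Constructed sample value, parsed and echoed back.
parse_sigdevice "UUID=1234-ABCD:vfat:/sigs/airootfs.sfs.sig" &&
    echo "device=$sig_dev fs=$sig_fs path=$sig_path"
```

A missing or empty backup file is reported as a mismatch rather than skipped, so removing the dongle does not silently pass the check.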