Sep 12 – 14, 2022
Europe/Dublin timezone

Towards Secure Unified Kernel Images for Generic Linux Distributions and Everyone Else

Sep 12, 2022, 5:00 PM
"Meeting 1&2" (Clayton Hotel on Burlington Road)


Service Management and systemd MC


Lennart Poettering


In this talk we'll have a look at:

  • systemd-stub (the UEFI stub for the Linux kernel shipped with systemd)
  • unified kernels (i.e. kernel images glued together from systemd-stub, the kernel itself, an initrd, and more)
  • systemd-sysext (an extension mechanism for initrd images and OS images)
  • systemd service credentials (a secure way to pass authenticated and encrypted bits of information to services, possibly stored on untrusted media)
  • systemd's Verity support (i.e. setup logic for file system images authenticated by the kernel on IO, via dm-verity)
  • systemd's TPM2 support (i.e. ability to lock credentials or disks to TPM2 devices and software state)
  • systemd's LUKS support (i.e. ability to encrypt disks, possibly locked to TPM2)

All of this is with the goal of providing a conceptual framework for implementing simple unified kernel images that are immutable, yet extensible and parameterizable, are fully authenticated and measured, and allow binding the root fs encryption or Verity to them in a reasonably manageable way.

The intention is to show a path for generic distributions to make use of UEFI SecureBoot and actually provide useful features for a trusted boot, putting them closer to competing OSes such as Windows, macOS and ChromeOS, without losing too much of the generic character of the classic Linux distributions.


Primary author

Lennart Poettering
