by transpute 659 days ago
If you're interested in this topic, the 5th "System Boot and Security" LPC microconference is on Sep 18, https://lpc.events/event/18/sessions/201/#20240918

  Developing trustworthy Linux-based systems in an open-source way
  Common git repo for hosting Boot-firmware
  Accelerating Linux Kernel Boot-Up for Large Multi-Core Systems
  Leveraging and managing SBAT revocation mechanism on distribution level
  Using U-boot as a UEFI payload
  Measured Boot, Secure Attestation & co, with systemd
  Secure Launch - DRTM solution on Arm platforms
  no more bootloader: please use the kernel instead
  OF != UEFI

> no more bootloader: please use the kernel instead

This had a post on HN before and I didn't find the arguments terribly compelling. I'm curious what security advantages they might be able to say exist though.

IIRC from a presentation, the main point behind NMBL is to not reimplement an entire OS in the bootloader like GRUB. Instead you should use the kernel with an initrd and kexec if you wanna boot into a different kernel. That way you only really need to take care of the existing kernel and userspace security.

The problem with that is that it starts to muddy the TPM PCRs (read: makes the PCRs that should be predictable not predictable) if the kernel gets kexec'd, and it just makes the boot process needlessly more complicated. Not to mention that when the kernel/initrd fails to boot you are kinda SOL, since you can't really do any meaningful boot count logic if it fails, as it could even be a faulty kernel that never reaches the initrd.

I also haven't been able to be convinced that NMBL is better than a simple EFI bootloader that chainloads a kernel.
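A worked illustration of the PCR point raised in the comment above, added here as an example; it is not code from the thread or from the NMBL project. It simulates SHA-256 PCR extension the way TPM 2.0 does it (PCR_new = H(PCR_old || digest)) over two constructed event logs: one where firmware boots the target kernel B directly, and one where firmware boots an NMBL-style kernel A whose initrd then kexecs kernel B. The event names, the measured blobs and the assumption that the kexec'd kernel and initrd get measured into the same PCR at all are stand-ins (whether a real kexec records anything in a PCR depends on the kernel's IMA and kexec configuration, which this does not model). The point it shows is that any extra extend steps change the final value, so a secret sealed to the direct-boot value will not unseal after a kexec chain, and a second kexec of the same kernel B changes the value yet again.

```python
import hashlib

PCR_SIZE = 32  # one PCR in the SHA-256 bank


def measure(data: bytes) -> bytes:
    """Digest of a measured object, as it would be recorded in the event log."""
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend for the SHA-256 bank: PCR_new = H(PCR_old || digest).

    Extend is order-sensitive and not idempotent: repeating the same
    measurement produces a different value, which is the whole point below.
    """
    assert len(pcr) == PCR_SIZE and len(digest) == PCR_SIZE
    return hashlib.sha256(pcr + digest).digest()


def replay(event_log):
    """Replay an ordered event log into a single PCR, starting from all zeros
    (the reset value of a resettable PCR). Returns the final PCR value."""
    pcr = bytes(PCR_SIZE)
    for _name, data in event_log:
        pcr = extend(pcr, measure(data))
    return pcr


def policy_allows(expected_pcr: bytes, event_log) -> bool:
    """A sealing policy bound to one PCR value: unseal succeeds only if the
    replayed boot chain lands on exactly the expected value."""
    return replay(event_log) == expected_pcr


# Constructed stand-ins for the objects that would really be measured.
SHIM = b"shim.efi (constructed)"
KERNEL_A = b"vmlinuz-A: the NMBL-style first-stage kernel (constructed)"
INITRD_A = b"initrd-A: userspace that picks a kernel and kexecs it (constructed)"
KERNEL_B = b"vmlinuz-B: the kernel we actually want to run (constructed)"
INITRD_B = b"initrd-B (constructed)"

# Chain 1: firmware measures shim, then kernel B and its initrd, and boots it.
DIRECT_BOOT = [
    ("fw:shim", SHIM),
    ("fw:kernel", KERNEL_B),
    ("fw:initrd", INITRD_B),
]

# Chain 2: firmware boots kernel A, and A's initrd kexecs kernel B.
# Assumption: the kexec path measures the new kernel and initrd into the same PCR.
KEXEC_BOOT = [
    ("fw:shim", SHIM),
    ("fw:kernel", KERNEL_A),
    ("fw:initrd", INITRD_A),
    ("kexec:kernel", KERNEL_B),
    ("kexec:initrd", INITRD_B),
]

# Chain 3: the same as chain 2, but userspace kexecs kernel B a second time
# (for instance after a failed first attempt). Same software, different PCR.
DOUBLE_KEXEC_BOOT = KEXEC_BOOT + [
    ("kexec:kernel", KERNEL_B),
    ("kexec:initrd", INITRD_B),
]


def compare_chains():
    """Return the three final PCR values, hex-encoded, for inspection."""
    return {
        "direct": replay(DIRECT_BOOT).hex(),
        "kexec": replay(KEXEC_BOOT).hex(),
        "double_kexec": replay(DOUBLE_KEXEC_BOOT).hex(),
    }


if __name__ == "__main__":
    sealed_to = replay(DIRECT_BOOT)  # what an installer would seal against
    for name, log in (("direct", DIRECT_BOOT), ("kexec", KEXEC_BOOT),
                      ("double_kexec", DOUBLE_KEXEC_BOOT)):
        print(f"{name:13s} PCR={replay(log).hex()[:16]}... "
              f"unseal={'ok' if policy_allows(sealed_to, log) else 'DENIED'}")
```

The same chain replayed twice always gives the same value, so a fixed chain is perfectly predictable; it is the variable number and order of extend operations in a kexec-based design that makes the final value hard to pre-compute for sealing or remote attestation.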

The last two paragraphs are my thoughts exactly. NMBL acts like it's solving a problem but I just see it creating more.