Brussels / 3 & 4 February 2024


UKIs, TPMs, immutable initrds and full disk encryption – What Distributions Should Keep in Mind when Hopping onto the System Integrity Train

Traditional Linux support for an integrity-protected boot process has been relatively weak. Beyond the minimum effort to provide basic Secure Boot compatibility, most distributions haven't (yet) delivered tangible benefits to users. In this talk I'd like to give an overview on how distributions can reasonably jump on the system integrity train, which makes the boot process and OS reasonably resistant to offline attacks, and allows them to catch up with similar functionality that other commercial OSes have already been providing for a while.

This talk will be from a systemd perspective, and focus on the various OS integrity components we now provide, and how to put them together, with a focus on keeping things nicely generic, democratic, and modular without compromising security.

Specifically, we'll touch on immutable initrds, UKIs, full disk encryption policies, TPM, Measured Boot vs. Secure Boot, and more.

Lennart Poettering