Let me know if I have understood.
I install openbsd and I use signify to check if the kernel from the iso is trusted. Then during the installation is create a new kernel with its digest.
Then at every boot the kernel create a sha256 digest for the next boot and every boot check the digest created before. If something was been altered I see it in the console during the boot.
The digest of the running kernel is in /var/db/kernel.SHA256
and the digest of the next boot where is ?
An other question: can an attacker create a new relinked kernel with its digest ?
|