Has Silverblue achieved Verified Boot?


This is a great security feature in Android. It sounds an awful lot like Silverblue’s rpm-ostree in combination with Secure Boot.

At this point, what would be the difference between Verified Boot and Secure Boot + rpm-ostree? Is Verified Boot something that Silverblue is trying to achieve?

Mac OSX has something similar: About Startup Security Utility on a Mac with the Apple T2 Security Chip - Apple Support
and so does Windows with Win10 S mode: https://www.microsoft.com/en-us/windows/s-mode

Is there anything that the boot chain is missing in Silverblue at this point?

I believe Silverblue supports UEFI secure boot, but you may have trouble signing out-of-tree drivers and/or modules to work with it.

As far as I know, there is no easy way to get something similar to Android’s Verified Boot on Silverblue right now. This is a work in progress on several fronts (rpm-ostree with IMA/fsverity, Keylime, etc.), but note that due to the inherent freedom that Silverblue gives to administrator users on the system, it is much more difficult to get to the same level of security guarantees without sacrificing freedoms like Android does.