initrd with verified boot Developer

  • Last Update:2021-02-22
  • Version:001
  • Language:en


  • Task:initrd with verified boot Developer
  • Preferred location:Lille (remote possible)
  • Type:Internship or contract
  • Function:Developer
  • Duration:3-6+ Months/Permanent
  • Reference:Offer-2021-Initred-Verified-Boot

Nexedi offers internships for students or future engineers interested in open source software with possible employment at the end of the internship. The content of each internship is adapted to each personality and to the duration of the internship.

These internship topics can also be the first mission when hiring a confirmed developer on a permanent contract who is already heavily involved in the field of open source software.

For this position, we propose to extend the Debian initrd system to have a restricted form of secure boot or verified boot. The purpose of a verified boot is to ensure that the operating system running on a server, PC or smartphone is the one that is supposed to run and not something else (and not for example a rogue system including a rootkit or botnet).

The notion of verified boot has been massively and successfully deployed in consumer computing with ChromeOS. The MIT article "Security of Google Chromebook" provides a quick overview of what a secure and verified (and free) boot system can be.

There are already several projects around secure booting under Debian :

However, none of these solutions provides a simple answer to the question: is what is running on my Debian what is supposed to be running? In other words, who's to say that the ls and sha commands haven't been modified so that ls modifies the filesystem and sha doesn't allow me to calculate the hash of ls? If 'fs-verity' comes close to a solution, it means using a Debian in read-only mode, which is not practical if you want to be able to perform hot incremental updates with apt (and not with an embedded Elbe build system). As for Tripwire, if it is executed outside the initrd, how can you be sure that it has not been altered?

We therefore propose to improve the Debian initrd generator so that, during the boot process, a utility integrated in the initrd performs an analysis of the filesystem and compares the list of files or their hash to a pre-established list of values. In case of non-conformity, a central system is notified.

A first prototype in the form of a UEFI application has been made from Dracut. A first scan utility has been written in Rust, golang and Cython+ in order to compare the advantages of each language in an initrd.

It now remains to deploy this prototype on a significant set of servers in the Rapid.Space cloud and then to extend it according to the results obtained.

This course allows to develop or reinforce strong skills in the field of GNU/Linux operating systems, security and the process of starting an operating system. These skills can then be useful either in the cloud or in the field of embedded computing. A research dimension can also be envisaged around security aspects.

About Nexedi:

Nexedi is (probably) the leading European open source software publisher with a portfolio of open source technologies of more than 15 million lines of code. Nexedi's open source software makes it possible to do without any dependence on GAFAM in the field of enterprise computing.


Liste des principaux logiciels libres de Nexedi


We have a zen office with adjacent appartment for remote workers visiting. Office perks include, rubbber ducks to pose your questions, trips to development sprints, office barbecue, quality sustainable coffee and hand-picked tea from our Japanese and Chinese colleagues plus all kind of French tickets we qualify for (Resto, Cadeaux, Wiismile).


We would be happy to hear from you, so drop us a line (along with your CV) at jobs(at) and we will get in touch with you.

Nexedi SA
147 Rue de Ballon
59110 La Madeleine

Phone+33 629 02 44 25