Bug#826045: systemd: New kernels are not booted

Julian Andres Klode jak at debian.org
Mon Dec 5 14:39:00 GMT 2016


On Mon, Dec 05, 2016 at 02:14:15PM +0100, Andre Heider wrote:
> Hi,
> 
> I just ran into this again and had a look around:
> The systemd tool kernel-install(8) is already installed and appears to
> be working just fine.
> 
> Its "add" mode copies Debian's kernel/initrd to the ESP and adds a
> boot loader entry, which boots just fine.
> Its "remove" mode cleans up the copied/created files from the "add" mode.
> 
> It appears there're just a few trivial /etc/kernel/?.d wrapper scripts missing?

Yes. Well, not missing, but rather left out on purpose. systemd
can't just start installing bootloader _integration_, that would
be weird.

I wrote sicherboot, which is a nice integration with systemd-boot,
but does not allow using the existing kernel images - it combines
the kernel and the initramfs into one image which it installs into
the ESP so UEFI can verify both parts (somewhat useful to reduce
the chance someone tampered with your device if you are running
full disk encryption). That said, it also works without secure
boot - just don't do the enrollment steps.

I wish we could combine things in a way to verify both signatures
- the original kernel one, and a combined one. That would be nice. Or
well, just verification of the initramfs.

kernel-install also is a fairly primitive tool that is not very
flexible and only supports very simple use cases (sicherboot as
well for now, but open for further features - like multiple ESPs
for RAID-1 mirror booting).

-- 
Debian Developer - deb.li/jak | jak-linux.org - free software dev
                  |  Ubuntu Core Developer |
When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to ('inline').  Thank you.
