Bug#836867: ITP: sicherboot -- Installs systemd-boot and kernels to ESP, signed for secure boot

Julian Andres Klode jak at debian.org
Tue Sep 6 17:23:46 BST 2016

Package: wnpp
Severity: wishlist
Owner: Julian Andres Klode <jak at debian.org>

* Package name    : sicherboot
  Version         : 0.1.0
  Upstream Author : Julian Andres Klode <jak at jak-linux.org>
* URL             : https://github.com/julian-klode/sicherboot
* License         : MIT
  Programming Lang: Shell
  Description     : Installs systemd-boot and kernels to ESP, signed for secure boot

 sicherboot manages kernels and systemd-boot on a secure boot
 machine. It installs kernels and systemd-boot, generates signing keys to
 enroll in the machine, and signs the kernels and the bootloader with it.
 The keys used to sign the UEFI binaries are located in /var/lib. If /var/lib
 is not encrypted, the whole setup is unsafe: One of the files generated is
 rm_PK.auth, which, when written to UEFI, reverts the system to setup mode
 where no checks are performed.
 Currently, the package only supports amd64 architecture. It also has to
 divert the /etc/kernel/postinst.d/dracut file and replace it with its
 own file that calls the diverted one and updates the ESP afterwards, as
 dracut does not support any form of hooks.
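The divert-and-wrap arrangement described in the last sentence, written out as an added example (this is not sicherboot's own hook script). It assumes the original dracut hook has been moved by dpkg-divert to /etc/kernel/postinst.d/dracut.distrib and that the ESP is refreshed by a hypothetical `sicherboot install` command; both are overridable so the hook can be exercised against a temporary directory.

```sh
#!/bin/sh
# Added example of a replacement /etc/kernel/postinst.d/dracut: run the
# diverted original first (so the initramfs exists), then refresh the ESP.
set -e

# Where dpkg-divert placed the original hook (assumption; overridable).
: "${DIVERTED:=/etc/kernel/postinst.d/dracut.distrib}"
# Command that copies and signs the kernel into the ESP (hypothetical name).
: "${ESP_UPDATE:=sicherboot install}"

# Kernel postinst hooks receive: $1 = kernel version, $2 = kernel image path.
run_hook() {
    version=$1
    image=$2
    # Call the diverted dracut hook with the same arguments we were given.
    if [ -x "$DIVERTED" ]; then
        "$DIVERTED" "$version" "$image"
    fi
    # Only now is the initramfs for $version in place; update the ESP.
    # $ESP_UPDATE is left unquoted on purpose so a multi-word command splits.
    $ESP_UPDATE "$version"
}

# Behave as a normal kernel hook when invoked with arguments.
if [ "$#" -gt 0 ]; then
    run_hook "$@"
fi
```

Ordering is the whole point: if the ESP update ran before the diverted hook, it would sign and copy a kernel whose initramfs does not exist yet.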

Lifting the amd64 restriction requires a bit more work: Triggers
need to be adjusted and the correct EFI binaries need to be found
at run time (for the EFI stub which allows us to merge a kernel
with an initramfs).
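To make the key-handling caveat from the description and the EFI-stub merge concrete, here is an added example (not sicherboot's code) of the pieces a setup like this consists of: a check that the signing-key directory is not readable by other users and that rm_PK.auth is noticed, the objcopy invocation that merges kernel, initramfs, command line and os-release into one binary using the systemd stub, and sbsign/sbverify for signing and checking. The key directory /var/lib/sicherboot, the stub path, and the db.key/db.crt file names are assumptions.

```sh
#!/bin/sh
# Added example: helpers for a self-signed secure boot chain of the kind
# described above. Paths below are assumptions, not sicherboot's layout.
set -e

KEYDIR=${KEYDIR:-/var/lib/sicherboot}                  # hypothetical key dir
STUB=${STUB:-/usr/lib/systemd/boot/efi/linuxx64.efi.stub}  # systemd EFI stub

# Succeed only if the key directory exists, holds db.key and db.crt, and
# grants no permission bits to group or other. The group/other columns of
# "ls -ld" are characters 5-10 of the mode string, e.g. "drwx------".
check_key_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "missing key dir $dir" >&2; return 1; }
    [ -f "$dir/db.key" ] && [ -f "$dir/db.crt" ] || {
        echo "db.key/db.crt missing in $dir" >&2; return 1; }
    if [ "$(ls -ld "$dir" | cut -c5-10)" != "------" ]; then
        echo "$dir is accessible to group/other" >&2
        return 1
    fi
    # rm_PK.auth puts the firmware back into setup mode when written to it,
    # so it deserves the same protection as the private key.
    if [ -f "$dir/rm_PK.auth" ]; then
        echo "note: $dir/rm_PK.auth present; keep it as private as db.key" >&2
    fi
    return 0
}

# Merge kernel, initramfs, command line and os-release into one EFI binary.
# The section addresses are the ones the systemd stub looks for.
build_unified() {
    kernel=$1; initrd=$2; cmdline=$3; out=$4
    objcopy \
        --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 \
        --add-section .cmdline="$cmdline"   --change-section-vma .cmdline=0x30000 \
        --add-section .linux="$kernel"      --change-section-vma .linux=0x2000000 \
        --add-section .initrd="$initrd"     --change-section-vma .initrd=0x3000000 \
        "$STUB" "$out"
}

# Sign with the db key, then verify the result against the db certificate.
sign_and_verify() {
    in=$1; out=$2
    sbsign --key "$KEYDIR/db.key" --cert "$KEYDIR/db.crt" --output "$out" "$in"
    sbverify --cert "$KEYDIR/db.crt" "$out"
}

# Usage: script.sh <kernel> <initrd> <cmdline-file> <output.efi>
if [ "$#" -eq 4 ]; then
    check_key_dir "$KEYDIR"
    build_unified "$1" "$2" "$3" "$4.unsigned"
    sign_and_verify "$4.unsigned" "$4"
fi
```

The permission check is deliberately the first step: signing with a key that other local users can read gives no assurance, and, as the description notes, the same directory holds the file that can switch signature checking off entirely.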

Debian Developer - deb.li/jak | jak-linux.org - free software dev

When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to (`inline'). Thank you.
