Bug#836867: ITP: sicherboot -- Installs systemd-boot and kernels to ESP, signed for secure boot
Julian Andres Klode
jak at debian.org
Tue Sep 6 17:23:46 BST 2016
Package: wnpp
Severity: wishlist
Owner: Julian Andres Klode <jak at debian.org>
* Package name : sicherboot
Version : 0.1.0
Upstream Author : Julian Andres Klode <jak at jak-linux.org>
* URL : https://github.com/julian-klode/sicherboot
* License : MIT
Programming Lang: Shell
Description : Installs systemd-boot and kernels to ESP, signed for secure boot
sicherboot manages kernels and systemd-boot on a secure boot
machine. It installs kernels and systemd-boot, generates signing keys to
enroll in the machine, and signs the kernels and the bootloader with them.
.
The keys used to sign the UEFI binaries are located in /var/lib. If /var/lib
is not encrypted, the whole setup is unsafe: One of the files generated is
rm_PK.auth, which, when written to UEFI, reverts the system to setup mode
where no checks are performed.
.
Currently, the package only supports the amd64 architecture. It also has to
divert the /etc/kernel/postinst.d/dracut file and replace it with its
own file that calls the diverted one and updates the ESP afterwards, as
dracut does not support any form of hooks.
Lifting the amd64 restriction requires a bit more work: Triggers
need to be adjusted and the correct EFI binaries need to be found
at run time (for the EFI stub which allows us to merge a kernel
with an initramfs).
--
Debian Developer - deb.li/jak | jak-linux.org - free software dev
When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to (`inline'). Thank you.
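The description above warns that the signing keys live under /var/lib and that the setup is unsafe if that directory is not encrypted. The following is an added example (not part of sicherboot) of how an administrator could check that the key directory really sits on a dm-crypt volume rather than merely on a device-mapper device such as LVM; the key directory name, the /proc/mounts sample and the device-mapper UUIDs are constructed.

```python
import os
from typing import Callable, List, Optional, Tuple

# Constructed /proc/mounts sample: / is dm-crypt, /var is LVM (device-mapper
# but NOT encrypted), and the ESP is a plain partition.
SAMPLE_MOUNTS = """\
/dev/mapper/cryptroot / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda1 /boot/efi vfat rw,relatime,fmask=0077 0 0
/dev/mapper/vg0-var /var ext4 rw,relatime 0 0
"""

# Constructed device-mapper UUIDs in the form found in /sys/block/dm-N/dm/uuid.
SAMPLE_DM_UUIDS = {
    "/dev/mapper/cryptroot": "CRYPT-LUKS2-0123456789abcdef-cryptroot",
    "/dev/mapper/vg0-var": "LVM-AbCdEf0123456789",
}

def parse_mounts(text: str) -> List[Tuple[str, str]]:
    """Return (device, mountpoint) pairs; /proc/mounts octal-escapes spaces."""
    pairs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            pairs.append((fields[0], fields[1].replace("\\040", " ")))
    return pairs

def mount_source_for(path: str, mounts: List[Tuple[str, str]]) -> Optional[str]:
    """Device backing PATH: the mount whose mountpoint is the longest prefix."""
    path = os.path.normpath(path)
    best = None
    for device, mountpoint in mounts:
        if path == mountpoint or path.startswith(mountpoint.rstrip("/") + "/"):
            if best is None or len(mountpoint) > len(best[1]):
                best = (device, mountpoint)
    return best[0] if best else None

def read_dm_uuid(device: str) -> Optional[str]:
    """On a live system: resolve /dev/mapper/X to dm-N and read its dm/uuid."""
    node = os.path.basename(os.path.realpath(device))
    try:
        with open(f"/sys/block/{node}/dm/uuid") as fh:
            return fh.read().strip()
    except OSError:
        return None  # not a device-mapper device at all

def is_on_dm_crypt(path: str, mounts: List[Tuple[str, str]],
                   dm_uuid_of: Callable[[str], Optional[str]] = read_dm_uuid) -> bool:
    """True only if PATH's backing device is a dm-crypt target ('CRYPT-' uuid)."""
    device = mount_source_for(path, mounts)
    uuid = dm_uuid_of(device) if device else None
    return bool(uuid) and uuid.startswith("CRYPT-")
```

On a real host, call `is_on_dm_crypt("/var/lib/sicherboot", parse_mounts(open("/proc/mounts").read()))` before enrolling keys; a False result means files such as rm_PK.auth are readable from an unencrypted volume.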