Bug#996202: systemd - EFI Secure Boot for systemd-boot

Julian Andres Klode jak at debian.org
Thu Nov 18 14:21:20 GMT 2021


Hi Bastian,

we have recently discussed the matter of systemd-boot in
an upstream shim review gathering.

We reject a signing of systemd-boot as

* systemd-boot does not use current ways of communicating with
  shim

* There was some concern over general quality

* systemd-boot is an additional bootloader, rather than replacing
  an existing one, thus increasing the attack surface.

  If people want to experiment with other bootloaders than the
  default one, they can disable secure boot, or load their own
  keys into the machine. We do not consider it valid to have
  a choice of bootloaders.

I want to note that the current shim has been signed with the
understanding that it will trust grub, kernels, and fwupd. A
signing of systemd-boot might be considered a reason for revoking
the existing shim, and will certainly result in new shims not
getting signed.

On Thu, Nov 18, 2021 at 02:17:22PM +0100, Bastian Blank wrote:
> Hi Julian
> 
> Given that I got no reply from you after four weeks, I consider that
> issue not existing.
> 
> Bastian
> 
> On Wed, Oct 20, 2021 at 11:12:23AM +0200, Bastian Blank wrote:
> > On Tue, Oct 12, 2021 at 03:31:24PM +0200, Bastian Blank wrote:
> > > On Tue, Oct 12, 2021 at 02:52:57PM +0200, Julian Andres Klode wrote:
> > > > On Tue, Oct 12, 2021 at 02:41:01PM +0200, Bastian Blank wrote:
> > > > > Yes.  This is just for signing right now.
> > > > I wouldn't do that. You then end up breaking users when introducing
> > > > integration; or need yet another package to host the integration in.
> > > 
> > > Hu?  It does not break it any more than the current state.  The systemd
> > > package already ships an EFI binary without any integration.
> > > 
> > > > shim 15.4 requires SBAT sections on binaries it loads.
> > > > So systemd-boot does not hook into shim at all IIRC, so it's not
> > > > super useful - you can't load Debian kernels with it, only stuff
> > > > in UEFI db (other shims, basically).
> > > 
> > > > If it gets signed to be loadable by shim, it would have to implement
> > > > verification of loaded binaries using the shim, and provide an SBAT
> > > > section so shim even bothers loading it.
> > > 
> > > systemd-boot can add proper SBAT as far as I see.  Maybe not in the
> > > version currently on Debian unstable.  Also I see some calls into
> > > SHIM_LOCK.  So there is both SBAT support and support for the shim
> > > verification protocol.
> 
> -- 
> There's another way to survive.  Mutual trust -- and help.
> 		-- Kirk, "Day of the Dove", stardate unknown

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
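The two mechanisms the thread turns on, an SBAT section that shim requires before it will load an image and a generation number that a revocation policy compares against, are easy to inspect by hand. The following is an added example written for this page; it is not code from systemd, shim or either poster, and the SBAT entries, the policy text and the helper names (build_minimal_pe, read_sbat_section, parse_sbat, check_image) are constructed for illustration. It builds a throwaway PE32+ image with a `.sbat` section, walks the COFF section table to pull that section back out, parses the CSV, and applies the per-component generation comparison that SBAT policy uses to decide whether the image would be accepted.

```python
import csv
import io
import struct
from typing import List, Optional, Tuple

# Constructed sample SBAT CSV (not copied from any real build). Fields per entry:
# component_name,component_generation,vendor_name,vendor_package_name,vendor_version,vendor_url
SAMPLE_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "systemd,1,The systemd Developers,systemd,250,https://systemd.io/\n"
    "systemd.debian,1,Debian,systemd,250-1,https://tracker.debian.org/pkg/systemd\n"
)
# Constructed revocation policy in the same shape as a SbatLevel CSV:
# component_name,minimum_generation (the sbat header line carries a date stamp).
SAMPLE_SBAT_LEVEL = "sbat,1,2021030218\nsystemd,1\n"

SBAT_FIELDS = ("component_name", "component_generation", "vendor_name",
               "vendor_package_name", "vendor_version", "vendor_url")


def build_minimal_pe(sbat_text: str, include_sbat: bool = True) -> bytes:
    """Build a tiny, non-bootable PE32+ image whose section table carries a
    .text section and (optionally) a .sbat section holding sbat_text."""
    sections = [(b".text", b"\xc3")]  # constructed: a single 'ret' instruction
    if include_sbat:
        sections.append((b".sbat", sbat_text.encode("ascii")))
    e_lfanew = 0x40            # DOS header is exactly 0x40 bytes here
    opt_size = 0xF0            # PE32+ optional header, zeroed except Magic
    file_align = 0x200
    align = lambda n: (n + file_align - 1) // file_align * file_align
    raw_ptr = align(e_lfanew + 4 + 20 + opt_size + 40 * len(sections))
    sec_headers, raw_data = b"", b""
    for i, (name, data) in enumerate(sections):
        raw_size = align(len(data))
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, reloc/linenumber ptrs+counts, Characteristics
        sec_headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                                   len(data), 0x1000 * (i + 1), raw_size,
                                   raw_ptr + len(raw_data), 0, 0, 0, 0, 0x40000040)
        raw_data += data.ljust(raw_size, b"\0")
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_HEADER: Machine=x86-64, NumberOfSections, stamps/symbols zero,
    # SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B).ljust(opt_size, b"\0")  # Magic = PE32+
    image = dos + b"PE\0\0" + coff + opt + sec_headers
    return image.ljust(raw_ptr, b"\0") + raw_data


def read_sbat_section(image: bytes) -> Optional[str]:
    """Walk the COFF section table and return the .sbat payload, or None."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    sec_table = coff + 20 + opt_size
    for i in range(nsections):
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, sec_table + 40 * i)
        if name.rstrip(b"\0") == b".sbat":
            size = min(vsize, raw_size) if vsize else raw_size
            return image[raw_ptr:raw_ptr + size].rstrip(b"\0").decode("ascii")
    return None


def parse_sbat(text: str) -> List[dict]:
    """Parse SBAT CSV into dicts; the first entry must be the 'sbat' header."""
    rows = [dict(zip(SBAT_FIELDS, r)) for r in csv.reader(io.StringIO(text)) if r]
    if not rows or rows[0]["component_name"] != "sbat":
        raise ValueError("SBAT data must start with the 'sbat' header entry")
    for r in rows:
        int(r["component_generation"])  # generations must be integers
    return rows


def check_image(image: bytes, policy_text: str) -> Tuple[bool, str]:
    """Apply the SBAT rule: for each component named in the policy, any image
    entry with that component name needs generation >= the policy minimum.
    An image without a .sbat section is rejected outright."""
    text = read_sbat_section(image)
    if text is None:
        return False, "no .sbat section"
    entries = parse_sbat(text)
    for prow in csv.reader(io.StringIO(policy_text)):
        if len(prow) < 2:
            continue
        comp, minimum = prow[0], int(prow[1])
        for e in entries:
            if e["component_name"] == comp and int(e["component_generation"]) < minimum:
                return False, f"{comp} generation {e['component_generation']} < required {minimum}"
    return True, "ok"


if __name__ == "__main__":
    img = build_minimal_pe(SAMPLE_SBAT)
    print(read_sbat_section(img))
    print(check_image(img, SAMPLE_SBAT_LEVEL))
    print(check_image(img, "sbat,1,2022010100\nsystemd,2\n"))
    print(check_image(build_minimal_pe(SAMPLE_SBAT, include_sbat=False), SAMPLE_SBAT_LEVEL))
```

On a real image the same section walk applies (`objdump -h` or `objcopy -O binary --only-section=.sbat` will show the section too); the point of the constructed policy runs is that bumping a component's required generation in the policy is what retires every signed image carrying an older generation, which is why the thread treats adding a second signed loader as adding to the set of things that later have to be revoked.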
