Bug#996202: systemd - EFI Secure Boot for systemd-boot
Michael Biebl
biebl at debian.org
Thu Nov 18 15:26:47 GMT 2021
On 18.11.21 at 15:21, Julian Andres Klode wrote:
> we have recently discussed the matter of systemd-boot in
> an upstream shim review gathering.
Is this discussion public? Can you share it?
> * systemd-boot does not use current ways of communicating with
> shim
>
> * There was some concern over general quality
Has this been passed along to the systemd maintainers?
If so, what's their take on this? If not, could you forward your
findings/concerns to upstream, please?
> * systemd-boot is an additional bootloader, rather than replacing
> an existing one, thus increasing the attack surface.
>
> If people want to experiment with other bootloaders than the
> default one, they can disable secure boot, or load their own
> keys into the machine. We do not consider it valid to have
> a choice of bootloaders.
I guess with this argument, there can never be another bootloader aside
from grub2?
Actually, my impression is that by being vastly more minimalistic than grub2,
systemd-shim would have a smaller attack surface.
Anyway, I don't really have any skin in this game, but I guess with the
response from Julian this MR is dead in the water. It would be pretty
pointless to prepare everything for systemd-shim to be signed when in
the end it will never happen.
Regards,
Michael