Bug#996202: systemd - EFI Secure Boot for systemd-boot

Julian Andres Klode jak at debian.org
Thu Nov 18 15:58:09 GMT 2021 

On Thu, Nov 18, 2021 at 04:26:47PM +0100, Michael Biebl wrote:
> 
> Am 18.11.21 um 15:21 schrieb Julian Andres Klode:
> > we have recently discussed the matter of systemd-boot in
> > an upstream shim review gathering.
> 
> Is this discussion public? Can you share it?

We unfortunately do not have a written record of it.
> 
> 
> > * systemd-boot does not use current ways of communicating with
> >    shim
> > 
> > * There was some concern over general quality
> 
> Has this been passed along to the systemd maintainers?
> If so, what's their take on this? If not, could you forward your
> findings/concerns to upstream, please?

It's not really my place, that's a discussion for other people
to have, and I don't have all the details.

> > * systemd-boot is an additional bootloader, rather than replacing
> >    an existing one, thus increasing the attack surface.
> > 
> >    If people want to experiment with other bootloaders than the
> >    default one, they can disable secure boot, or load their own
> >    keys into the machine. We do not consider it valid to have
> >    a choice of bootloaders.
> 
> I guess with this argument, there can never be another bootloader aside from
> grub2?

We don't have a precedent for a distro that does not use grub (but a
different boot loader), so can't say for sure what would happen. But
as long as grub is signed by the keys trusted by the shim, there cannot
be non-grub bootloaders trusted by it as well, yes.

Presumably given that all shims are signed by MS in the end it does not
make sense to every sign any shim trusting a non-grub2 bootloader.

One thing I forgot to mention is that of course people can also
self-sign systemd-boot and put their certificate into the MOK instead
of replacing the entire db keys.

> Actually my impression by being vastly more minimalistic then grub2,
> systemd-shim would have a smaller attack surface.

On the one hand yes, but as the shim trusts both, the attack surface
overall widens. You can attack a machine by inserting either a grub or
a shim binary.


> Anyway, I don't really have any skin in this game, but I guess with the
> response from Julian this MR is dead in the water. It would be pretty
> pointless to prepare everything for systemd-shim to be signed when in the
> end it will never happen.

Yeah, sorry.
-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20211118/85fb1c12/attachment-0001.sig>

More information about the Pkg-systemd-maintainers mailing list