Bug#996202: systemd - EFI Secure Boot for systemd-boot
Michael Biebl
biebl at debian.org
Tue Oct 12 12:10:37 BST 2021
Hi Bastian

On 12.10.21 at 11:22, Bastian Blank wrote:
> Package: systemd
> Version: 247.9-4
> Severity: wishlist
>
> Hi folks
>
> systemd already includes its own small and EFI based bootloader. To
> make it more widely usable, it would be nice to have it secure boot
> signed. Signing for secure boot is supported in Debian via a round trip
> inside the archive.
>
> I would implement that something in the line of:
>
> - Split off the existing EFI binary into a new package
>   "systemd-boot-unsigned".
> - Create the template package "systemd-boot-$arch-signed-template". It
>   contains a list of files to be signed and a source package template,
>   which gets signatures injected into and uploaded by the signing
>   process.
> - The template creates a source and binary package
>   "systemd-boot-$arch-signed", shipping the signed EFI binary.
> - Add a "systemd-boot" package that contains "bootctl" and a dependency
>   on "systemd-boot-$arch-signed".

Would all those binary packages be built from src:systemd?

I don't have any experience with Secure Boot (especially in Debian's
context), so would need help with that.

Would you mind prepping a MR?

Regards,
Michael