Bug#996202: systemd - EFI Secure Boot for systemd-boot
Bastian Blank
waldi at debian.org
Tue Oct 12 12:14:53 BST 2021
On Tue, Oct 12, 2021 at 01:10:37PM +0200, Michael Biebl wrote:
> > I would implement that something in the line of:
> >
> > - Split off the existing EFI binary into a new package
> > "systemd-boot-unsigned".
> > - Create the template package "systemd-boot-$arch-signed-template". It
> > contains a list of files to be signed and a source package template,
> > which gets signatures injected into and uploaded by the signing
> > process.
> > - The template creates a source and binary package
> > "systemd-boot-$arch-signed", shipping the signed EFI binary.
> > - Add a "systemd-boot" package that contains "bootctl" and a dependency
> > on "systemd-boot-$arch-signed".
>
> Would all those binary packages be built from src:systemd?
>From the perspective of the maintainer: yes. Everything comes out of
src:systemd.
In perspective of the archive: no. Secure boot in Debian is done in two
steps.
src:systemd will provide:
- systemd-boot
- systemd-boot-unsigned
- systemd-boot-$arch-signed-template
src:systemd-boot-$arch-signed is created internally and will provide:
- systemd-boot-$arch-signed
> I don't have any experience with Secure Boot (especially in Debian's
> context), so would need help with that.
> Would you mind prepping a MR?
Sure, can do.
Regards,
Bastian
--
Those who hate and fight must stop themselves -- otherwise it is not stopped.
-- Spock, "Day of the Dove", stardate unknown
More information about the Pkg-systemd-maintainers
mailing list