Bug#996202: systemd - EFI Secure Boot for systemd-boot

Bastian Blank waldi at debian.org
Tue Oct 12 12:14:53 BST 2021


On Tue, Oct 12, 2021 at 01:10:37PM +0200, Michael Biebl wrote:
> > I would implement that something in the line of:
> > 
> > - Split off the existing EFI binary into a new package
> >    "systemd-boot-unsigned".
> > - Create the template package "systemd-boot-$arch-signed-template".  It
> >    contains a list of files to be signed and a source package template,
> >    which gets signatures injected into and uploaded by the signing
> >    process.
> > - The template creates a source and binary package
> >    "systemd-boot-$arch-signed", shipping the signed EFI binary.
> > - Add a "systemd-boot" package that contains "bootctl" and a dependency
> >    on "systemd-boot-$arch-signed".
> 
> Would all those binary packages be built from src:systemd?

From the perspective of the maintainer: yes.  Everything comes out of
src:systemd.

From the perspective of the archive: no.  Secure boot in Debian is done in two
steps.

src:systemd will provide:
- systemd-boot
- systemd-boot-unsigned
- systemd-boot-$arch-signed-template

src:systemd-boot-$arch-signed is created internally and will provide:
- systemd-boot-$arch-signed

> I don't have any experience with Secure Boot (especially in Debian's
> context), so would need help with that.
> Would you mind prepping a MR?

Sure, can do.

Regards,
Bastian

-- 
Those who hate and fight must stop themselves -- otherwise it is not stopped.
		-- Spock, "Day of the Dove", stardate unknown
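As an added illustration (not part of this thread, and not the actual debian/control of src:systemd), here is how the four-package split proposed above could be expressed in src:systemd's debian/control. The package names are the ones from the proposal; the architecture list (amd64, arm64), the stanza contents, and the architecture-restricted Depends syntax (assumed to be reduced to the matching entry by dpkg-gencontrol at build time) are assumptions made for this illustration. The signed package is absent on purpose: its source package, src:systemd-boot-$arch-signed, is generated by the archive's signing service from the template, so it never appears in src:systemd's control file.

```debcontrol
# Added illustration, not the real src:systemd debian/control.
Source: systemd
# (Section, Priority, Maintainer, Build-Depends and the other existing
#  binary stanzas of the real control file are omitted here.)

Package: systemd-boot-unsigned
Architecture: amd64 arm64
Depends: ${misc:Depends}
Description: systemd-boot EFI boot manager (unsigned binaries)
 Unsigned systemd-boot EFI binaries, split out into their own package so
 that the archive can sign them in a separate step.

Package: systemd-boot-amd64-signed-template
Architecture: amd64
Depends: ${misc:Depends}
Description: template for signed systemd-boot EFI binaries (amd64)
 List of files to be signed plus a source package template. The archive's
 signing process injects the signatures and uploads the resulting
 src:systemd-boot-amd64-signed.

Package: systemd-boot-arm64-signed-template
Architecture: arm64
Depends: ${misc:Depends}
Description: template for signed systemd-boot EFI binaries (arm64)
 Same as the amd64 template, for arm64.

Package: systemd-boot
Architecture: amd64 arm64
Depends: systemd-boot-amd64-signed [amd64],
         systemd-boot-arm64-signed [arm64],
         ${shlibs:Depends}, ${misc:Depends}
Description: systemd-boot EFI boot manager (bootctl and signed binaries)
 Ships bootctl and pulls in the signed EFI binary for this architecture.
 systemd-boot-$arch-signed is not built from this source: it comes out of
 the generated src:systemd-boot-$arch-signed.
```

The two-step build is visible in the file: the first step (src:systemd) produces only unsigned binaries and a template, so nothing in this source package ever needs the signing key; the signed EFI binary users actually boot arrives through the dependency on systemd-boot-$arch-signed, which the second, archive-internal step provides.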