Bug#996202: systemd - EFI Secure Boot for systemd-boot

Michael Biebl email at michaelbiebl.de
Tue Oct 12 12:29:49 BST 2021


On 12.10.21 at 11:22, Bastian Blank wrote:
> Package: systemd
> Version: 247.9-4
> Severity: wishlist
> 
> Hi folks
> 
> systemd already includes its own small and EFI based bootloader.  To
> make it more widely usable, it would be nice to have it secure boot
> signed.  Signing for secure boot is supported in Debian via a round trip
> inside the archive.
> 
> I would implement that as something along the lines of:
> 
> - Split off the existing EFI binary into a new package
>    "systemd-boot-unsigned".
> - Create the template package "systemd-boot-$arch-signed-template".  It
>    contains a list of files to be signed and a source package template,
>    which gets signatures injected into and uploaded by the signing
>    process.
> - The template creates a source and binary package
>    "systemd-boot-$arch-signed", shipping the signed EFI binary.
> - Add a "systemd-boot" package that contains "bootctl" and a dependency
>    on "systemd-boot-$arch-signed".
> 
> I can help with that, as I'm going to work on secure boot anyway.

Looping in Julian. As maintainer of sicherboot, I assume he would be 
affected by this change.
Julian, maybe you have some input as well.

Regards,
Michael
