Bug#996202: systemd - EFI Secure Boot for systemd-boot
Michael Biebl
email at michaelbiebl.de
Tue Oct 12 12:29:49 BST 2021
On 12.10.21 at 11:22, Bastian Blank wrote:
> Package: systemd
> Version: 247.9-4
> Severity: wishlist
>
> Hi folks
>
> systemd already includes its own small and EFI-based bootloader. To
> make it more widely usable, it would be nice to have it secure boot
> signed. Signing for secure boot is supported in Debian via a round trip
> inside the archive.
>
> I would implement that along the lines of:
>
> - Split off the existing EFI binary into a new package
> "systemd-boot-unsigned".
> - Create the template package "systemd-boot-$arch-signed-template". It
> contains a list of files to be signed and a source package template,
> which gets signatures injected into and uploaded by the signing
> process.
> - The template creates a source and binary package
> "systemd-boot-$arch-signed", shipping the signed EFI binary.
> - Add a "systemd-boot" package that contains "bootctl" and a dependency
> on "systemd-boot-$arch-signed".
>
> I can help with that, as I'm going to work on secure boot anyway.

Looping in Julian. As maintainer of sicherboot, I assume he would be
affected by this change.
Julian, maybe you have some input as well.

Regards,
Michael