Bug#996202: systemd - EFI Secure Boot for systemd-boot

Julian Andres Klode jak at debian.org
Tue Oct 12 13:22:11 BST 2021


On Tue, Oct 12, 2021 at 01:29:49PM +0200, Michael Biebl wrote:
> Am 12.10.21 um 11:22 schrieb Bastian Blank:
> > Package: systemd
> > Version: 247.9-4
> > Severity: wishlist
> > 
> > Hi folks
> > 
> > systemd already includes it's own small and EFI based bootloader.  To
> > make it more widely usable, it would be nice to have it secure boot
> > signed.  Signing for secure boot is supported in Debian via a round trip
> > inside the archive.
> > 
> > I would implement that something in the line of:
> > 
> > - Split off the existing EFI binary into a new package
> >    "systemd-boot-unsigned".
> > - Create the template package "systemd-boot-$arch-signed-template".  It
> >    contains a list of files to be signed and a source package template,
> >    which gets signatures injected into and uploaded by the signing
> >    process.
> > - The template creates a source and binary package
> >    "systemd-boot-$arch-signed", shipping the signed EFI binary.
> > - Add a "systemd-boot" package that contains "bootctl" and a dependency
> >    on "systemd-boot-$arch-signed".
> > 
> > I can help with that, as I'm going work on secure boot anyway.
> 
> Looping in Julian. As maintainer of sicherboot, I assume he would be
> affected by this change.
> Julian, maybe you have some input as well.

The proposed implementation adds signing, but not any hooks for
installing kernels? Anyway I don't care much I guess, sicherboot
would take an unsigned binary, but it also handles a signed one
I guess.

I think the more important question is whether people will make use
of it, and it's worthwhile dealing with the security impact. Presumably
systemd-boot also needs to gain support for SBAT, and both have an SBAT
section and perform verification of SBAT levels, which I'm not sure
anybody has worked on yet, see

https://github.com/rhboot/shim/blob/main/SBAT.md

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20211012/803ab20e/attachment.sig>


More information about the Pkg-systemd-maintainers mailing list