Bug#996202: systemd - EFI Secure Boot for systemd-boot

Bastian Blank waldi at debian.org
Tue Oct 12 13:41:01 BST 2021


On Tue, Oct 12, 2021 at 02:22:11PM +0200, Julian Andres Klode wrote:
> The proposed implementation adds signing, but not any hooks for
> installing kernels? Anyway I don't care much I guess, sicherboot
> would take an unsigned binary, but it also handles a signed one
> I guess.

Yes.  This is just for signing right now.

> I think the more important question is whether people will make use
> of it, and it's worthwhile dealing with the security impact. Presumably
> systemd-boot also needs to gain support for SBAT, and both have an SBAT
> section and perform verification of SBAT levels, which I'm not sure
> anybody has worked on yet, see

What is the current state of SBAT support? 

Also, AFAIK the complete image verification is done in shim.  Why would
downstream loaders require SBAT verification on their own?

Bastian

-- 
Well, Jim, I'm not much of an actor either.
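The SBAT level check discussed above, as an added example that is not code from shim, systemd-boot or the Debian packaging: it parses the CSV that an image carries in its .sbat section and the SbatLevel revocation policy that shim keeps, and reports whether the image would be refused. Field layout follows shim's SBAT.md; the sample section contents and both policies are constructed, not taken from any real image or variable.

```python
"""Evaluate an EFI image's SBAT entries against an SbatLevel revocation policy.

Added example; not code from shim, systemd-boot or Debian's packaging.
Formats follow shim's SBAT.md:
  * the image's .sbat section is CSV, one component per line:
      component,generation,vendor,package,version,url
    and its first line is the format-version entry "sbat,1,...".
  * the SbatLevel policy (the content of shim's SbatLevel variable) is CSV of
      component,minimum_generation
    with a first line "sbat,1,<policy date>".
An image is refused when a component named in the policy is present in the
image with a generation below the policy's minimum; components the policy
does not name are not checked.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SbatEntry:
    component: str
    generation: int
    rest: tuple[str, ...]  # vendor, package, version, url: informational only


def _parse_csv(data: bytes, what: str) -> list[SbatEntry]:
    """Parse (optionally NUL-terminated) CSV of 'component,generation[,...]' lines."""
    text = data.split(b"\0", 1)[0].decode("ascii")
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(",")
        if len(fields) < 2:
            raise ValueError(f"{what} line {lineno}: fewer than two fields: {raw!r}")
        try:
            generation = int(fields[1])
        except ValueError:
            raise ValueError(f"{what} line {lineno}: bad generation {fields[1]!r}") from None
        if generation < 1:
            raise ValueError(f"{what} line {lineno}: generation must be >= 1")
        entries.append(SbatEntry(fields[0], generation, tuple(fields[2:])))
    if not entries or entries[0].component != "sbat":
        raise ValueError(f"{what}: first entry must be the 'sbat' format-version entry")
    return entries


def parse_sbat_section(data: bytes) -> dict[str, int]:
    """Map component -> generation for an image's .sbat section; duplicates are an error."""
    seen: dict[str, int] = {}
    for e in _parse_csv(data, ".sbat section"):
        if e.component in seen:
            raise ValueError(f"duplicate component {e.component!r} in .sbat section")
        seen[e.component] = e.generation
    return seen


def parse_sbat_level(data: bytes) -> dict[str, int]:
    """Map component -> minimum accepted generation for an SbatLevel policy."""
    return {e.component: e.generation for e in _parse_csv(data, "SbatLevel policy")}


def sbat_verify(section: bytes, policy: bytes) -> list[str]:
    """Return the reasons the image would be refused; an empty list means it passes."""
    image = parse_sbat_section(section)
    level = parse_sbat_level(policy)
    reasons = []
    for component, minimum in level.items():
        have = image.get(component)
        if have is not None and have < minimum:
            reasons.append(f"{component}: generation {have} below required {minimum}")
    return reasons


# Constructed sample .sbat section for a hypothetical distro build of systemd-boot.
SAMPLE_SECTION = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "systemd,1,The systemd Developers,systemd,249,https://systemd.io/\n"
    "systemd.debian,1,Debian,systemd,249.4-1,https://tracker.debian.org/pkg/systemd\n"
).encode() + b"\0"

# Constructed policies: one that does not mention systemd, one that revokes generation 1.
POLICY_OLD = b"sbat,1,2021030218\nshim,2\ngrub,3\n"
POLICY_REVOKING_SYSTEMD_1 = b"sbat,1,2022111500\nshim,2\ngrub,3\nsystemd,2\n"


if __name__ == "__main__":
    for name, policy in (("old", POLICY_OLD), ("revoking", POLICY_REVOKING_SYSTEMD_1)):
        reasons = sbat_verify(SAMPLE_SECTION, policy)
        print(f"{name}: {'accepted' if not reasons else 'refused: ' + '; '.join(reasons)}")
```

The check is deliberately keyed on the policy, not the image: an image may list any number of components, but only those the policy names can cause a refusal, which is why a bumped generation in a later build is enough to get past a revocation of the earlier one.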