Bug#996202: systemd - EFI Secure Boot for systemd-boot
Bastian Blank
waldi at debian.org
Wed Oct 20 10:12:23 BST 2021
Hi Julian
Ping?
On Tue, Oct 12, 2021 at 03:31:24PM +0200, Bastian Blank wrote:
> On Tue, Oct 12, 2021 at 02:52:57PM +0200, Julian Andres Klode wrote:
> > On Tue, Oct 12, 2021 at 02:41:01PM +0200, Bastian Blank wrote:
> > > Yes. This is just for signing right now.
> > I wouldn't do that. You then end up breaking users when introducing
> > integration; or need yet another package to host the integration in.
>
> Hu? It does not break it any more than the current state. The systemd
> package already ships an EFI binary without any integration.
>
> > shim 15.4 requires SBAT sections on binaries it loads.
> > So systemd-boot does not hook into shim at all IIRC, so it's not
> > super useful - you can't load Debian kernels with it, only stuff
> > in UEFI db (other shims, basically).
>
> > If it gets signed to be loadable by shim, it would have to implement
> > verification of loaded binaries using the shim, and provide an SBAT
> > section so shim even bothers loading it.
>
> systemd-boot can add proper SBAT as far as I see. Maybe not in the
> version currently on Debian unstable. Also I see some calls into
> SHIM_LOCK. So there is both SBAT support and support for the shim
> verification protocol.
--
Vulcans believe peace should not depend on force.
-- Amanda, "Journey to Babel", stardate 3842.3
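The SBAT requirement discussed above (shim 15.4 refusing binaries without an SBAT section) can be checked before signing. The following Python checker is an added example, not code from this thread, systemd-boot or shim: it walks the PE/COFF section table of an EFI binary, extracts the `.sbat` section and splits it into the six-field CSV rows shim expects. The PE image and the "example-loader" row are constructed here for illustration.

```python
import struct
# Constructed SBAT payload: rows of component_name,component_generation,vendor_name,
# vendor_package_name,vendor_version,vendor_url; the "sbat" row is the mandatory header.
SAMPLE_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "example-loader,1,Example Vendor,example-loader,0.1-1,https://example.invalid/\n"
)

def pe_sections(image):
    # Yield (name, raw_offset, raw_size) for each entry of the PE/COFF section table.
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]               # e_lfanew
    if image[:2] != b"MZ" or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE/COFF image")
    coff = pe_off + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size                                      # section table start
    for i in range(nsec):
        name, _vs, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size

def find_sbat(image):
    # Return the .sbat section contents as text, or None when the image has none.
    for name, off, size in pe_sections(image):
        if name == ".sbat":
            return image[off:off + size].rstrip(b"\0").decode("utf-8")
    return None

def parse_sbat(text):
    # Split SBAT CSV into dicts; reject rows that lack the six required fields.
    keys = ("component_name", "component_generation", "vendor_name",
            "vendor_package_name", "vendor_version", "vendor_url")
    rows = []
    for line in filter(None, text.splitlines()):
        fields = line.split(",")
        if len(fields) != 6:
            raise ValueError(f"malformed SBAT row: {line!r}")
        rows.append(dict(zip(keys, fields)))
    return rows

def build_sample_image(sbat_text=None):
    # Constructed minimal PE image (DOS stub, COFF header, dummy optional header, section table).
    sections = [(b".sbat", sbat_text.encode())] if sbat_text is not None else []
    opt_size, table_off = 16, 64 + 4 + 20 + 16
    data_off, headers, data = table_off + 40 * len(sections), b"", b""
    for name, blob in sections:
        headers += struct.pack("<8sIIIIIIHHI", name, len(blob), 0, len(blob),
                               data_off + len(data), 0, 0, 0, 0, 0x40000040)
        data += blob
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x2022)
    return b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0" + coff + b"\0" * opt_size + headers + data
```

On a real build, read the `.efi` file as bytes and pass it to `find_sbat`; a `None` result means shim 15.4 will not load the binary regardless of its signature.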