Bug#1057873: systemd-boot: allow user postinstall script to be able to sign the bootloader

Matteo Settenvini matteo.settenvini at montecristosoftware.eu
Sat Dec 9 22:53:17 GMT 2023


Package: systemd-boot
Version: 255-1
Severity: important

Dear Maintainer,

as per https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033725 and
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=996202, there seems to be no
willingness to sign esp/EFI/systemd/systemd-bootx64.efi and
esp/EFI/BOOT/BOOTX64.EFI with the Debian CA.

  Sidenote: (Maybe this decision should be revisited? We are a couple of years
  later and systemd-boot is the only proper Linux bootloader able to do
  measured boot).

Instead, the solution pointed out is that the user should have their own
keys. I do just that, and I use sbctl accordingly for both UKI images and
systemd-boot. This works well, also with sbsign instead of
sbctl (the latter being unavailable as a package in Debian).

Unfortunately, one has to manually remember to sign the bootloader
in the EFI partition after each re-install of the systemd-boot package.

Would it be possible to provide a configuration / script file so that
one can sign the bootloader before installing it?

I can obviously create a dpkg-diversion and wrap bootctl myself by
invoking sbsign manually, but I think it would be better if this was a
more generic solution.

Best of all, systemd-boot.efi.signed would be provided by a
systemd-boot-signed package by Debian itself. :-)

From the bootctl man page:

SIGNED .EFI FILES
       bootctl install and update will look for a systemd-boot file ending 
       with the ".efi.signed" suffix first, and copy that instead of the 
       normal ".efi" file. This allows distributions or end-users to provide 
       signed images for UEFI SecureBoot.

Thanks,
Matteo Settenvini

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.5.0-5-amd64 (SMP w/24 CPU threads; PREEMPT)
Locale: LANG=it_IT.utf8, LC_CTYPE=it_IT.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages systemd-boot depends on:
ii  libc6              2.37-13
ii  libsystemd-shared  255-1
ii  systemd-boot-efi   255-1

Versions of packages systemd-boot recommends:
ii  efibootmgr  18-1

systemd-boot suggests no packages.

-- no debconf information
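The signing step the report describes, written out as an added example script. It is not part of the bug report, of the Debian packaging, or of systemd; it only uses the documented behaviour quoted above (bootctl preferring a sibling ".efi.signed" file). Assumptions not stated in the report: the user's Secure Boot db key and certificate live at /etc/secureboot/keys/db/db.key and db.pem (an sbctl-style layout, overridable via SB_KEY / SB_CERT), sbsign and sbverify come from the sbsigntool package, and the packaged binaries sit in /usr/lib/systemd/boot/efi, which is where bootctl reads them on Debian.

```shell
#!/bin/sh
# Added example, not from the bug report or from systemd/Debian:
# sign the packaged systemd-boot binary with user-owned Secure Boot keys
# and drop the result beside it as ".efi.signed", the name that
# "bootctl install" / "bootctl update" copy in preference to the plain
# ".efi". Key/cert locations below are assumptions (sbctl-style layout).
set -eu

SB_KEY="${SB_KEY:-/etc/secureboot/keys/db/db.key}"    # assumed path
SB_CERT="${SB_CERT:-/etc/secureboot/keys/db/db.pem}"  # assumed path
BOOT_EFI_DIR="${BOOT_EFI_DIR:-/usr/lib/systemd/boot/efi}"

# Map foo.efi -> foo.efi.signed; refuse anything that is not a .efi file
# (e.g. linuxx64.efi.stub must not be renamed into a bootloader).
signed_path() {
    case "$1" in
        *.efi) printf '%s.signed\n' "$1" ;;
        *)     return 1 ;;
    esac
}

# Succeed only when the tools and the private key material are usable.
check_prereqs() {
    for tool in sbsign sbverify bootctl; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; return 1; }
    done
    for f in "$SB_KEY" "$SB_CERT"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
}

# Sign one binary into its .efi.signed sibling. The signature is checked
# with sbverify against our own certificate before the file is put in
# place, so a broken or mismatched signing never reaches the ESP.
sign_one() {
    src="$1"
    dst="$(signed_path "$src")" || { echo "not an .efi file: $src" >&2; return 1; }
    [ -r "$src" ] || { echo "no such binary: $src" >&2; return 1; }
    tmp="$dst.tmp.$$"
    sbsign --key "$SB_KEY" --cert "$SB_CERT" --output "$tmp" "$src"
    sbverify --cert "$SB_CERT" "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$dst"
    echo "signed: $dst"
}

main() {
    check_prereqs
    # systemd-bootx64.efi on amd64 (systemd-bootaa64.efi on arm64).
    for efi in "$BOOT_EFI_DIR"/systemd-boot*.efi; do
        sign_one "$efi"
    done
    # bootctl now finds the .efi.signed files and installs those.
    bootctl update
}

# Only act when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "--sign" ]; then
    main
fi
```

Run it as root with `--sign` after every upgrade of systemd-boot-efi (for example from a DPkg::Post-Invoke hook in /etc/apt/apt.conf.d/, which apt runs after each dpkg invocation). `bootctl update` only replaces the ESP copy when the packaged version is newer, so use `bootctl install` instead if the ESP already holds an unsigned copy of the same version. The private key stays on the host, so keep it root-only readable; the sbverify step guards against a typo in SB_CERT producing a file that Secure Boot would then reject at boot.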
