Bug#1054394: Postinst installs unsigned (unbootable) efi on secure boot systems
sympathischerwal
sympathischerwal at proton.me
Mon Oct 23 10:32:49 BST 2023
Package: systemd-boot
Version: 252.12-1~deb12u1

When updating systemd-boot on a system with secure-boot
enabled, the postinst calls `bootctl update --graceful`, which
installs an unsigned EFI. This will overwrite an existing EFI
with a correct signature and cause the system to not boot
anymore because of a security violation.

The postinst should either read a config file, so users can disable
this behavior, or only update the EFI when it has the correct
signature.
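
A sketch of the guard the report asks for, added here as an example; it is not part of the bug report or of the systemd-boot package. The config file path, the `UPDATE_ESP` key, the certificate path and the x86-64 binary path are assumptions, and `sbverify` comes from sbsigntool.

```shell
#!/bin/sh
# Added example: decide in postinst whether `bootctl update` is safe to run.
EFIVARS_DIR=${EFIVARS_DIR:-/sys/firmware/efi/efivars}
SB_VAR=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI global variable GUID
CONF=${CONF:-/etc/default/systemd-boot-update}           # hypothetical config file
SB_CERT=${SB_CERT:-/etc/secureboot/db.crt}               # hypothetical: cert the firmware trusts
NEW_EFI=${NEW_EFI:-/usr/lib/systemd/boot/efi/systemd-bootx64.efi}  # assumed x86-64 path

# efivarfs files hold 4 attribute bytes followed by the data; data byte 1 = enabled.
secure_boot_enabled() {
    var="$EFIVARS_DIR/$SB_VAR"
    [ -r "$var" ] || return 1
    [ "$(od -An -tu1 -j4 -N1 "$var" | tr -d ' \n')" = "1" ]
}

# Succeeds only if the binary carries a signature that chains to SB_CERT.
# A missing sbverify also fails, so the guard fails closed.
verify_signature() {
    sbverify --cert "$SB_CERT" "$1" >/dev/null 2>&1
}

# Returns 0 when the ESP copy may be replaced, 1 when it must be left alone.
should_update() {
    UPDATE_ESP=yes
    [ -r "$CONF" ] && . "$CONF"              # hypothetical key: UPDATE_ESP=no
    [ "$UPDATE_ESP" = "no" ] && return 1     # administrator opted out
    secure_boot_enabled || return 0          # no enforcement: unsigned binary boots
    verify_signature "$NEW_EFI"              # enforcing: replace only with a signed binary
}

# Runs only when invoked the way dpkg invokes a postinst.
if [ "${1:-}" = "configure" ]; then
    if should_update; then
        bootctl update --graceful
    else
        echo "systemd-boot: leaving the installed EFI binary untouched" >&2
    fi
fi
```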