Bug#1054394: Postinst installs unsigned (unbootable) efi on secure boot systems
Michael Biebl
biebl at debian.org
Mon Oct 23 17:07:10 BST 2023
On 23.10.23 at 11:32, sympathischerwal wrote:
> Package: systemd-boot
> Version: 252.12-1~deb12u1
>
> When updating systemd-boot on a system with secure-boot
> enabled, the postinst calls `bootctl update --graceful` which
> installs an unsigned efi. This will overwrite an existing efi
> with correct signature and cause the system to not boot
> anymore, because of a security violation.
>
> The postinst should either read a config file, so users can disable
> this behavior or only update the efi when it has the correct
> signature.

Introducing a config variable for this is something I'm not keen on.

Not running an update of the EFI binaries is problematic as well.

Is there a programmatic, defined way to find out if the sd-boot efi
binaries have been signed? If so, we could at least add a warning to
postinst if we detect such a situation.

Aside from the dpkg/apt hook I mentioned earlier, what you might do is
to dpkg-divert bootctl and replace it with a wrapper script that does
the update + signing for your setup.

Regards,
Michael
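
One way to approach the question raised in the message above, added here as an example and not code from this thread or from the Debian package: an EFI binary is a PE/COFF image, and an embedded Authenticode signature lives in its Certificate Table data directory, so a non-empty entry there means the file carries a signature. This only detects presence; it does not verify that the signature chains to a key the firmware trusts. The function names and the constructed sample header are assumptions made for the example.

```python
import struct

CERT_DIR_INDEX = 4  # PE data directory slot for the Certificate Table


def embedded_signature_size(image: bytes) -> int:
    """Return the Certificate Table size in bytes, or 0 if the image is unsigned."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = pe_off + 24  # optional header follows signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == 0x10B:    # PE32
        dirs = opt + 96
    elif magic == 0x20B:  # PE32+ (64-bit EFI binaries)
        dirs = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (count,) = struct.unpack_from("<I", image, dirs - 4)  # NumberOfRvaAndSizes
    if count <= CERT_DIR_INDEX:
        return 0
    # For this directory the first field is a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", image, dirs + 8 * CERT_DIR_INDEX)
    if size and offset + size > len(image):
        raise ValueError("certificate table points outside the file")
    return size


def is_signed(image: bytes) -> bool:
    return embedded_signature_size(image) > 0


def constructed_pe(cert_size: int) -> bytes:
    """Constructed minimal PE32+ header for the demo; not a loadable binary."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    if cert_size:
        # Headers occupy 0x40 + 24 + 112 + 128 = 328 bytes; table follows them.
        struct.pack_into("<II", dirs, 8 * CERT_DIR_INDEX, 328, cert_size)
    return dos + coff + opt + bytes(dirs) + b"\0" * cert_size
```

A maintainer script could compare the result for the binary about to be copied against the one already on the ESP and warn when a signed file would be replaced by an unsigned one.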