Bug#1054394: Postinst installs unsigned (unbootable) efi on secure boot systems
sympathischerwal
sympathischerwal at proton.me
Tue Oct 24 16:13:13 BST 2023
> Not running an update of the EFI binaries is problematic as well.
Running the update will brick a system with secure boot unconditionally.
> Aside from the dpkg/apt hook I mentioned earlier, what you might do is
> to dpkg-divert bootctl and replace it with a wrapper script that does
> the update + signing for your setup.
Thank you, I think dpkg-divert is the only atomic solution.
If there is a larger gap between the sd-boot postinst and the dpkg/apt hook and there is a problem/crash/power cut in between, the system won't boot again.
> Is there a programmatic, defined way to find out if the sd-boot efi
> binaries have been signed?
The only way I know:
# sbverify --list /usr/lib/systemd/boot/efi/systemd-bootx64.efi
warning: data remaining[123392 vs 139547]: gaps between PE/COFF sections?
warning: data remaining[123392 vs 139552]: gaps between PE/COFF sections?
No signature table present
# sbverify --list /efi/EFI/systemd/systemd-bootx64.efi
warning: data remaining[125736 vs 141896]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /CN=Signature Database key
image signature certificates:
 - subject: /CN=Signature Database key
   issuer:  /CN=Signature Database key
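A programmatic answer to the question above, added here as an example and not part of the bug thread or of systemd: it reads the Certificate Table entry (data directory 4) of the PE optional header, which is exactly what is empty when sbverify prints "No signature table present". build_minimal_pe is a constructed stand-in for a real EFI image, used only to exercise the check.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Certificate Table (Authenticode)


def has_signature_table(data: bytes) -> bool:
    """True if the PE image carries a non-empty Certificate Table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 24                                   # after COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x20B:        # PE32+ (x86_64 sd-boot binaries)
        nrva_off, dd_off = opt_off + 108, opt_off + 112
    elif magic == 0x10B:      # PE32 (ia32 binaries)
        nrva_off, dd_off = opt_off + 92, opt_off + 96
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    n_dirs = struct.unpack_from("<I", data, nrva_off)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return False                                        # table absent
    entry = dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    # Unlike other directories this one is a raw file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", data, entry)
    return cert_off != 0 and cert_size != 0


def build_minimal_pe(cert_off: int = 0, cert_size: int = 0) -> bytes:
    """Constructed sample: a bare PE32+ header with no sections."""
    pe_off = 0x40
    opt = bytearray(112 + 16 * 8)                           # 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     cert_off, cert_size)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x22)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", pe_off)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "signed" if has_signature_table(f.read()) else "unsigned")
```

A non-empty table only shows that some signature is attached; whether the firmware's db trusts it is what `sbverify --cert` checks, so a wrapper around bootctl should gate on both before replacing the installed binary.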