Bug#996202: EFI Secure Boot for systemd-boot
Steve McIntyre
steve at einval.com
Mon Mar 4 23:27:39 GMT 2024
Hey folks,
On Mon, Mar 04, 2024 at 02:13:25AM +0000, Luca Boccassi wrote:
>On Fri, 19 Nov 2021 09:33:00 +0100 Bastian Blank <waldi at debian.org>
>wrote:
>> Hi
>>
>> I'm rescinding this request. I've got a working prototype, but I
>don't
>> know where this would go.
>>
>> Bastian
>
>The upstream Shim reviewers group now accepts systemd-boot as a 2nd
>stage bootloader, trusted by Shim builds signed with the UEFI 3rd party
>CA. This clears the way for Debian's CA to sign systemd-boot, so I am
>reopening this bug.
>
>shim-review questionnaire update that allows systemd-boot:
>
>https://github.com/rhboot/shim-review/pull/357
>
>MR on Salsa to add the usual template package, adapted from Bastian's
>MR from a couple of years ago:
>
>https://salsa.debian.org/systemd-team/systemd/-/merge_requests/252
>
>Debian Shim maintainers, who do we need to seek approvals for this to
>happen? Shim maintainers first of course, anybody else? Release team?
>FTP team?
OK, I can see what you're doing with templating here, and it looks
clear and obvious. But: this seems to be for standalone systemd-boot
rather than UKI? I thought UKI was the preferred way forward?
I'm a little surprised to see you adding riscv64 stuff - AFAIK there's
nobody (yet) providing any root CA for riscv64? We certainly haven't
done anything with it in Debian yet.
What's your plan for installing as the secondary boot loader for shim
to call?
Modulo those questions, let's talk infrastructure. Off the top of my
head, in no particular order...
* We'll need to create a new intermediate signing cert for
systemd-boot (and another for UKI, I guess). Given recent
discussions about changing the way we build and sign kernels, we
should also generate a new signer cert for those too. And if we're
going that far, we may as well generate a complete new set of 2024
certs. [Sorry, rabbithole. :-)] We'll need to talk to DSA about
doing this piece.
* We'll probably need to add things to the signing setup for
ftp-master. Nothing earth-shattering, just some config to
recognise the new set of packages IIRC. I'm sure Bastian can
manage this. :-)
* Are people from the team ready to deal with long-term security
support for the systemd-boot chain?
That's all I can think of for now, but I wouldn't be surprised if more
comes to mind tomorrow... :-)
--
Steve McIntyre, Cambridge, UK. steve at einval.com
Into the distance, a ribbon of black
Stretched to the point of no turning back
More information about the Pkg-systemd-maintainers
mailing list