Bug#996202: EFI Secure Boot for systemd-boot

Luca Boccassi bluca at debian.org
Fri Mar 22 18:13:35 GMT 2024


On Mon, 4 Mar 2024 at 23:58, Luca Boccassi <bluca at debian.org> wrote:
>
> On Mon, 4 Mar 2024 at 23:28, Steve McIntyre <steve at einval.com> wrote:
>
> > Modulo those questions, let's talk infrastructure. Off the top of my
> > head, in no particular order...
> >
> >   * We'll need to create a new intermediate signing cert for
> >     systemd-boot (and another for UKI, I guess). Given recent
> >     discussions about changing the way we build and sign kernels, we
> >     should also generate a new signer cert for those too. And if we're
> >     going that far, we may as well generate a complete new set of 2024
> >     certs. [Sorry, rabbit hole. :-)] We'll need to talk to DSA about
> >     doing this piece.
>
> That makes sense to me, I guess DSA owns the machinery to do this?
>
> >   * We'll probably need to add things to the signing setup for
> >     ftp-master. Nothing earth-shattering, just some config to
> >     recognise the new set of packages IIRC. I'm sure Bastian can
> >     manage this. :-)
> >
> >   * Are people from the team ready to deal with long-term security
> >     support for the systemd-boot chain?
>
> Speaking for myself, yes, I am already part of the team who is
> responsible for that upstream, and I plan to be very strict about not
> carrying downstream patches for the signed components outside of
> security fixes (and even then, prefer upstream stable point releases
> that I am also responsible for anyway).
>
> > That's all I can think of for now, but I wouldn't be surprised if more
> > comes to mind tomorrow... :-)
>
> Thanks for the feedback!

Gentle ping on this - what are the next steps in order to make this happen?
More information about the Pkg-systemd-maintainers mailing list