Bug#1057873: systemd-boot: allow user postinstall script to be able to sign the bootloader

Luca Boccassi bluca at debian.org
Sun May 26 18:15:12 BST 2024


Control: tags -1 help

On Sat, 09 Dec 2023 23:53:17 +0100 Matteo Settenvini
<matteo.settenvini at montecristosoftware.eu> wrote:
> Package: systemd-boot
> Version: 255-1
> Severity: important
> 
> Dear Maintainer,
> 
> as per https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033725 and
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=996202, there seems
> to be no willingness to sign esp/EFI/systemd/systemd-bootx64.efi and
> esp/EFI/BOOT/BOOTX64.EFI with the Debian CA.
> 
>   Sidenote: (Maybe this decision should be revisited? We are a couple
>   of years later and systemd-boot is the only proper Linux bootloader
>   able to do measured boot).

This is in progress and should hopefully happen for Trixie.

> Instead, the solution pointed out is that the user should have their
> own keys. I do just that, and I use sbctl accordingly for both UKI
> images and systemd-boot. This works well, also with sbsign instead of
> sbctl (the latter being unavailable as a package in Debian).
> 
> Unfortunately, one has to manually remember to sign the bootloader
> in the EFI partition after each re-install of the systemd-boot
> package.
> 
> Would it be possible to provide a configuration / script file so that
> one can sign the bootloader before installing it?

This should be doable with dpkg triggers. I haven't used them in years,
but IIRC it might be doable without any explicit change in
systemd-boot-efi, the packages providing the signing tools should be
able to register an interest in /usr/lib/systemd/boot/efi/ and do its
stuff when it is updated.

I am not going to work on this, anybody who is interested in this
should provide MRs to the appropriate packages.

-- 
Kind regards,
Luca Boccassi
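One way to realize the dpkg-trigger approach sketched in the reply, written as an added example that is not part of the bug report or of any Debian package: a maintainer script for a hypothetical local package (call it "local-sb-signer") that declares a file trigger on /usr/lib/systemd/boot/efi and, when dpkg fires it, signs every systemd-boot binary there with the user's own Secure Boot key. The key and certificate paths, the package name and the trigger file are assumptions; `sbsign --key/--cert/--output` and `sbverify --cert` are the real sbsigntool commands the report mentions as a working alternative to sbctl. Copying the signed binaries into the ESP is deliberately left to whatever already runs `bootctl update`, since the ordering of that step relative to a file trigger is something to check against dpkg's trigger semantics rather than assume.

```shell
#!/bin/sh
# Added example, not code from the bug report or from systemd-boot.
#
# Assumed packaging for a hypothetical "local-sb-signer" package:
#   debian/triggers:
#       interest-noawait /usr/lib/systemd/boot/efi
#   debian/postinst: this script; dpkg invokes it as "postinst triggered <dir>..."
#
# Key/certificate locations are assumptions; adjust to where sbctl or your
# own key generation put the db key pair.
set -eu

SB_KEY="${SB_KEY:-/etc/secureboot/keys/db.key}"
SB_CERT="${SB_CERT:-/etc/secureboot/keys/db.pem}"
EFI_SRC="${EFI_SRC:-/usr/lib/systemd/boot/efi}"
# Overridable so the logic can be exercised without real signing tools.
SBSIGN="${SBSIGN:-sbsign}"
SBVERIFY="${SBVERIFY:-sbverify}"

# Succeed only if the PE binary already carries a signature that verifies
# against our certificate (re-signing would just stack signatures).
already_signed() {
    "$SBVERIFY" --cert "$SB_CERT" "$1" >/dev/null 2>&1
}

# Sign every *.efi directly under $1 (default: the systemd-boot source dir)
# in place, skipping files our certificate already verifies.
# Prints the number of files signed on stdout.
sign_systemd_boot_efi() {
    dir="${1:-$EFI_SRC}"
    signed=0
    for f in "$dir"/*.efi; do
        [ -f "$f" ] || continue
        if already_signed "$f"; then
            continue
        fi
        # sbsign writes a new file; sign into a temp name and rename so a
        # failed signing never leaves a truncated bootloader behind.
        tmp="$f.tmp.$$"
        "$SBSIGN" --key "$SB_KEY" --cert "$SB_CERT" --output "$tmp" "$f"
        mv -f "$tmp" "$f"
        signed=$((signed + 1))
    done
    echo "$signed"
}

# Maintainer-script entry point. dpkg calls "postinst triggered <dirs>"
# for the directories named in debian/triggers; any other invocation
# (configure, abort-upgrade, ...) needs nothing from us.
postinst_main() {
    case "${1:-}" in
        triggered)
            shift
            for d in "$@"; do
                n=$(sign_systemd_boot_efi "$d")
                echo "local-sb-signer: signed $n file(s) in $d" >&2
            done
            ;;
        *) ;;
    esac
}

postinst_main "$@"
```

Because the trigger only covers the staging directory under /usr/lib, a bootloader that reaches the ESP by another route (a manual `bootctl install`, or a package that ships directly into /boot/efi) is still unsigned; a quick `sbverify --cert db.pem /boot/efi/EFI/systemd/systemd-bootx64.efi` after an upgrade is the cheap check that the chain is intact.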