On Tue, Oct 12, 2021 at 01:29:49PM +0200, Michael Biebl wrote:
> On 12.10.21 at 11:22, Bastian Blank wrote:
> > Package: systemd
> > Version: 247.9-4
> > Severity: wishlist
> >
> > Hi folks
> >
> > systemd already includes its own small and EFI based bootloader. To
> > make it more widely usable, it would be nice to have it secure boot
> > signed. Signing for secure boot is supported in Debian via a round trip
> > inside the archive.
> >
> > I would implement that something in the line of:
> >
> > - Split off the existing EFI binary into a new package
> >   "systemd-boot-unsigned".
> > - Create the template package "systemd-boot-$arch-signed-template". It
> >   contains a list of files to be signed and a source package template,
> >   which gets signatures injected into and uploaded by the signing
> >   process.
> > - The template creates a source and binary package
> >   "systemd-boot-$arch-signed", shipping the signed EFI binary.
> > - Add a "systemd-boot" package that contains "bootctl" and a dependency
> >   on "systemd-boot-$arch-signed".
> >
> > I can help with that, as I'm going to work on secure boot anyway.
>
> Looping in Julian. As maintainer of sicherboot, I assume he would be
> affected by this change.
> Julian, maybe you have some input as well.

The proposed implementation adds signing, but not any hooks for
installing kernels? Anyway I don't care much I guess, sicherboot
would take an unsigned binary, but it also handles a signed one
I guess.

I think the more important question is whether people will make
use of it, and it's worthwhile dealing with the security impact.

Presumably systemd-boot also needs to gain support for SBAT, and
both have an SBAT section and perform verification of SBAT levels,
which I'm not sure anybody has worked on yet, see

https://github.com/rhboot/shim/blob/main/SBAT.md

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer
i speak de, en