The overall security model of the CA on which we would sign such UKIs already allows loading external initrds without a UKI being used.
This would be for the simple convenience of being able to use the stub purely as a (temporary) mechanism for signing dtbs and the kernel together, not to provide any of the added security of regular systemd-stub. And since you won't weaken the security of the CA itself, and because such an initrd-less UKI will have different TPM hashes from the one that relies on the verified initrd, I don't see any real security argument here other than systemd wishing to distance itself from unsigned initrds fully. If that is the only argument remaining, we should probably ship the patched (and stripped down) stub in a package called "definitely-not-systemd-stub" and actually give us the ability to ship signed dtbs in the 25.10 timeframe.

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2100783

Title:
  systemd-boot does not support an externally provided initrd on UKI

Status in systemd package in Ubuntu:
  Won't Fix

Bug description:
  We would like to boot arm and riscv using systemd-ukify, but the EFI stub in systemd-boot that is used by systemd-ukify to make the UKI only supports embedded initrds. We would like to be able to externally provide the initrd. This is important for secure boot, as this way on kernel updates the UKI can be signed and provided as a package while the initrd can be generated by update-initramfs locally, as there are still many things changing initramfs-hooks locally.

  The patch was rejected upstream: https://github.com/systemd/systemd/pull/35978

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2100783/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
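The thread turns on whether a given UKI carries an embedded initrd (which the stub can verify as part of the signed image) or expects one supplied from outside, and on the fact that the two variants measure differently. As an added example, not code from the bug report, from Ubuntu or from systemd, the following Python parses the PE/COFF section table of a UKI so a maintainer can see which payload sections (.linux, .initrd, .cmdline, .dtb, ...) an image actually ships. The `build_minimal_pe` helper, the section list and the per-section digests are constructed for this illustration only: the image it assembles is not bootable, and the digests are a plain SHA-256 over each section, not the stub's real PCR measurement procedure.

```python
"""List the payload sections of a UKI (PE/COFF) image and flag an embedded initrd."""
import hashlib
import struct
import sys

# Section names the stub reads from a UKI; list constructed for this example.
PAYLOAD_SECTIONS = (".linux", ".initrd", ".cmdline", ".dtb", ".osrel", ".uname")

PE_OFFSET_FIELD = 0x3C                 # e_lfanew: offset of the "PE\0\0" signature
COFF_HEADER_FMT = "<HHIIIHH"           # Machine, NumberOfSections, TimeDateStamp, ...
SECTION_HEADER_FMT = "<8sIIIIIIHHI"    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)  # 40 bytes


def list_pe_sections(image: bytes) -> dict:
    """Return {section name: raw bytes} for every section in a PE image.

    Bounds are checked so a truncated or malformed image raises instead of
    silently returning partial data.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, PE_OFFSET_FIELD)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = struct.unpack_from(COFF_HEADER_FMT, image, pe_off + 4)
    num_sections, opt_header_size = coff[1], coff[5]
    table_off = pe_off + 4 + struct.calcsize(COFF_HEADER_FMT) + opt_header_size
    sections = {}
    for i in range(num_sections):
        hdr = struct.unpack_from(SECTION_HEADER_FMT, image, table_off + i * SECTION_HEADER_SIZE)
        name = hdr[0].rstrip(b"\0").decode("ascii", errors="replace")
        raw_size, raw_ptr = hdr[3], hdr[4]
        if raw_ptr + raw_size > len(image):
            raise ValueError(f"section {name!r} points past end of image")
        sections[name] = image[raw_ptr:raw_ptr + raw_size]
    return sections


def has_embedded_initrd(image: bytes) -> bool:
    """True when the UKI ships its own .initrd section (the case the stub verifies)."""
    return ".initrd" in list_pe_sections(image)


def payload_report(image: bytes) -> dict:
    """Map each known payload section name to whether the image contains it."""
    present = list_pe_sections(image)
    return {name: name in present for name in PAYLOAD_SECTIONS}


def section_digests(image: bytes) -> dict:
    """SHA-256 of each payload section. Illustrates that an initrd-less image and an
    image with an embedded initrd hash differently; this is NOT the stub's PCR scheme."""
    return {name: hashlib.sha256(data).hexdigest()
            for name, data in list_pe_sections(image).items() if name in PAYLOAD_SECTIONS}


def build_minimal_pe(sections: dict) -> bytes:
    """Assemble a constructed, non-bootable PE image carrying the given sections.

    Only the header fields the parser above reads are meaningful; the optional
    header is zero-filled. Used here so the example runs without a real UKI.
    """
    pe_off = 0x40
    opt_header = b"\0" * 0xF0           # dummy PE32+ optional header
    dos_header = b"MZ" + b"\0" * (PE_OFFSET_FIELD - 2) + struct.pack("<I", pe_off)
    coff = struct.pack(COFF_HEADER_FMT, 0xAA64, len(sections), 0, 0, 0, len(opt_header), 0x2)
    raw_ptr = pe_off + 4 + len(coff) + len(opt_header) + SECTION_HEADER_SIZE * len(sections)
    table, body, vaddr = b"", b"", 0x1000
    for name, data in sections.items():
        table += struct.pack(SECTION_HEADER_FMT, name.encode("ascii").ljust(8, b"\0"),
                             len(data), vaddr, len(data), raw_ptr, 0, 0, 0, 0, 0x40000040)
        body += data
        raw_ptr += len(data)
        vaddr += (len(data) + 0xFFF) & ~0xFFF
    return dos_header + b"PE\0\0" + coff + opt_header + table + body


if __name__ == "__main__":
    # Usage: python uki_sections.py /path/to/image.efi  (path is an assumption)
    with open(sys.argv[1], "rb") as fh:
        img = fh.read()
    for sec, present in payload_report(img).items():
        print(f"{sec:10s} {'present' if present else 'absent'}")
    print("embedded initrd:", has_embedded_initrd(img))
```

Run against a real UKI built by ukify, the report shows directly whether the image is of the initrd-less kind discussed above; the same parser also works on a signed image, since Authenticode signing appends a certificate table without altering the section layout.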