Control: tags -1 help

On Sat, 09 Dec 2023 23:53:17 +0100 Matteo Settenvini <[email protected]> wrote:
> Package: systemd-boot
> Version: 255-1
> Severity: important
>
> Dear Maintainer,
>
> as per https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033725 and
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=996202, there seems to be no
> willingness to sign esp/EFI/systemd/systemd-bootx64.efi and
> esp/EFI/BOOT/BOOTX64.EFI with the Debian CA.
>
> Sidenote: (Maybe this decision should be revisited? We are a couple of years
> later and systemd-boot is the only proper Linux bootloader able to do
> measured boot).

This is in progress and should hopefully happen for Trixie.

> Instead, the solution pointed out is that the user should have their own
> keys. I do just that, and I use sbctl accordingly for both UKI images and
> systemd-boot. This works well, also with sbsign instead of
> sbctl (the latter being unavailable as a package in Debian).
>
> Unfortunately, one has to manually remember to sign the bootloader
> in the EFI partition after each re-install of the systemd-boot package.
>
> Would it be possible to provide a configuration / script file so that
> one can sign the bootloader before installing it?

This should be doable with dpkg triggers. I haven't used them in years,
but IIRC it might be doable without any explicit change in systemd-boot-efi;
the packages providing the signing tools should be able to register an
interest in /usr/lib/systemd/boot/efi/ and do their stuff when it is updated.

I am not going to work on this, anybody who is interested in this should
provide MRs to the appropriate packages.

-- 
Kind regards,
Luca Boccassi
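One concrete shape the dpkg-trigger idea above could take, as an added example that is not code from the bug report, from systemd-boot or from any Debian package: a hypothetical signing-helper package (called local-sb-sign here, an assumed name) declares "interest-noawait /usr/lib/systemd/boot/efi" in its DEBIAN/triggers file and installs the script below as its postinst, so dpkg runs it with $1 = "triggered" whenever systemd-boot-efi unpacks new files there. The key and certificate paths follow sbctl's default layout and are assumptions, as is the choice to skip a missing key instead of failing; the sbsign and sbverify command lines are the real sbsigntool ones, but both tools can be swapped out via the environment, which is how the example is tested offline.

```shell
#!/bin/sh
# Added example, not from the bug report or from any Debian package:
# postinst of a hypothetical "local-sb-sign" package whose
# DEBIAN/triggers file contains
#
#     interest-noawait /usr/lib/systemd/boot/efi
#
# dpkg then calls this script as "postinst triggered <trigger-names>"
# after another package (systemd-boot-efi) unpacks files under that
# directory, so the EFI binaries carry the user's db signature before
# anything copies them to the ESP.
#
# Key/cert paths follow sbctl's default layout; they and the tool names
# are assumptions and can be overridden from the environment.
set -eu

SB_KEY="${SB_KEY:-/usr/share/secureboot/keys/db/db.key}"
SB_CERT="${SB_CERT:-/usr/share/secureboot/keys/db/db.pem}"
SB_SIGNER="${SB_SIGNER:-sbsign}"       # sbsign --key K --cert C --output OUT IN
SB_VERIFIER="${SB_VERIFIER:-sbverify}" # sbverify --cert C FILE

# already_signed FILE: succeeds if FILE verifies against SB_CERT.
# sbsign on an already signed image appends a second signature instead
# of replacing the first, so the trigger has to be idempotent; when no
# verifier is available we fall back to re-signing.
already_signed() {
    command -v "$SB_VERIFIER" >/dev/null 2>&1 || return 1
    "$SB_VERIFIER" --cert "$SB_CERT" "$1" >/dev/null 2>&1
}

# sign_efi_dir DIR: sign every *.efi in DIR in place (write to a temp
# file, then atomic rename). Prints the number of files signed.
# A missing key is deliberately not an error: a failing trigger would
# leave systemd-boot-efi half-configured on a machine that has not
# generated its own Secure Boot keys yet.
sign_efi_dir() {
    dir="$1"
    signed=0
    if [ ! -r "$SB_KEY" ] || [ ! -r "$SB_CERT" ]; then
        echo "local-sb-sign: no key/cert readable, leaving $dir unsigned" >&2
        echo 0
        return 0
    fi
    for f in "$dir"/*.efi; do
        [ -e "$f" ] || continue          # glob did not match anything
        if already_signed "$f"; then
            continue
        fi
        tmp="$f.signed.$$"
        "$SB_SIGNER" --key "$SB_KEY" --cert "$SB_CERT" --output "$tmp" "$f"
        mv -f "$tmp" "$f"
        signed=$((signed + 1))
    done
    echo "$signed"
}

case "${1:-}" in
    triggered)
        # $2 is the space-separated list of activated trigger names
        n=$(sign_efi_dir /usr/lib/systemd/boot/efi)
        echo "local-sb-sign: signed $n file(s) in /usr/lib/systemd/boot/efi" >&2
        ;;
    configure)
        # first install: sign whatever systemd-boot-efi already shipped
        sign_efi_dir /usr/lib/systemd/boot/efi >/dev/null
        ;;
esac
```

Two things to check on a real system before relying on this. First, the signed file only lands in /usr/lib/systemd/boot/efi/; dpkg gives no ordering guarantee between this trigger and whatever copies the binary into the ESP in the same run, and bootctl update only replaces an ESP copy that is older than the one in /usr/lib, so the signed binary may need an explicit re-copy afterwards. Second, the verify-before-sign step is what keeps repeated trigger activations from stacking signatures on the same image.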