Hi,

> > [...]
> > So, all this is just for measuring the parameters passed to the kernel
> > image, right? Does it actually make sense in secure scenarios to use
> > that feature? We are currently using unified kernel images, with the
> > kernel parameters baked in. That permits to reject booting at all and
> > automatically measures the options as well.
Yes, correct for the secure boot case, as you're not allowed to change the parameters then by the implementation of systemd-boot's stub which is used to bake unified kernel images, cf. https://github.com/systemd/systemd/blob/main/src/boot/efi/stub.c#L58
A different implementation may allow you to do this though....

Apart from that, measured boot is not tied to secure boot and so it does have its use in the non-secure boot case IMO. Whether we want to support that is a different question though.

> So are we but systemd's measure module will do two things (1) finalize the
> event table (only when called for the 1st time)

What version (sha) did you actually import from systemd-boot? This functionality you're referring to here was removed on Jun 3, 2019, i.e., one year ago, with this commit https://github.com/systemd/systemd/commit/f8e54bf31970d9988bf05e70f75a3e05187f4e30 as the reasoning for adding it in the first place was wrong.

Kind regards,
  Christian

-- 
Dr. Christian Storm
Siemens AG, Technology, T RDA IOT SES-DE
Otto-Hahn-Ring 6, 81739 München, Germany
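The thread above turns on what "measuring the kernel parameters" buys you when secure boot is not enforcing them: a TPM PCR extended with the command line ends up with a different value whenever the command line differs, so any secret sealed to (or any attestation policy expecting) the known-good PCR value fails for a modified boot. The following is an added illustration, not code from EFI Boot Guard or systemd; it simulates the TPM 2.0 PCR extend rule (new PCR = SHA-256(old PCR || event digest)) in plain Python, with constructed stand-ins for the kernel image and command line, and shows both the divergence and the replay of an event log (the "event table" mentioned above) to recompute the final PCR value.

```python
import hashlib

# PCRs start at all-zero after a platform reset (TPM 2.0, SHA-256 bank).
PCR_INITIAL = bytes(32)

# Constructed sample boot artefacts; real values come from the firmware/stub.
KERNEL_IMAGE = b"<constructed stand-in for vmlinuz bytes>"
CMDLINE_GOOD = b"root=/dev/mapper/root ro quiet"
CMDLINE_MODIFIED = b"root=/dev/mapper/root ro quiet init=/bin/sh"


def event_digest(data: bytes) -> bytes:
    """The digest recorded in the event log for one measured object."""
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 PCR extend: the PCR is replaced by H(old_pcr || digest).

    The operation is one-way and order-dependent, so a different measured
    value anywhere in the chain changes every later PCR value.
    """
    return hashlib.sha256(pcr + digest).digest()


def simulate_boot(events):
    """Measure a list of (name, bytes) events into one PCR.

    Returns the final PCR value and an event log of (name, digest) entries,
    the same information a verifier gets from the TCG event log.
    """
    pcr = PCR_INITIAL
    log = []
    for name, data in events:
        digest = event_digest(data)
        pcr = pcr_extend(pcr, digest)
        log.append((name, digest))
    return pcr, log


def replay_log(log) -> bytes:
    """Recompute the PCR from the event log alone (what an attester does)."""
    pcr = PCR_INITIAL
    for _, digest in log:
        pcr = pcr_extend(pcr, digest)
    return pcr


def policy_allows(observed_pcr: bytes, expected_pcr: bytes) -> bool:
    """Model of a sealed-secret / attestation policy bound to one PCR value."""
    return observed_pcr == expected_pcr


def demo():
    good_pcr, good_log = simulate_boot(
        [("kernel", KERNEL_IMAGE), ("cmdline", CMDLINE_GOOD)]
    )
    bad_pcr, bad_log = simulate_boot(
        [("kernel", KERNEL_IMAGE), ("cmdline", CMDLINE_MODIFIED)]
    )
    return {
        "good_pcr": good_pcr.hex(),
        "bad_pcr": bad_pcr.hex(),
        "replay_matches": replay_log(good_log) == good_pcr,
        "good_boot_allowed": policy_allows(good_pcr, good_pcr),
        "modified_boot_allowed": policy_allows(bad_pcr, good_pcr),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two points the simulation makes concrete: measuring is not enforcing (the modified command line still boots; only the policy check afterwards fails), and the event log is sufficient to recompute the PCR, which is why the log must be complete and the PCR, not the log, is the trusted value.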
