On Tue, Oct 12, 2021 at 02:22:11PM +0200, Julian Andres Klode wrote:
> The proposed implementation adds signing, but not any hooks for
> installing kernels? Anyway I don't care much I guess, sicherboot
> would take an unsigned binary, but it also handles a signed one
> I guess.

Yes.  This is just for signing right now.

> I think the more important question is whether people will make use
> of it, and it's worthwhile dealing with the security impact. Presumably
> systemd-boot also needs to gain support for SBAT, and both have an SBAT
> section and perform verification of SBAT levels, which I'm not sure
> anybody has worked on yet, see

What is the current state of SBAT support? 

Also, AFAIK the complete image verification is done in shim.  Why would
downstream loaders require SBAT verification on their own?


Well, Jim, I'm not much of an actor either.

Reply via email to