On Tue, Oct 12, 2021 at 02:41:01PM +0200, Bastian Blank wrote:
> On Tue, Oct 12, 2021 at 02:22:11PM +0200, Julian Andres Klode wrote:
> > The proposed implementation adds signing, but not any hooks for
> > installing kernels? Anyway I don't care much I guess, sicherboot
> > would take an unsigned binary, but it also handles a signed one
> > I guess.
> Yes.  This is just for signing right now.

I wouldn't do that. You then end up breaking users when introducing
integration; or need yet another package to host the integration in.

> > I think the more important question is whether people will make use
> > of it, and it's worthwhile dealing with the security impact. Presumably
> > systemd-boot also needs to gain support for SBAT, and both have an SBAT
> > section and perform verification of SBAT levels, which I'm not sure
> > anybody has worked on yet, see
> What is the current state of SBAT support? 
> Also, AFAIK the complete image verification is done in shim.  Why would
> downstream loaders require SBAT verification on their own?

shim 15.4 requires SBAT sections on binaries it loads.

So systemd-boot does not hook into shim at all IIRC, so it's not
super useful - you can't load Debian kernels with it, only stuff
in UEFI db (other shims, basically).

If it gets signed to be loadable by shim, it would have to implement
verification of loaded binaries using the shim, and provide an SBAT
section so shim even bothers loading it.

debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en

Reply via email to