Hi Julian

Given that I got no reply from you after four weeks, I consider that
issue not existing.

Bastian

On Wed, Oct 20, 2021 at 11:12:23AM +0200, Bastian Blank wrote:
> On Tue, Oct 12, 2021 at 03:31:24PM +0200, Bastian Blank wrote:
> > On Tue, Oct 12, 2021 at 02:52:57PM +0200, Julian Andres Klode wrote:
> > > On Tue, Oct 12, 2021 at 02:41:01PM +0200, Bastian Blank wrote:
> > > > Yes.  This is just for signing right now.
> > > I wouldn't do that. You then end up breaking users when introducing
> > > integration; or need yet another package to host the integration in.
> > 
> > Hu?  It does not break it any more than the current state.  The systemd
> > package already ships an EFI binary without any integration.
> > 
> > > shim 15.4 requires SBAT sections on binaries it loads.
> > > So systemd-boot does not hook into shim at all IIRC, so it's not
> > > super useful - you can't load Debian kernels with it, only stuff
> > > in UEFI db (other shims, basically).
> > 
> > > If it gets signed to be loadable by shim, it would have to implement
> > > verification of loaded binaries using the shim, and provide an SBAT
> > > section so shim even bothers loading it.
> > 
> > systemd-boot can add proper SBAT as far as I see.  Maybe not in the
> > version currently on Debian unstable.  Also I see some calls into
> > SHIM_LOCK.  So there is both SBAT support and support for the shim
> > verification protocol.

-- 
There's another way to survive.  Mutual trust -- and help.
                -- Kirk, "Day of the Dove", stardate unknown
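
The thread turns on whether a given EFI binary carries an SBAT section at all. The following is an added example, not code from the thread or from shim or systemd: it lists the sections of a PE/COFF image and parses the `.sbat` CSV if present. The sample image and the `example-loader` row are constructed, and the helper names are hypothetical.

```python
import csv
import struct

# Constructed sample: the SBAT header row plus one made-up component row.
SAMPLE_SBAT = (
    b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    b"example-loader,1,Example Vendor,example-loader,0.0,https://example.invalid/\n"
)

def pe_sections(data):
    """Map section name to raw bytes for a PE/COFF image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    (count,) = struct.unpack_from("<H", data, pe_off + 6)     # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    table, out = pe_off + 24 + opt_size, {}
    for hdr in range(table, table + 40 * count, 40):
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<2I", data, hdr + 16)
        out[name] = data[raw_ptr:raw_ptr + raw_size]
    return out

def sbat_entries(data):
    """Return [(component, generation)] from .sbat, or None if the section is absent."""
    blob = pe_sections(data).get(".sbat")
    if blob is None:
        return None
    text = blob.rstrip(b"\0").decode("utf-8")
    rows = [r for r in csv.reader(text.splitlines()) if r]
    if any(len(r) < 2 or not r[1].isdigit() for r in rows):
        raise ValueError("malformed SBAT row")
    return [(r[0], int(r[1])) for r in rows]

def build_sample(sbat=None):
    """Constructed, header-only PE (not bootable) with an optional .sbat section."""
    secs = [(b".text", b"\0" * 16)] + ([(b".sbat", sbat)] if sbat else [])
    head = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    head += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(secs), 0, 0, 0, 0, 0)
    raw_ptr, table, body = len(head) + 40 * len(secs), b"", b""
    for name, blob in secs:
        table += name.ljust(8, b"\0") + b"\0" * 16
        table = table[:-16] + struct.pack("<4I", len(blob), 0x1000, len(blob), raw_ptr + len(body))
        table += b"\0" * 16
        body += blob
    return head + table + body
```

A `None` result means the binary has no `.sbat` section; a non-empty result only shows that the metadata is present, not that the binary is signed or that its generation numbers pass a given revocation list.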
