On 18.11.21 at 15:21, Julian Andres Klode wrote:
> we have recently discussed the matter of systemd-boot in an upstream shim review gathering.
Is this discussion public? Can you share it?
> * systemd-boot does not use current ways of communicating with shim
> * There was some concern over general quality
Has this been passed along to the systemd maintainers? If so, what's their take on this? If not, could you forward your findings/concerns to upstream, please?
> * systemd-boot is an additional bootloader, rather than replacing an existing one, thus increasing the attack surface. If people want to experiment with other bootloaders than the default one, they can disable secure boot, or load their own keys into the machine. We do not consider it valid to have a choice of bootloaders.
I guess with this argument, there can never be another bootloader aside from grub2? Actually, my impression is that, by being vastly more minimalistic than grub2, systemd-shim would have a smaller attack surface.
Anyway, I don't really have any skin in this game, but I guess with the response from Julian this MR is dead in the water. It would be pretty pointless to prepare everything for systemd-shim to be signed when in the end it will never happen.
Regards, Michael