Package: wnpp
Severity: wishlist
Owner: Julian Andres Klode <j...@debian.org>

* Package name    : sicherboot
  Version         : 0.1.0
  Upstream Author : Julian Andres Klode <j...@jak-linux.org>
* URL             : https://github.com/julian-klode/sicherboot
* License         : MIT
  Programming Lang: Shell
  Description     : Installs systemd-boot and kernels to ESP, signed for secure boot

 sicherboot manages kernels and systemd-boot on a secure boot
 machine. It installs kernels and systemd-boot, generates signing keys
 to enroll in the machine, and signs the kernels and the bootloader
 with it.
 .
 The keys used to sign the UEFI binaries are located in /var/lib. If
 /var/lib is not encrypted, the whole setup is unsafe: One of the files
 generated is rm_PK.auth, which, when written to UEFI, reverts the
 system to setup mode where no checks are performed.
 .
 Currently, the package only supports amd64 architecture. It also has
 to divert the /etc/kernel/postinst.d/dracut file and replace it with
 its own file that calls the diverted one and updates the ESP
 afterwards, as dracut does not support any form of hooks.

Lifting the amd64 restriction requires a bit more work: Triggers need
to be adjusted and the correct EFI binaries need to be found at run
time (for the EFI stub which allows us to merge a kernel with an
initramfs).

--
Debian Developer - deb.li/jak | jak-linux.org - free software dev

When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to (`inline'). Thank you.
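
The description's warning about keys on an unencrypted /var/lib can be turned into a pre-flight check. The following is an added example, not part of the original message or of sicherboot: it assumes block-level encryption with dm-crypt/LUKS and the util-linux tools findmnt and lsblk, and the function names are hypothetical. Filesystem-level encryption (for example ZFS native encryption) is reported as "cannot tell".

```shell
#!/bin/sh
# Added example (not sicherboot code): verify that the directory holding the
# Secure Boot signing keys sits on top of a dm-crypt (LUKS) mapping.

# Succeeds if the `lsblk -s -n -o TYPE` output on stdin contains a "crypt"
# layer anywhere in the device stack below the filesystem.
has_crypt_layer() {
    found=1
    while read -r type rest; do
        if [ "$type" = "crypt" ]; then
            found=0
        fi
    done
    return "$found"
}

# keystore_encrypted DIR: resolve the block device backing DIR and inspect
# its stack. Returns 0 = encrypted, 1 = not encrypted, 2 = cannot tell.
keystore_encrypted() {
    dir=$1
    # -v drops the "[/subvol]" suffix that btrfs and bind mounts add.
    src=$(findmnt -n -v -o SOURCE --target "$dir") || return 2
    case $src in
        /dev/*) ;;
        *) return 2 ;;   # tmpfs, NFS, ZFS dataset: no block device to inspect
    esac
    # -s walks from the filesystem's device down to the physical disk.
    stack=$(lsblk -s -n -o TYPE "$src") || return 2
    printf '%s\n' "$stack" | has_crypt_layer
}

# Usage, e.g. before generating or enrolling keys:
#   keystore_encrypted /var/lib || echo "signing keys are not on encrypted storage" >&2
```
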