On Tue, Oct 12, 2021 at 02:52:57PM +0200, Julian Andres Klode wrote:
> On Tue, Oct 12, 2021 at 02:41:01PM +0200, Bastian Blank wrote:
> > Yes. This is just for signing right now.
> I wouldn't do that. You then end up breaking users when introducing
> integration; or need yet another package to host the integration in.

Huh? It does not break it any more than the current state. The systemd package already ships an EFI binary without any integration.

> shim 15.4 requires SBAT sections on binaries it loads.
> So systemd-boot does not hook into shim at all IIRC, so it's not
> super useful - you can't load Debian kernels with it, only stuff
> in UEFI db (other shims, basically).
> If it gets signed to be loadable by shim, it would have to implement
> verification of loaded binaries using the shim, and provide an SBAT
> section so shim even bothers loading it.

systemd-boot can add proper SBAT as far as I see. Maybe not in the version currently on Debian unstable. Also I see some calls into SHIM_LOCK. So there is both SBAT support and support for the shim verification protocol.

Bastian

-- 
You! What PLANET is this!
		-- McCoy, "The City on the Edge of Forever", stardate 3134.0
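A check for the SBAT requirement discussed in this thread (shim 15.4 only loads binaries that carry an SBAT section), as an added example that is not part of the thread, of systemd-boot or of shim: it walks a PE image's section table and returns the `.sbat` CSV rows, or `None` when the section is absent, which is the state a signer would want to catch before submitting the binary. The PE image builder and the SBAT rows are constructed sample input, not taken from any real binary.

```python
import struct

# Constructed sample SBAT payload (not taken from any real binary). Rows follow
# the SBAT CSV layout: component,generation,vendor,package,version,url.
SAMPLE_SBAT = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
               b"example-loader,1,Example Vendor,example-loader,0.1,https://example.invalid/\n")

def build_sample_pe(sbat=None):
    """Construct a minimal PE32+ image with a .text section and, if given, a .sbat section."""
    sections = [(b".text", b"\x90" * 16)] + ([(b".sbat", sbat)] if sbat else [])
    e_lfanew, opt_size = 0x80, 0xF0
    raw_off = (e_lfanew + 24 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF
    hdrs, data = b"", b""
    for i, (name, body) in enumerate(sections):
        hdrs += struct.pack("<8sIIIIIIHHI", name, len(body), 0x1000 * (i + 1), len(body),
                            raw_off + len(data), 0, 0, 0, 0, 0x40000040)
        data += body.ljust((len(body) + 0x1FF) & ~0x1FF, b"\0")  # 512-byte file alignment
    dos = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B).ljust(opt_size, b"\0")  # PE32+ magic, rest zeroed
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(raw_off, b"\0") + data

def pe_sections(image):
    """Return {name: raw bytes} for every section header in a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsec,) = struct.unpack_from("<H", image, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)
    pos, out = e_lfanew + 24 + opt_size, {}
    for _ in range(nsec):
        name, vsize, _va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, pos)
        end = rawptr + min(vsize, rawsize)  # VirtualSize trims file-alignment padding
        if end > len(image):
            raise ValueError("section %r extends past end of file" % name)
        out[name.rstrip(b"\0").decode("ascii", "replace")] = image[rawptr:end]
        pos += 40
    return out

def sbat_entries(image):
    """CSV rows of the .sbat section, or None when the binary carries no SBAT section."""
    sec = pe_sections(image).get(".sbat")
    if sec is None:
        return None
    return [row.split(",") for row in sec.rstrip(b"\0").decode().splitlines() if row]
```

On a real EFI binary, pass `open(path, "rb").read()` to `sbat_entries`; the first row is the SBAT header and each following row names one component and its generation number.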