On 23.10.23 at 11:32, sympathischerwal wrote:
Package: systemd-boot
Version: 252.12-1~deb12u1

When updating systemd-boot on a system with secure-boot enabled, the postinst calls `bootctl update --graceful` which installs an unsigned efi. This will overwrite an existing efi with correct signature and cause the system to not boot anymore, because of a security violation. The postinst should either read a config file, so users can disable this behavior or only update the efi when it has the correct signature.
Introducing a config variable for this is something I'm not keen on. Not running an update of the EFI binaries is problematic as well. Is there a programmatic, defined way to find out if the sd-boot efi binaries have been signed? If so, we could at least add a warning to postinst if we detect such a situation.
Aside from the dpkg/apt hook I mentioned earlier, what you might do is to dpkg-divert bootctl and replace it with a wrapper script that does the update + signing for your setup.
Regards, Michael
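The defined, programmatic way to tell whether a PE/COFF EFI binary carries a signature is the Certificate Table entry (data directory index 4) of its optional header: a non-zero offset and size there means an Authenticode (WIN_CERTIFICATE / PKCS#7) blob is attached. The following is an added example, not code from this bug thread, systemd or the Debian package; it parses that entry directly with the standard library, so a postinst (or a wrapper around bootctl) could use it to warn before an unsigned binary replaces a signed one. The `build_sample_pe` helper and the 16-byte certificate body it embeds are constructed test fixtures, not real signed binaries.

```python
"""Check whether a PE/COFF (EFI) binary carries an Authenticode signature.

Added example; the sample PE images built by build_sample_pe() are constructed
test fixtures (headers only, no code sections) and not real EFI binaries.
"""
import struct
import sys

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # data directory slot for the Certificate Table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData
WIN_CERT_REVISION_2_0 = 0x0200


def authenticode_entry(data: bytes):
    """Return (file_offset, size) of the Certificate Table, or None if the slot is empty.

    Raises ValueError if the bytes are not a well-formed PE header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE\\0\\0 signature")
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)  # COFF SizeOfOptionalHeader
    opt = e_lfanew + 24                                          # optional header start
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32PLUS_MAGIC:        # x86-64 / aarch64 EFI binaries
        nrva_off, dirs_off = 108, 112
    elif magic == PE32_MAGIC:          # ia32 / arm EFI binaries
        nrva_off, dirs_off = 92, 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (nrva,) = struct.unpack_from("<I", data, opt + nrva_off)     # NumberOfRvaAndSizes
    if nrva <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None                                              # table not even declared
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + opt_size:
        raise ValueError("Certificate Table entry lies outside the optional header")
    # Unlike other directories, this entry holds a raw file offset, not an RVA.
    offset, size = struct.unpack_from("<II", data, entry)
    if offset == 0 or size == 0:
        return None
    return offset, size


def is_signed(data: bytes) -> bool:
    """True if the image carries a plausible Authenticode signature blob.

    This only detects the presence of a signature; it does not verify it or
    check that the signer is trusted by the firmware's db or shim's MOK list.
    """
    entry = authenticode_entry(data)
    if entry is None:
        return False
    offset, size = entry
    if size < 8 or offset + size > len(data):
        return False                       # dangling or truncated table
    length, revision, cert_type = struct.unpack_from("<IHH", data, offset)
    return (length <= size and revision == WIN_CERT_REVISION_2_0
            and cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA)


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ image (headers only) used as a test fixture."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew -> right after DOS header
    opt = bytearray(112 + 16 * 8)                               # PE32+ header, 16 directories
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x22)
    image = bytearray(dos + b"PE\0\0" + coff + opt)
    if not signed:
        return bytes(image)
    cert_body = b"\x30\x82" + b"\x00" * 14                      # placeholder, not real PKCS#7 DER
    cert = struct.pack("<IHH", 8 + len(cert_body), WIN_CERT_REVISION_2_0,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_body
    entry = 0x40 + 4 + 20 + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    struct.pack_into("<II", image, entry, len(image), len(cert))  # point table at the appended blob
    return bytes(image) + cert


if __name__ == "__main__":
    # Usage: python3 check_signed.py /boot/efi/EFI/systemd/systemd-bootx64.efi ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(f"{path}: {'signed' if is_signed(fh.read()) else 'UNSIGNED'}")
```

A present Certificate Table only proves that some signature is attached, which is enough for the warning Michael proposes (a signed binary on the ESP about to be replaced by an unsigned one). Deciding whether the signature would actually pass Secure Boot is a separate step: `sbverify --cert <signer.pem> <file>.efi` from sbsigntool checks it against a given certificate, and the enrolled db/MOK contents decide what the firmware accepts.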