The overall security model of the CA on which we would sign such UKIs already allows loading external initrds without a UKI being used.
This would be for the simple convenience of being able to use the stub purely as a (temporary) mechanism for signing dtbs and the kernel together, not to provide any of the added security of regular systemd-stub. And since you won't weaken the security of the CA itself, and because such an initrd-less UKI will have different TPM hashes from the one that relies on the verified initrd, I don't see any real security argument here other than systemd wishing to distance itself from unsigned initrds fully. If that is the only argument remaining, we should probably ship the patched (and stripped down) stub in a package called "definitely-not-systemd-stub" and actually give us the ability to ship signed dtbs in the 25.10 timeframe.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2100783

Title:
systemd-boot does not support an externally provided initrd on UKI

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2100783/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs