
Bug#1039913: Please add hook for self-signing systemd-boot after upgrade


Jan Naumann

Jun 29, 2023, 9:00:05 AM
Package: systemd-boot
Version: 253-4
Severity: minor

Dear maintainers,

the systemd-boot package calls `bootctl update` after the upgrade of the
package. Therefore, it overwrites the currently installed systemd-boot image
(which could be signed for secure boot with a local key) on the ESP with a new,
but unsigned image.

Could you please add a hook to the postinst so that either a local script can be
called at installation time which takes care of signing the image (similar to
the `/etc/kernel/postinst.d/` mechanism), or add a call to `sbsign` yourself if
e.g. the signing key is available at a specific path.

Thank you very much in advance
Jan Naumann

-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.3.0-1-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages systemd-boot depends on:
ii libc6 2.36-9
ii libsystemd-shared 253-4
ii systemd-boot-efi 253-4

Versions of packages systemd-boot recommends:
ii efibootmgr 17-2

systemd-boot suggests no packages.

-- no debconf information

Marco d'Itri

Jun 29, 2023, 10:10:05 AM
On Jun 29, Jan Naumann <j...@jans-seite.de> wrote:

> Could you please add a hook to the postinst so that either a local script can be
> called at installation time which takes care of signing the image (similar to
> the `/etc/kernel/postinst.d/` mechanism), or add a call to `sbsign` yourself if
> e.g. the signing key is available at a specific path.
I am working on packaging sbctl (which I believe is *much* nicer[1] than
sbsigntool and mokutil), so I plan to do some work in this area in the
future.
But I am not sure yet of which shape this interface should have.

Part of the issue is that at least sbctl signs the installed binaries in
place, while bootctl looks for .efi.signed files in the source
directory, and "bootctl install" could also be run manually at any time.

But since systemd-bootx64.efi comes from /usr/lib/systemd/boot/efi/ it
would not be right to have something which is not the package manager
install a .efi.signed file there, so I suspect that this cannot be
solved just with some shell scripting.
And for the time being there are zero chances that Debian (or anybody
else, I understand) will be able to ship a signed systemd-boot, so this
is not a useful interface right now.

[1] https://blog.bofh.it/debian/id_465

--
ciao,
Marco
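A script of the kind the report asks for, added here as an illustration; it is not code from the systemd-boot package or from either poster. It covers both messages above: the re-signing step Jan wants run after `bootctl update`, done the way Marco describes as "signing in place" on the ESP rather than dropping a `.efi.signed` file into `/usr/lib/systemd/boot/efi/`. For each systemd-boot image that `bootctl` installs on amd64 it first checks with `sbverify` whether the file already verifies against the local certificate and only then re-signs it with `sbsign`, writing to a temporary file and renaming so a failed run never leaves a half-written loader. The key and certificate paths, the `SB_KEY`/`SB_CERT` variables and the `--run` argument are assumptions; the image names are the amd64 ones from this report.

```shell
#!/bin/sh
# Re-sign the systemd-boot image(s) that `bootctl update` wrote to the ESP with
# a local Secure Boot db key (sbsigntool). Added example, not part of the
# systemd-boot package. Assumed paths, override via environment if needed:
#   SB_KEY / SB_CERT : the local db key pair enrolled in the firmware
set -eu

KEY="${SB_KEY:-/etc/secureboot/db.key}"
CERT="${SB_CERT:-/etc/secureboot/db.crt}"

# Print the systemd-boot binaries bootctl installs into an ESP, one per line.
# Only existing files are printed: the "systemd" loader entry and the
# removable-media fallback path (amd64 names).
esp_boot_images() {
    esp="$1"
    for rel in EFI/systemd/systemd-bootx64.efi EFI/BOOT/BOOTX64.EFI; do
        [ -f "$esp/$rel" ] && printf '%s\n' "$esp/$rel"
    done
    return 0
}

# Return 0 if the image already carries a signature that verifies against CERT.
# This is what `bootctl update` destroys: the fresh image fails this check.
is_signed_by_us() {
    sbverify --cert "$CERT" "$1" >/dev/null 2>&1
}

# Sign in place. sbsign needs a separate --output, so sign into a temp file on
# the same filesystem and rename over the original.
sign_in_place() {
    img="$1"
    tmp="$img.tmp.$$"
    sbsign --key "$KEY" --cert "$CERT" --output "$tmp" "$img"
    mv -f "$tmp" "$img"
}

main() {
    for tool in bootctl sbsign sbverify; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool not found" >&2; return 1; }
    done
    [ -r "$KEY" ] && [ -r "$CERT" ] || { echo "signing key/cert not readable" >&2; return 1; }
    esp="$(bootctl --print-esp-path)"
    esp_boot_images "$esp" | while IFS= read -r img; do
        if is_signed_by_us "$img"; then
            echo "already signed: $img"
        else
            sign_in_place "$img"
            echo "signed: $img"
        fi
    done
}

# Only act when invoked explicitly, so the functions can be sourced and tested.
if [ "${1-}" = "--run" ]; then
    main
fi
```

Because systemd-boot ships no postinst hook (the subject of this bug), the script has to be wired in from outside the package, for example as an APT `DPkg::Post-Invoke` entry in `/etc/apt/apt.conf.d/` that runs it with `--run` after every dpkg run, or by hand after each upgrade. Signing on the ESP does not change what `bootctl update` will do next time: as Marco notes, bootctl only consults `.efi.signed` files in the source directory, so the unsigned image comes back on the next update and the check-and-sign step must run again.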