
Bug#1054394: Postinst installs unsigned (unbootable) efi on secure boot systems


sympathischerwal, Oct 23, 2023, 5:40:06 AM
Package: systemd-boot
Version: 252.12-1~deb12u1

When updating systemd-boot on a system with secure boot
enabled, the postinst calls `bootctl update --graceful`, which
installs an unsigned EFI binary. This will overwrite an existing EFI
binary with a correct signature and cause the system to not boot
anymore because of a security violation.

The postinst should either read a config file, so users can disable
this behavior, or only update the EFI binary when it has the correct
signature.

sympathischerwal, Oct 23, 2023, 6:30:05 AM
Hi,

I am running secure boot with my own keys.
I signed the EFI binary myself with my own keys and put it
on the EFI partition. On a systemd-boot upgrade, the postinst
overwrites these files, which made my bootable system unbootable.

Best,
Thomas

sympathischerwal, Oct 24, 2023, 11:20:04 AM
> Not running an update of the EFI binaries is problematic as well.

Running the update will brick a system with secure boot unconditionally.

> Aside from the dpkg/apt hook I mentioned earlier, what you might do is
> to dpkg-divert bootctl and replace it with a wrapper script that does
> the update + signing for your setup.

Thank you, I think dpkg-divert is the only atomic solution.
If there is a larger gap between the sd-boot postinst and the dpkg/apt hook and there is a problem/crash/power cut in between, the system won't boot again.

> Is there a programmatic, defined way to find out if the sd-boot efi
> binaries have been signed?

The only way I know:

# sbverify --list /usr/lib/systemd/boot/efi/systemd-bootx64.efi
warning: data remaining[123392 vs 139547]: gaps between PE/COFF sections?
warning: data remaining[123392 vs 139552]: gaps between PE/COFF sections?
No signature table present

# sbverify --list /efi/EFI/systemd/systemd-bootx64.efi
warning: data remaining[125736 vs 141896]: gaps between PE/COFF sections?
signature 1
image signature issuers:
- /CN=Signature Database key
image signature certificates:
- subject: /CN=Signature Database key
issuer: /CN=Signature Database key
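A wrapper along the lines of the dpkg-divert suggestion quoted in the last message, added here as an example; it is not part of the thread, of the Debian package or of systemd. It assumes the real binary was diverted with `dpkg-divert --divert /usr/bin/bootctl.distrib --rename /usr/bin/bootctl` and the wrapper installed as /usr/bin/bootctl, that the postinst reaches it through PATH, that the owner's db key and certificate live at /etc/secureboot/db.key and /etc/secureboot/db.crt, and that the ESP is mounted at /efi as in the paths above. The two `*_LIST_OUTPUT` strings are copied from the sbverify output in the message above for the parsing check; the rest of the paths and names are assumptions.

```sh
#!/bin/sh
# Added example: wrapper installed in place of /usr/bin/bootctl after
#   dpkg-divert --divert /usr/bin/bootctl.distrib --rename /usr/bin/bootctl
# so the postinst's `bootctl update --graceful` is immediately followed by
# re-signing with the machine owner's db key. Paths below are assumptions.
set -eu

REAL_BOOTCTL="${REAL_BOOTCTL:-/usr/bin/bootctl.distrib}"
SB_KEY="${SB_KEY:-/etc/secureboot/db.key}"
SB_CERT="${SB_CERT:-/etc/secureboot/db.crt}"
ESP="${ESP:-/efi}"

# sbverify --list output copied from the thread (signed ESP copy, unsigned
# package copy), kept here so the parser can be exercised without sbverify.
SIGNED_LIST_OUTPUT='warning: data remaining[125736 vs 141896]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /CN=Signature Database key'
UNSIGNED_LIST_OUTPUT='warning: data remaining[123392 vs 139547]: gaps between PE/COFF sections?
No signature table present'

# Count "signature N" lines in `sbverify --list` output (the check shown in
# the thread). Takes the text as $1; prints 0 when no table is present.
signature_count() {
    printf '%s\n' "$1" | grep -c '^signature [0-9][0-9]*$' || true
}

# A signature table alone is not enough: the binary must verify against the
# db certificate the firmware actually trusts. sbverify exits 0 only then.
verified_by_our_cert() {
    sbverify --cert "$SB_CERT" "$1" >/dev/null 2>&1
}

# Sign in place atomically: write next to the target on the same filesystem
# and rename over it, so a crash mid-write leaves the previous file intact.
sign_binary() {
    tmp="$1.sbsign.$$"
    sbsign --key "$SB_KEY" --cert "$SB_CERT" --output "$tmp" "$1"
    mv -f "$tmp" "$1"
}

sign_if_needed() {
    if verified_by_our_cert "$1"; then
        echo "bootctl-wrapper: $1 already verifies against $SB_CERT" >&2
        return 0
    fi
    sign_binary "$1"
    if ! verified_by_our_cert "$1"; then
        echo "bootctl-wrapper: $1 still does not verify after signing" >&2
        return 1
    fi
}

wrapper_main() {
    # Run the real bootctl first; under set -e a failure aborts before signing.
    "$REAL_BOOTCTL" "$@"
    case " $* " in
        *" update "*|*" install "*) ;;
        *) return 0 ;;
    esac
    # Files bootctl install/update writes on x64 (assumption; adjust per arch).
    for f in "$ESP/EFI/systemd/systemd-bootx64.efi" "$ESP/EFI/BOOT/BOOTX64.EFI"; do
        if [ -f "$f" ]; then
            sign_if_needed "$f"
        fi
    done
}

# Only act as the wrapper when invoked under the diverted name.
case "${0##*/}" in
    bootctl) wrapper_main "$@" ;;
esac
```

The decision to sign is based on `sbverify --cert` rather than on the presence of a signature table, because a binary signed by some other key (a distribution key not enrolled in db, say) also fails the firmware check and would brick the machine just the same. Signing happens in the same process as the `bootctl update`, which is what closes the window the third message describes between the postinst and a later apt hook.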