sympathischerwal
Oct 24, 2023, 11:20:04 AM
> Not running an update of the EFI binaries is problematic as well.
Running the update will brick a system with secure boot unconditionally.
> Aside from the dpkg/apt hook I mentioned earlier, what you might do is
> to dpkg-divert bootctl and replace it with a wrapper script that does
> the update + signing for your setup.
Thank you, I think dpkg-divert is the only atomic solution.
If there is a larger gap between the sd-boot postinst and the dpkg/apt hook, and there is a problem/crash/power cut in between, the system won't boot again.
> Is there a programmatic, defined way to find out if the sd-boot efi
> binaries have been signed?
The only way I know:
# sbverify --list /usr/lib/systemd/boot/efi/systemd-bootx64.efi
warning: data remaining[123392 vs 139547]: gaps between PE/COFF sections?
warning: data remaining[123392 vs 139552]: gaps between PE/COFF sections?
No signature table present
# sbverify --list /efi/EFI/systemd/systemd-bootx64.efi
warning: data remaining[125736 vs 141896]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /CN=Signature Database key
image signature certificates:
 - subject: /CN=Signature Database key
   issuer: /CN=Signature Database key
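As an added example (my own sketch, not code from this thread or from systemd), here is what the dpkg-divert wrapper for bootctl discussed above could look like, together with a small parser that turns the two `sbverify --list` outputs quoted above into a yes/no answer. Everything about the layout is an assumption: the real bootctl is assumed diverted to /usr/bin/bootctl.distrib, the signing key and certificate at /etc/sbkeys/db.key and /etc/sbkeys/db.crt, the ESP at /efi (as in the paths above), and bootctl is assumed to copy the staged file in /usr/lib/systemd/boot/efi to the ESP unchanged. The two sample outputs embedded in the script are transcribed from the post for offline testing.

```shell
#!/bin/sh
# Hypothetical bootctl wrapper to be installed at /usr/bin/bootctl after
#   dpkg-divert --rename --divert /usr/bin/bootctl.distrib --add /usr/bin/bootctl
# All paths below are assumptions for this example, overridable via environment.
set -eu

REAL_BOOTCTL=${REAL_BOOTCTL:-/usr/bin/bootctl.distrib}
STAGED_DIR=${STAGED_DIR:-/usr/lib/systemd/boot/efi}
ESP=${ESP:-/efi}
SB_KEY=${SB_KEY:-/etc/sbkeys/db.key}
SB_CERT=${SB_CERT:-/etc/sbkeys/db.crt}

# Constructed sample inputs (copied from the sbverify output in the post),
# so the parser can be exercised without sbverify installed.
SAMPLE_UNSIGNED_OUTPUT='warning: data remaining[123392 vs 139547]: gaps between PE/COFF sections?
warning: data remaining[123392 vs 139552]: gaps between PE/COFF sections?
No signature table present'
SAMPLE_SIGNED_OUTPUT='warning: data remaining[125736 vs 141896]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /CN=Signature Database key
image signature certificates:
 - subject: /CN=Signature Database key
   issuer: /CN=Signature Database key'

# Read `sbverify --list` output on stdin; print "signed", "unsigned" or
# "unknown" and return 0 only for "signed". The PE/COFF gap warnings are ignored.
classify_sbverify_output() {
    state=unknown
    while IFS= read -r line; do
        case $line in
            "No signature table present"*) state=unsigned ;;
            "signature "[0-9]*)            state=signed ;;
        esac
    done
    printf '%s\n' "$state"
    [ "$state" = signed ]
}

# Programmatic check for one EFI binary. stderr is merged because sbverify's
# warnings (and possibly its "No signature table" line) may go there.
is_signed() {
    sbverify --list "$1" 2>&1 | classify_sbverify_output >/dev/null
}

# Sign to a temporary file and rename, so a crash never leaves a truncated binary.
sign_in_place() {
    efi=$1
    tmp="$efi.signed.tmp"
    sbsign --key "$SB_KEY" --cert "$SB_CERT" --output "$tmp" "$efi"
    mv -f "$tmp" "$efi"
}

main() {
    case ${1:-} in
        update|install)
            # Sign the staged copy first, so the real bootctl only ever installs
            # an already-signed binary and the ESP never holds an unsigned one.
            for f in "$STAGED_DIR"/systemd-boot*.efi; do
                [ -e "$f" ] || continue
                is_signed "$f" || sign_in_place "$f"
            done
            "$REAL_BOOTCTL" "$@"
            # Belt and braces: refuse to report success if anything on the ESP is unsigned.
            for f in "$ESP"/EFI/systemd/systemd-boot*.efi "$ESP"/EFI/BOOT/BOOT*.EFI; do
                [ -e "$f" ] || continue
                is_signed "$f" || { echo "$f is unsigned after bootctl $1" >&2; exit 1; }
            done
            ;;
        *)
            exec "$REAL_BOOTCTL" "$@"
            ;;
    esac
}

# Only act when invoked with arguments, as the diverted bootctl always is.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Any other bootctl subcommand is passed straight through to the diverted binary, so the sd-boot postinst and interactive use keep working. Signing the staged file before calling the real bootctl is this example's way of closing the window between install and signing; it only holds if bootctl copies that file verbatim, which is an assumption stated above rather than something the post confirms.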