On Mi, 27.04.22 18:57, Michael Biebl (mbiebl@xxxxxxxxx) wrote: > >From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=996202#60 > > """ > we have recently discussed the matter of systemd-boot in > an upstream shim review gathering. Ominous. > We reject a signing of systemd-boot as > > * systemd-boot does not use current ways of communicating with > shim It does not? What does that even mean, and why does that even matter? Also, it does communicate with shim, see src/boot/efi/shim.c… And there's SBAT support, which is a shim thing afaik. > * There was some concern over general quality Humpf. That's just 1st rate FUD. I mean, if systemd for PID 1 is OK'ed by distros, then maybe the boot loader maintained by the same people should be fine too. i'd be curious what precisely the "quality" issues are supposed to be… > * systemd-boot is an additional bootloader, rather than replacing > an existing one, thus increasing the attack surface. Hmm, what? "additional bootloader"? Are they suggesting you use grub to start sd-boot? I mean, you certainly could do that, but the only people I know who do that do that to patch around the gatekeeping that the shim people are doing. Technically the boot chain should either be [firmware → sd-boot → kernel] or [firmware → shim → sd-boot → kernel] (if you buy into the shim thing), and nothing else. > If people want to experiment with other bootloaders than the > default one, they can disable secure boot, or load their own > keys into the machine. We do not consider it valid to have > a choice of bootloaders. > > I want to note that the current shim has been signed with the > understanding that it will trust grub, kernels, and fwupd. A > signing of systemd-boot might be considered reasons for revoking > the existing shim, and will certainly result in new shims not > getting signed. Christ! That's some gatekeeping. Lennart -- Lennart Poettering, Berlin
Re: Splitting sd-boot from systemd/bootctl for enabling sd-boot in Fedora
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: Splitting sd-boot from systemd/bootctl for enabling sd-boot in Fedora
- From: Lennart Poettering <lennart@xxxxxxxxxxxxxx>
- Date: Thu, 28 Apr 2022 09:54:36 +0200
- Cc: systemd Mailing List <systemd-devel@xxxxxxxxxxxxxxxxxxxxx>, "Roderick W. Smith" <rodsmith@xxxxxxxxxxxxx>
- In-reply-to: <CAGWsdOi+A68W=TUa4iqxsoa+Ub9nj1+5ja+gRRWAfM1YRYGFQg@mail.gmail.com>
- References: <CAEg-Je_gcj_Nz6o6venEwefn7Q9K_1a9QoNGvT7RZ9SQ0NzJNw@mail.gmail.com> <YmkfViY7jf6S+aaT@krowka> <CAEg-Je9uf=9W1Obc+QyJ_pS8A65GZOcQz9owumn50co=voop7Q@mail.gmail.com> <YmlPYbFri+kgBzrQ@krowka> <CAGWsdOhFKYO9j5VuXmBEiVUtb94GhmqxbRmRiFKGf_J2MsDrYQ@mail.gmail.com> <CAJAOzpAbM2_dOFMsJEie15h0_9khVBO29EOoB+dtKTKq90W9Zg@mail.gmail.com> <CAGWsdOiByr-vsv-Xpyz15N4NguM99Bk7PBhbm60si5hpiY0nLA@mail.gmail.com> <CAGWsdOi+A68W=TUa4iqxsoa+Ub9nj1+5ja+gRRWAfM1YRYGFQg@mail.gmail.com>
- Follow-Ups:
- Re: Splitting sd-boot from systemd/bootctl for enabling sd-boot in Fedora
- From: Andrei Borzenkov
- Re: Splitting sd-boot from systemd/bootctl for enabling sd-boot in Fedora
- References:
- Splitting sd-boot from systemd/bootctl for enabling sd-boot in Fedora
- From: Neal Gompa
- Re: Splitting sd-boot from systemd/bootctl for enabling sd-boot in Fedora
- From: Zbigniew Jędrzejewski-Szmek
- Re: Splitting sd-boot from systemd/bootctl for enabling sd-boot in Fedora
- From: Neal Gompa
- Re: Splitting sd-boot from systemd/bootctl for enabling sd-boot in Fedora
- From: Zbigniew Jędrzejewski-Szmek
- Re: Splitting sd-boot from systemd/bootctl for enabling sd-boot in Fedora
- From: Michael Biebl
- Re: Splitting sd-boot from systemd/bootctl for enabling sd-boot in Fedora
- From: Dan Nicholson
- Re: Splitting sd-boot from systemd/bootctl for enabling sd-boot in Fedora
- From: Michael Biebl
- Re: Splitting sd-boot from systemd/bootctl for enabling sd-boot in Fedora
- From: Michael Biebl
- Splitting sd-boot from systemd/bootctl for enabling sd-boot in Fedora
- Prev by Date: Re: [EXT] Re: Q: non-ASCII in syslog
- Next by Date: Antw: [EXT] Re: Splitting sd-boot from systemd/bootctl for enabling sd-boot in Fedora
- Previous by thread: Re: Splitting sd-boot from systemd/bootctl for enabling sd-boot in Fedora
- Next by thread: Re: Splitting sd-boot from systemd/bootctl for enabling sd-boot in Fedora
- Index(es):
 |