On Wed, 23.11.22 17:56, Lennart Poettering (lennart@xxxxxxxxxxxxxx) wrote:

> > If this is a bug, I'd be willing to attempt a pull request submission
> > if a suggested fix is given. Overall we like the functionality
> > sd-boot provides and the integration with systemd, but this is likely
> > a hard requirement for our use case.
>
> Yes please file an issue on GitHub first, and this does sound a lot
> like something we should fix, hence a PR that addresses this would be
> more than welcome, too.

BTW, I think we should treat an EFI binary like a system we can't boot
as per the boot assessment logic. i.e. whenever we fail to invoke a
binary (regardless if the reason is the security check or something
else), then we should count down its counters, and then stop using it
once it hits zero. i.e. I think this should hook into the logic
described in https://systemd.io/AUTOMATIC_BOOT_ASSESSMENT

Lennart

--
Lennart Poettering, Berlin
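
The counting scheme the message refers to, as an added example that is not part of the original mail and not sd-boot code: the linked document keeps the counters in the entry's file name as `NAME+LEFT-DONE.SUFFIX`, and this sketch counts an entry down once per failed invocation until it reaches zero. The helper `count_down` and the file name `linux+3.efi` are hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse "<name>+<left>[-<done>]<.suffix>" and write to `out` the name the
 * entry would carry after one more failed attempt (left - 1, done + 1).
 * Returns the tries left afterwards (0 means: stop using this entry),
 * or -1 if the name carries no valid counter or `out` is too small. */
int count_down(const char *in, char *out, size_t outsz) {
    const char *plus = strrchr(in, '+');
    if (!plus || !isdigit((unsigned char)plus[1]))
        return -1;                          /* entry is not counted */
    char *end;
    unsigned long left = strtoul(plus + 1, &end, 10), done = 0;
    if (*end == '-') {                      /* optional "tries done" part */
        if (!isdigit((unsigned char)end[1]))
            return -1;
        done = strtoul(end + 1, &end, 10);
    }
    if (*end != '.')                        /* a suffix must follow */
        return -1;
    if (left > 0)
        left--;
    done++;
    int n = snprintf(out, outsz, "%.*s+%lu-%lu%s",
                     (int)(plus - in), in, left, done, end);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return (int)left;
}

int main(void) {
    /* Constructed entry with three tries; every loop pass stands for one
     * failed attempt to invoke the binary, whatever the reason. */
    char cur[64] = "linux+3.efi", next[64];
    int left;
    do {
        left = count_down(cur, next, sizeof next);
        printf("%s -> %s%s\n", cur, next,
               left == 0 ? "  (counter at zero, stop using)" : "");
        strcpy(cur, next);
    } while (left > 0);
    return 0;
}
```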