Hi Julian,

Ping?

On Tue, Oct 12, 2021 at 03:31:24PM +0200, Bastian Blank wrote:
> On Tue, Oct 12, 2021 at 02:52:57PM +0200, Julian Andres Klode wrote:
> > On Tue, Oct 12, 2021 at 02:41:01PM +0200, Bastian Blank wrote:
> > > Yes. This is just for signing right now.
> > I wouldn't do that. You then end up breaking users when introducing
> > integration; or need yet another package to host the integration in.
>
> Hu? It does not break it any more than the current state. The systemd
> package already ships an EFI binary without any integration.
>
> > shim 15.4 requires SBAT sections on binaries it loads.
> > So systemd-boot does not hook into shim at all IIRC, so it's not
> > super useful - you can't load Debian kernels with it, only stuff
> > in UEFI db (other shims, basically).
> >
> If it gets signed to be loadable by shim, it would have to implement
> verification of loaded binaries using the shim, and provide an SBAT
> section so shim even bothers loading it.
>
> systemd-boot can add proper SBAT as far as I see. Maybe not in the
> version currently on Debian unstable. Also I see some calls into
> SHIM_LOCK. So there is both SBAT support and support for the shim
> verification protocol.

-- 
Vulcans believe peace should not depend on force.
		-- Amanda, "Journey to Babel", stardate 3842.3
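The thread turns on whether a given EFI binary carries an SBAT section at all, and whether shim would then accept it. The script below is an added example, not code from systemd-boot, shim or the Debian systemd packaging: it walks the PE/COFF section table of an EFI image, pulls out the `.sbat` CSV rows, and applies the check shim performs on them as I understand it (each listed component's generation number must not be below the minimum in a revocation list; a binary with no `.sbat` section is refused outright). The `build_pe()` fixture, the SBAT rows in `SAMPLE_SBAT` (apart from the standard `sbat,1,...` header row) and the revocation dictionaries are constructed for the example and are not real systemd or Debian values.

```python
"""Locate the .sbat section of a UEFI PE/COFF binary and evaluate it against a
shim-style SBAT revocation list.

Added example, not code from systemd-boot, shim or Debian packaging.  The PE
image produced by build_pe() is a constructed, non-bootable fixture, and the
SBAT rows below (other than the standard "sbat,1,..." header row) are made up.
"""
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")


def pe_sections(image: bytes) -> dict:
    """Map section name -> raw bytes for a PE image, without loading it."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER follows the signature
    (nsections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size              # section table follows the optional header
    sections = {}
    for i in range(nsections):
        name, vsize, _va, rawsize, rawptr, *_ = SECTION_HDR.unpack_from(
            image, table + i * SECTION_HDR.size)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        # VirtualSize is the payload length; SizeOfRawData includes file-alignment
        # padding that would otherwise appear as trailing NULs in the CSV.
        size = min(vsize, rawsize) if vsize else rawsize
        sections[name] = image[rawptr:rawptr + size]
    return sections


def parse_sbat(raw: bytes) -> list:
    """Split an SBAT section into rows of
    (component_name, component_generation, *vendor_fields)."""
    rows = []
    for line in raw.rstrip(b"\0").decode("utf-8").splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        if len(fields) < 2:
            raise ValueError(f"malformed SBAT row: {line!r}")
        rows.append((fields[0], int(fields[1]), *fields[2:]))
    return rows


def sbat_allows(sections: dict, revocations: dict) -> tuple:
    """Shim-style policy (assumption, modelled on shim's generation comparison):
    no .sbat section -> refused; any listed component whose generation is below
    revocations[component] -> refused; components not in the list are ignored."""
    raw = sections.get(".sbat")
    if raw is None:
        return False, "no .sbat section"
    for name, generation, *_ in parse_sbat(raw):
        required = revocations.get(name)
        if required is not None and generation < required:
            return False, f"{name}: generation {generation} < required {required}"
    return True, "ok"


def build_pe(sections: list) -> bytes:
    """Constructed fixture: minimal x86-64 PE carrying the given (name, data) sections."""
    align, e_lfanew = 0x200, 0x40
    opt = bytes(240)                          # zeroed PE32+ optional header, unused here
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x2022)
    hdr_end = e_lfanew + 4 + len(coff) + len(opt) + SECTION_HDR.size * len(sections)
    raw_base = -(-hdr_end // align) * align
    table, blobs = b"", b""
    for i, (name, data) in enumerate(sections):
        rawsize = -(-len(data) // align) * align
        table += SECTION_HDR.pack(name.encode().ljust(8, b"\0"), len(data),
                                  0x1000 * (i + 1), rawsize, raw_base + len(blobs),
                                  0, 0, 0, 0, 0x40000040)
        blobs += data.ljust(rawsize, b"\0")
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw_base, b"\0") + blobs


# Made-up rows in the documented CSV shape:
# component_name,component_generation,vendor_name,vendor_package_name,vendor_version,vendor_url
SAMPLE_SBAT = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
               b"systemd,1,Example Upstream,systemd,0.0,https://example.invalid/systemd\n"
               b"systemd.example,1,Example Distro,systemd,0.0-0,https://example.invalid/pkg\n")

IMAGE_WITH_SBAT = build_pe([(".text", b"\xc3"), (".sbat", SAMPLE_SBAT)])
IMAGE_NO_SBAT = build_pe([(".text", b"\xc3")])

if __name__ == "__main__":
    for label, image in (("with .sbat", IMAGE_WITH_SBAT), ("without .sbat", IMAGE_NO_SBAT)):
        for policy in ({"systemd": 1}, {"systemd": 2}):
            print(label, policy, sbat_allows(pe_sections(image), policy))
```

On a real image, `pe_sections(open("systemd-bootx64.efi", "rb").read())` gives the same dictionary; `objdump -s -j .sbat systemd-bootx64.efi` is the quick manual equivalent for seeing whether a build carries the section at all.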