On Mon, Nov 11, 2024 at 01:12:06PM -0500, Noah Meyerhans wrote:
> > PARTUUID=104ec3d3-7bc6-4ce4-be38-166f672601ec /boot/efi vfat defaults 0 0
> >
> > This ensures that, if the VM isn’t shut down cleanly just once,
> > it refuses to function at all.
> >
> > Please set the pass field to 2.
>
> We'll need to install dosfstools in the images, too, for that to matter.
>
> While we're at it, we should ensure that we're mounting /boot/efi with
> more restrictive permissions, as there may be sensitive information in
> it. bootctl warns about the current permissions:
> ⚠ Mount point '/boot/efi' which backs the random seed file is world
> accessible, which is a security hole! ⚠
> ⚠ Random seed file '/boot/efi/loader/random-seed' is world accessible, which
> is a security hole! ⚠
>
Tracking these issues as https://salsa.debian.org/cloud-team/debian-cloud-images/-/issues/86 and https://salsa.debian.org/cloud-team/debian-cloud-images/-/issues/87
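
The two fstab problems discussed in this message, as an added example that is not part of the original e-mail or of the debian-cloud-images code: a small Python lint that flags a vfat `/boot/efi` entry whose pass field is 0 or whose masks leave any "other" permission bit set. The second sample entry, its `umask=0077` option, the assumed default umask of 022 and all function names are assumptions made for illustration.

```python
# Added example: lint fstab(5) entries for the ESP issues raised in this thread.
# Constructed sample: entry 1 is the line quoted above, entry 2 is a
# hypothetical corrected form (placeholder PARTUUID, assumed umask=0077).
SAMPLE_FSTAB = """\
PARTUUID=104ec3d3-7bc6-4ce4-be38-166f672601ec /boot/efi vfat defaults 0 0
PARTUUID=00000000-0000-0000-0000-000000000000 /boot/efi vfat umask=0077 0 2
"""

# Assumption: with no umask= option, vfat uses the mounting process's umask,
# which is typically 022 and leaves read/execute open to "other".
DEFAULT_MASK = 0o022


def parse_fstab(text):
    """Yield (spec, mountpoint, fstype, options, passno) for each entry."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        passno = int(fields[5]) if len(fields) > 5 else 0  # absent means 0
        yield fields[0], fields[1], fields[2], fields[3].split(","), passno


def vfat_masks(options):
    """Return the effective (fmask, dmask) of a vfat option list."""
    seen = {}
    for opt in options:
        key, _, value = opt.partition("=")
        if key in ("umask", "fmask", "dmask") and value:
            seen[key] = int(value, 8)
    base = seen.get("umask", DEFAULT_MASK)
    return seen.get("fmask", base), seen.get("dmask", base)


def lint_esp(text, mountpoint="/boot/efi"):
    """Return [(spec, [problem, ...])] for vfat entries at mountpoint."""
    report = []
    for spec, mnt, fstype, options, passno in parse_fstab(text):
        if mnt != mountpoint or fstype != "vfat":
            continue
        problems = []
        if passno == 0:
            problems.append("pass field is 0: fsck is skipped at boot")
        fmask, dmask = vfat_masks(options)
        if (fmask & 0o007) != 0o007 or (dmask & 0o007) != 0o007:
            problems.append("world accessible: fmask=%03o dmask=%03o" % (fmask, dmask))
        report.append((spec, problems))
    return report
```

A non-zero pass field only has an effect when `fsck.vfat` is present, which is why the thread also asks for dosfstools in the images.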
