Hi Julian,

On Tue, Sep 06, 2016 at 06:23:46PM +0200, Julian Andres Klode wrote:
> Package: wnpp
> Severity: wishlist
> Owner: Julian Andres Klode <jak@debian.org>
>
> * Package name    : sicherboot
>   Version         : 0.1.0
>   Upstream Author : Julian Andres Klode <jak@jak-linux.org>
> * URL             : https://github.com/julian-klode/sicherboot
> * License         : MIT
>   Programming Lang: Shell
>   Description     : Installs systemd-boot and kernels to ESP, signed for secure boot

Please explain the "ESP" acronym in the long description:

> sicherboot manages kernels and systemd-boot on a secure boot
> machine. It installs kernels and systemd-boot, generates signing keys to
> enroll in the machine, and signs the kernels and the bootloader with it.
> .
> The keys used to sign the UEFI binaries are located in /var/lib. If /var/lib
> is not encrypted, the whole setup is unsafe: One of the files generated is
> rm_PK.auth, which, when written to UEFI, reverts the system to setup mode
> where no checks are performed.
> .
> Currently, the package only supports amd64 architecture. It also has to
> divert the /etc/kernel/postinst.d/dracut file and replace it with its
> own file that calls the diverted one and updates the ESP afterwards, as
> dracut does not support any form of hooks.
>
> Lifting the amd64 restriction requires a bit more work: Triggers
> need to be adjusted and the correct EFI binaries need to be found
> at run time (for the EFI stub which allows us to merge a kernel
> with an initramfs).

-- 
cheers,
	Holger
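The long description above states the precondition the whole setup rests on: the signing keys and the generated rm_PK.auth live under /var/lib, and if that location is not encrypted and readable, Secure Boot enforcement can be undone. The script below is an added example written for this thread, not code from sicherboot or from either poster. It performs the two checks an administrator would want before trusting such a setup: that the key directory and its key/.auth files have restrictive modes, and that the filesystem holding them sits on a dm-crypt layer. The path /var/lib/sicherboot is an assumption (the ITP only names /var/lib), as are the *.key and *.auth file patterns.

```sh
#!/bin/sh
# Added example, not part of sicherboot: pre-flight checks for the on-disk
# signing material of a Secure Boot setup. KEY_DIR is an assumed location.
set -u

KEY_DIR="${KEY_DIR:-/var/lib/sicherboot}"   # assumption; the ITP only says /var/lib

# Return 0 if an lsblk TYPE chain (one entry per line, as printed by
# `lsblk -s -n -o TYPE <dev>`) contains a dm-crypt layer, 1 otherwise.
chain_has_crypt() {
    printf '%s\n' "$1" | grep -qx 'crypt'
}

# Return 0 if the filesystem holding $1 is backed by dm-crypt, 1 if it is
# not, and 2 if findmnt/lsblk are unavailable or the device cannot be found.
backing_is_encrypted() {
    command -v findmnt >/dev/null 2>&1 && command -v lsblk >/dev/null 2>&1 || return 2
    src=$(findmnt -n -o SOURCE --target "$1") || return 2
    chain=$(lsblk -s -n -o TYPE "$src" 2>/dev/null) || return 2
    chain_has_crypt "$chain"
}

# Return 0 if directory $1 is mode 0700 and every *.key / *.auth file in it
# (rm_PK.auth included) is mode 0600 or 0400; print each violation to stderr.
check_key_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 1; }
    rc=0
    mode=$(stat -c '%a' "$dir")
    [ "$mode" = 700 ] || { echo "$dir: mode $mode, want 700" >&2; rc=1; }
    for f in "$dir"/*.key "$dir"/*.auth; do
        [ -e "$f" ] || continue          # unmatched glob, nothing to check
        m=$(stat -c '%a' "$f")
        case $m in
            600|400) ;;
            *) echo "$f: mode $m, want 600 or 400" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Run both checks against a key directory and report; exit 0 only if both pass.
main() {
    dir=${1:-$KEY_DIR}
    check_key_dir "$dir"; perms=$?
    backing_is_encrypted "$dir"; enc=$?
    case $enc in
        0) echo "$dir: on a dm-crypt device" ;;
        1) echo "$dir: NOT on dm-crypt; rm_PK.auth here can disable Secure Boot checks" ;;
        *) echo "$dir: could not determine backing device" ;;
    esac
    [ "$perms" -eq 0 ] && [ "$enc" -eq 0 ]
}

# Usage: sh check-keys.sh /var/lib/sicherboot
if [ $# -gt 0 ]; then
    main "$@"
fi
```

check_key_dir deliberately inspects only modes, not ownership, so it can be run and tested as an unprivileged user; on a real system the directory should also be root-owned. backing_is_encrypted returns a distinct code (2) when it cannot decide, so that "unknown" is never reported as "encrypted".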