Skip to content
This repository has been archived by the owner on Jan 20, 2023. It is now read-only.

Latest commit

 

History

History
49 lines (36 loc) · 1.54 KB

README.md

File metadata and controls

49 lines (36 loc) · 1.54 KB

systemd Secure boot integration

sicher*boot automatically installs systemd-boot and kernels for it into the ESP, signed with keys generated by it.

Run Status

SECURITY

The signing keys are stored unencrypted and only protected by the file system permissions. Thus, you should make sure that the file system they are stored (usually /etc) in is encrypted.

Setup

After installing sicherboot, you can adjust a number of settings in /etc/sicherboot.conf and should set a kernel commandline in /etc/kernel/cmdline.

Then run

sicherboot setup

to get started.

Limitations

  • Kernels and initramfs images must be named /boot/vmlinuz-<ver> and /boot/initrd.img-<ver>
  • Only a single ESP is supported.

Integrating with your package management

You want to run:

  • sicherboot bootctl update
    • whenever systemd is upgraded or installed
  • sicherboot install-kernel <ver>
    • when the kernel is installed and the initramfs was built
  • sicherboot remove-kernel <ver>
    • when the kernel shall be removed

As an example, kernel and initramfs contain integration with /etc/kernel and initramfs-tools. Install one of the kernel postinst.d scripts - the dracut one exists for dracut systems as a work around for dracut not supporting hooks.