Julian Andres Klode
Julian Andres Klode
OK I haven't played with keyboxd yet, it's a bit new and fancy (and IMO useless), but this seems to be documented in the `gpg(1)` manual page under the `--keyring`...
I'll go patch out `use-keyboxd` in new installs.
gnupg2 patched in https://launchpad.net/ubuntu/+source/gnupg2/2.4.4-2ubuntu9 to no longer write common.conf on fresh installs. But please ensure your test suite doesn't rely on host config and home dirs.
Kernel modules should be signed by different key than the bootloader and kernel. Does Debian not do automatic DKMS signing yet? We do in Ubuntu.
Well, cp: cannot stat '/root/src/github.com/julian-klode/sicherboot/tests/tmp/efi/EFI/BOOT/BOOTX64.EFI': No such file or directory -> the mock bootctl does not install a bootx64.efi. WRT signing that: It's not that easy. The default might not...
I wonder why you don't set a boot order using efibootmgr that uses the non-default bootloader. For example, my system is configured to directly use systemd-boot by placing its entry...
> It doesn't add any options. Everything loaded by systemd-boot must be signed. Commandline arguments can be defined in loader entry files, but I'm not sure it's being used with...
I'm always a bit wary of toying with EFI variables directly, and especially adding multiple ones. I barely managed to recover from too many variables once on my X230 -...
Sounds like a good idea, and something I could do in September.
I have to defer this to a later time due to other projects currently being in the way. So, later this year.