sicherboot
Directly use efibootmgr instead of systemd boot
Sicherboot packs kernel and initrd into single-file EFI executables. Then we can register these EFI executables using efibootmgr without any bootloader and boot them directly. It may not work on every piece of hardware, but it is simpler and it reduces attack surface so Secure Boot should be more reliable.
Would it be possible to add an option not to use systemd-boot and to register kernels directly using efibootmgr? The /boot/EFI directory would be much cleaner (only a few kernels in /boot/EFI/debian).
I've tried this using a simple script:
```sh
# $vmlinuz_file, $initrd_file, $target_file, $target_cmdline_file, $version and
# $target_efi (the ESP-relative path of $target_file) are set earlier in the script.
sicherboot build-image "$vmlinuz_file" "$initrd_file" "$target_file" "$target_cmdline_file"
sicherboot sign-image "$target_file"
label="Debian Linux $version (baked & signed)"
# Delete any existing entries carrying this label before creating a fresh one.
# grep -F matches the label literally (it contains '(' and '&'); entry numbers are
# hex, so the sed pattern accepts [0-9A-Fa-f], not just digits, and keeps all four digits.
efibootmgr | grep -F "$label" | sed 's/^Boot\([0-9A-Fa-f]\{4\}\)\*\? .*/\1/' | xargs -r -n 1 -- efibootmgr -B -q -b
efibootmgr -c -L "$label" -l "$target_efi"
```
It works quite well, but a bit more robust approach would be better.
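A more robust version of the register step, added here as an example and not code from the sicherboot project or the issue author: the fragile part of the one-liner above is recovering entry numbers from `efibootmgr` output with `grep`/`sed`, which matches the label as a substring ("6.1" also matches "6.10"), assumes decimal entry numbers although they are hex, and would pass stray words to `efibootmgr -b` on a non-matching line. The parser below matches the whole label, handles inactive entries (no `*`) and the device path that `efibootmgr -v` appends after a tab, and is exercised on a constructed sample of `efibootmgr` output. `ESP_DISK`, `ESP_PART` and the `register_image` helper name are assumptions for this example; the `-d`/`-p` arguments are passed explicitly because the efibootmgr man page documents `/dev/sda` partition 1 as the fallback, which is wrong on NVMe systems.

```sh
#!/bin/sh
# Added example: robust efibootmgr entry handling for sicherboot-built images.

# boot_entries_for_label LABEL
# Reads `efibootmgr` output on stdin and prints the four-hex-digit numbers of
# every entry whose label is exactly LABEL, one per line.
# Entry lines look like "Boot0003* label" (active) or "Boot0003  label"
# (inactive); with -v a tab and the device path follow the label.
boot_entries_for_label() {
    # LABEL is passed with -v, so it must not contain backslash escapes.
    awk -v want="$1" '
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][* ] / {
            num  = substr($1, 5, 4)   # "Boot0003*" -> "0003"
            rest = substr($0, 11)     # everything after "BootXXXX? "
            sub(/\t.*$/, "", rest)    # drop the device path printed after a tab
            if (rest == want) print num
        }'
}

# remove_boot_entries LABEL
# Deletes every entry carrying exactly this label, so re-running after a
# kernel rebuild never leaves duplicates behind.
remove_boot_entries() {
    for num in $(efibootmgr | boot_entries_for_label "$1"); do
        efibootmgr -q -B -b "$num"
    done
}

# register_image LABEL ESP_PATH
# Replaces any entry with LABEL by a fresh one pointing at ESP_PATH, the
# backslash-separated path of the signed image relative to the ESP root.
# ESP_DISK and ESP_PART (assumed variables) identify the ESP explicitly.
register_image() {
    label=$1
    efi_path=$2
    remove_boot_entries "$label"
    efibootmgr -q -c \
        -d "${ESP_DISK:?set ESP_DISK, e.g. /dev/nvme0n1}" \
        -p "${ESP_PART:?set ESP_PART, e.g. 1}" \
        -L "$label" -l "$efi_path"
}

# Constructed sample of `efibootmgr` output (not captured from a real machine),
# used so the parser can be tried without touching NVRAM.
sample_efibootmgr_output() {
    printf '%s\n' \
        'BootCurrent: 0003' \
        'BootOrder: 0003,0001,000A' \
        'Boot0001* Windows Boot Manager' \
        'Boot0003* Debian Linux 6.1.0-10 (baked & signed)' \
        'Boot0005  Debian Linux 6.1.0-10 (baked & signed)' \
        'Boot000A* Debian Linux 6.1.0-100 (baked & signed)'
    # verbose form: device path after a tab, must still match
    printf 'Boot0002* Debian Linux 6.1.0-10 (baked & signed)\tHD(1,GPT,placeholder)\n'
}

# Stand-alone demonstration: prints 0003, 0005 and 0002 (not 000A, whose
# label only shares a prefix).
sample_efibootmgr_output | boot_entries_for_label 'Debian Linux 6.1.0-10 (baked & signed)'
```

To use it in the script from the issue, replace the last two lines with `register_image "$label" "$target_efi"` after exporting `ESP_DISK` and `ESP_PART`; `efibootmgr -v` can be used to confirm that the new entry's `File(...)` path points at the signed image before rebooting.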