
Directly use efibootmgr instead of systemd boot

Open jkufner opened this issue 5 years ago • 6 comments

Sicherboot packs kernel and initrd into single-file EFI executables. Then we can register these EFI executables using efibootmgr without any bootloader and boot them directly. It may not work on every piece of hardware, but it is simpler and it reduces attack surface so Secure Boot should be more reliable.

Would it be possible to add option not to use systemd boot and register kernels directly using efibootmgr? The /boot/EFI directory would be much cleaner (only few kernels in /boot/EFI/debian).

I've tried this using a simple script:

# Build the unified image (kernel + initrd + cmdline) and sign it with sicherboot.
sicherboot build-image "$vmlinuz_file" "$initrd_file" "$target_file" "$target_cmdline_file"
sicherboot sign-image "$target_file"
label="Debian Linux $version (baked & signed)"
# Delete any stale entries carrying the same label before re-registering.
# Boot numbers are hexadecimal (e.g. Boot000A), so match [0-9A-Fa-f], not just [0-9];
# grep -F matches the label literally so "(" and "&" are not treated as regex syntax.
efibootmgr | grep -F -- "$label" | sed 's/^Boot0*\([0-9A-Fa-f]\+\)\*\? .*/\1/' | xargs -r -n 1 -- efibootmgr -B -q -b
# Register the signed image as a boot entry that the firmware loads directly.
efibootmgr -c -L "$label" -l "$target_efi"

It works quite well, but a bit more robust approach would be better.

jkufner, Dec 03 '18 22:12