[systemd-devel] How to factory reset?

David Herrmann dh.herrmann at gmail.com
Thu Mar 12 06:24:10 PDT 2015


On Thu, Mar 12, 2015 at 2:06 PM, Andrei Borzenkov <arvidjaar at gmail.com> wrote:
> On Thu, Mar 12, 2015 at 1:30 PM, David Herrmann <dh.herrmann at gmail.com> wrote:
>>>> With systemd-boot, there will be no config to sign:
>>>>   https://harald.hoyer.xyz/2015/02/25/single-uefi-executable-for-kernelinitrdcmdline/
>>> How exactly putting files in a container solves the problem that they
>>> are not signed? This is not quite obvious from blog post.
>> The config/etc. snippets are now part of the _signed_ EFI binary,
>> which is always verified by the firmware. Therefore, we don't need to
>> verify the other snippets separately.
> Where signing key comes from? Is this key generated by user on end
> system and enrolled in firmware?

This is the key used by EFI secure boot. We don't change the semantics
in any way.
(yes, the key can be provided by the machine owner and stored in
firmware, please see EFI specs for information)


More information about the systemd-devel mailing list