[systemd-devel] How to factory reset?

Andrei Borzenkov arvidjaar at gmail.com
Thu Mar 12 06:41:57 PDT 2015


On Thu, Mar 12, 2015 at 4:24 PM, David Herrmann <dh.herrmann at gmail.com> wrote:
> Hi
>
> On Thu, Mar 12, 2015 at 2:06 PM, Andrei Borzenkov <arvidjaar at gmail.com> wrote:
>> On Thu, Mar 12, 2015 at 1:30 PM, David Herrmann <dh.herrmann at gmail.com> wrote:
>>>>> With systemd-boot, there will be no config to sign:
>>>>>   https://harald.hoyer.xyz/2015/02/25/single-uefi-executable-for-kernelinitrdcmdline/
>>>>>
>>>>
>>>> How exactly does putting files in a container solve the problem that they
>>>> are not signed? This is not quite obvious from the blog post.
>>>
>>> The config/etc. snippets are now part of the _signed_ EFI binary,
>>> which is always verified by the firmware. Therefore, we don't need to
>>> verify the other snippets separately.
>>
>> Where does the signing key come from? Is this key generated by the user on
>> the end system and enrolled in firmware?
>
> This is the key used by EFI secure boot. We don't change the semantics
> in any way.
> (yes, the key can be provided by the machine owner and stored in
> firmware, please see EFI specs for information)
>

I know how secure boot works. You misunderstand the question.

initrd and cmdline are volatile and generated on the end-user system. So
your container must be signed on the end-user system. The end user obviously
does not have Microsoft or vendor private keys to sign your container,
so the end user must manage their own keys. Apparently, it is not quite as
simple, otherwise we would not need to invent shim in the first place.

So how do you envision signing of the container in practice?

