[systemd-devel] Prevent firmware from falling back to next EFI boot option on secure boot failure?

Daniel Harms jdharms at gmail.com
Mon Nov 28 14:29:35 UTC 2022


Wanted to follow up on this--was away from my desk because of holidays
in the US.  I did open an issue on github:
https://github.com/systemd/systemd/issues/25548

Thank you for your help here, Lennart.

Thanks,

--Daniel

On Wed, Nov 23, 2022 at 12:32 PM Lennart Poettering
<lennart at poettering.net> wrote:
>
> On Mi, 23.11.22 17:56, Lennart Poettering (lennart at poettering.net) wrote:
>
> > > If this is a bug, I'd be willing to attempt a pull request submission
> > > if a suggested fix is given.  Overall we like the functionality
> > > sd-boot provides and the integration with systemd, but this is likely
> > > a hard requirement for our use case.
> >
> > Yes please file an issue on github first, and this does sound a lot
> > like something we should fix, hence a PR that addresses this would be
> > more than welcome, too.
>
> BTW, I think we should treat an EFI binary like a system we can't boot
> as per the boot assessment logic. i.e. whenever we fail to invoke a
> binary (regardless if the reason is the security check or something
> else), then we should count down it's counters, and then stop using it
> once it hits zero.
>
> i.e. i think this should hook into the logic described in
> https://systemd.io/AUTOMATIC_BOOT_ASSESSMENT
>
> Lennart
>
> --
> Lennart Poettering, Berlin


More information about the systemd-devel mailing list