Shell Makefile
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
debian
initramfs/post-update.d
kernel
tests
.gitignore
Makefile
README.md
shippable.yml
sicherboot
sicherboot.8.md
sicherboot.conf.in

README.md

systemd Secure boot integration

sicher*boot automatically installs systemd-boot and kernels for it into the ESP, signed with keys generated by it.

Run Status

SECURITY

The signing keys are stored unencrypted and only protected by the file system permissions. Thus, you should make sure that the file system they are stored (usually /etc) in is encrypted.

Setup

After installing sicherboot, you can adjust a number of settings in /etc/sicherboot.conf and should set a kernel commandline in /etc/kernel/cmdline.

Then run

sicherboot setup

to get started.

Limitations

  • Kernels and initramfs images must be named /boot/vmlinuz-<ver> and /boot/initrd.img-<ver>
  • Only a single ESP is supported.

Integrating with your package management

You want to run:

  • sicherboot bootctl update
    • whenever systemd is upgraded or installed
  • sicherboot install-kernel <ver>
    • when the kernel is installed and the initramfs was built
  • sicherboot remove-kernel <ver>
    • when the kernel shall be removed

As an example, kernel and initramfs contain integration with /etc/kernel and initramfs-tools. Install one of the kernel postinst.d scripts - the dracut one exists for dracut systems as a work around for dracut not supporting hooks.