andreyv / sbupdate

Generate and sign kernel images for UEFI Secure Boot on Arch Linux
GNU General Public License v3.0

Add option to skip signing the unified efi image #46

Closed: osimarr closed 2 years ago

osimarr commented 3 years ago

sbupdate is not only a helper to sign the EFI image, but also to manage and compose the unified kernel image. Systems that don't support Secure Boot can still benefit from it. This patch adds a config option to skip the EFI signature.

Signed-off-by: David Cohen <dacohen@pm.me>

Maryse47 commented 3 years ago

Out of curiosity: what are the benefits of unified kernel image without signature? Possibility of /boot encryption?

osimarr commented 3 years ago

> Out of curiosity: what are the benefits of unified kernel image without signature? Possibility of /boot encryption?

Boot encryption is my main reason. I use systemd-boot and don't need to create the extra efi/boot partition.

andreyv commented 2 years ago

Hi,

Image signing is the main task of sbupdate, so I think this feature is out of scope.

If you want to boot the kernel as a UEFI executable, you can use EFISTUB.

andreyv commented 2 years ago

Use mkinitcpio --uefi to create UEFI images without signing.