You are not logged in.
Hi.
As you know, systemd-boot with enabled editor is not secure because it allows to change kernel parameters. So most users disable it which is not convenient: sometimes you may need to change them to test something or for something else. So you need to edit entity configuration manually or temporarily enable editor.
I decided to modify it a little with password protection. Now every time you open the editor, boot manager will prompt you for password.
Password is stored as sha512 hash sum in loader.conf file:
password 09d07c5992ec79da5cc7dd6b…This behavior is similar to the way it's done in GRUB.
Of course it doesn't protect you from physical intervention to your disk or from not password-protected BIOS.
The installation method differs from familiar bootctl. Boot manager is installed with sbpctl bash script which simply copies binary to ESP directory:
# sbpctl install /boot/espAlso I've added a simple command to generate a hashsum from terminal — sbpctl generate.
You should also consider changing fmask to 0077 for ESP in /etc/fstab.
In 0.9.2.232 update from 2017-02-14 I've added some new features.
Now you can add all entries to loader.conf directly dividing them by empty line. And this file can be included to EFI binary as ".config" section so you can sign it for using with Secure Boot. Just place configuration file at /etc/sbp/loader.conf and install with --include command:
# sbpctl install --include /boot/esp"sbpctl standalone" can create a EFI application with included initramfs and Linux loader from systemd-boot stub. For example:
# sbpctl standalone /boot/initramfs-linux.img /boot/vmlinuz-linux /boot/esp/linux.efiThe "standalone" and "install" commands support automatic signing. You should place db.key and db.crt to /etc/sbp, install sbsigntools package and pass "--sign" command argument to sbpctl.
Source code: systemd-boot-password
AUR package: systemd-boot-password
I'm not good in low-level programming and cryptography, so I need your feedback for this.
Last edited by kitsunyan (2017-02-19 22:24:17)
Offline