diff options
| author | Luca Boccassi <bluca@debian.org> | 2023-10-11 00:08:23 +0200 |
|---|---|---|
| committer | Luca Boccassi <luca.boccassi@gmail.com> | 2023-10-11 11:33:38 +0200 |
| commit | 86f99bdbe1f4d10474b17919c066ecd25671ba90 (patch) | |
| tree | 63c519b22f86942b691e48d9bd399b419de84280 /src/boot | |
| parent | Merge pull request #29427 from ddstreet/cryptenroll_specify_handle_index (diff) | |
| download | systemd-86f99bdbe1f4d10474b17919c066ecd25671ba90.tar.xz systemd-86f99bdbe1f4d10474b17919c066ecd25671ba90.zip | |
docs: clarify difference between kernel stub and sd-stub in UEFI doc
Diffstat (limited to 'src/boot')
| -rw-r--r-- | src/boot/efi/UEFI_SECURITY.md | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/src/boot/efi/UEFI_SECURITY.md b/src/boot/efi/UEFI_SECURITY.md index 301104bd10..9f750d8e6b 100644 --- a/src/boot/efi/UEFI_SECURITY.md +++ b/src/boot/efi/UEFI_SECURITY.md @@ -4,6 +4,13 @@ PE binary, adding various features, `systemd-stub`. These components fully suppo this document will describe their security posture and how they comply with industry-standard expectations for UEFI SecureBoot workflows. +Note that `systemd-stub` is not the same, or an alternative, to the Linux kernel's own EFI stub. The kernel +stub's role is that of the fundamental entrypoint to kernel execution from UEFI mode, implementing the +modern Linux boot protocol. `systemd-stub` on the other hand loads various resources, including the kernel +image, via the EFI LoadImage/StartImage protocol (although it does support the legacy Linux boot protocol, +as a fallback for older kernels on x86). The purpose of `systemd-stub` is to provide additional features and +functionality for either or both `systemd-boot` and `systemd` (userspace). + ## Fundamental Security Design Goals The fundamental security design goals for these components are separation of security policy logic from the rest of the functionality, achieved by offloading security-critical tasks to the firmware or earlier stages |