Linux kernel hacker and maintainer etc.

OpenPGP: 3AB05486C7752FE1
OK and how does saying that help anyone?
0
0
0
@esmil Yep, it would be possible but overall it is more robust to pass it, so I guess cmdline is actually, in my case, a legit reason to use systemd-boot...
0
0
0

@cherti I don’t know, that’s why I’m asking.

In order to attest correctly it should:

  1. Get CPU attestation packed into certificate periodically from the service.
  2. Compare this certificate against Intel CA.

Please show where these steps are done because I’m interested…

0
0
0
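As an added, constructed example (not code from this thread or from Signal), the following Go program implements the two client-side checks listed above: the certificate carrying the attestation must chain to a pinned root, and it must be fresh enough that a stale one is re-fetched from the service. The "Constructed Root CA", the "attestation-service" name and the one-hour freshness window are assumptions standing in for the real Intel CA and service.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// VerifyAttestationCert: the leaf must chain to the pinned root (step 2) and be issued within maxAge (step 1).
func VerifyAttestationCert(leaf, root *x509.Certificate, now time.Time, maxAge time.Duration) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return err // unknown or wrong root: the attestation inside must not be trusted
	}
	if now.Sub(leaf.NotBefore) > maxAge {
		return errors.New("attestation certificate is stale; fetch a fresh one from the service")
	}
	return nil
}

// Demo builds a constructed root (stand-in for the vendor CA) and checks a fresh, a stale and an untrusted leaf.
func Demo() (fresh, stale, untrusted error) {
	now := time.Now()
	newKey := func() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
	issue := func(tmpl, parent *x509.Certificate, subject, signer ed25519.PrivateKey) *x509.Certificate {
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, subject.Public(), signer)
		if err != nil {
			panic(err)
		}
		c, _ := x509.ParseCertificate(der) // DER produced just above; parsing cannot fail
		return c
	}
	rootKey, otherKey, leafKey := newKey(), newKey(), newKey()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"}, NotBefore: now.Add(-time.Hour),
		NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root := issue(caTmpl, caTmpl, rootKey, rootKey)
	other := issue(caTmpl, caTmpl, otherKey, otherKey) // same name, unrelated key: must not be trusted
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "attestation-service"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(24 * time.Hour)}
	leaf := issue(leafTmpl, root, leafKey, rootKey)
	fresh = VerifyAttestationCert(leaf, root, now, time.Hour)
	stale = VerifyAttestationCert(leaf, root, now.Add(2*time.Hour), time.Hour)
	untrusted = VerifyAttestationCert(leaf, other, now, time.Hour)
	return fresh, stale, untrusted
}
```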

Looking of surface better:

Extracting /EFI/BOOT/BOOTX64.EFI to tmp/EFI/BOOT/BOOTX64.EFI
Extracting /bzImage to tmp/bzImage
Extracting /LOADER/loader.conf to tmp/LOADER/loader.conf
Extracting /LOADER/ENTRIES/buildroot.conf to tmp/LOADER/ENTRIES/buildroot.conf
0
0
0
@esmil Thanks for your insights! Appreciate it.
0
0
1
@esmil I could actually do this without grub and without systemd-boot but I want to emulate the full stack for robustness' sake. I.e. I could just rename bzImage as BOOTx64.efi and place it in the correct location...
2
0
0
@esmil Yeah, in my case kernel-install is not useful because I build rootfs as part of the kernel build itself :-) But keeping the build as minimal as possible is a good goal for sure.
2
0
0
@esmil I do have file systems in BuildRoot which I do not want to get rid of :-) I.e. I have a separate ESP and rootfs.

But dropping the dependency from my build makes more sense.

BTW, grub-efi is just an EFI application so in that sense there is zero difference. It is more related to the fatness of the stack.

And if you just want to boot a kernel without a rootfs, why would you even bother using systemd-boot? You can just as well compile the EFI stub into the kernel image... So systemd-boot would be useless cruft in such a scenario. Just rename bzImage as BOOTx64.efi and you're set. Linux *is* an EFI application.

Anyway, I'll go with systemd-boot because I need to build less by doing that :-)
1
0
0

Right this tells me everything:

$ fatcat efi-part.vfat -x tmp 
Extracting /EFI/BOOT/BOOTX64.EFI to tmp/EFI/BOOT/BOOTX64.EFI
Extracting /bzImage to tmp/bzImage

I don’t know if there is any more modern tool for this but this is sometimes useful: https://github.com/Gregwar/fatcat

1
0
0

Jarkko Sakkinen

I'm re-formalizing my question because I could be wrong too

Using any form of the #Signal App, is it possible to get the #SGX #attestation of contact discovery back to the client and view the certificate, or how does it benefit the end user?

Or is it possible from the client to get this attestation using the raw protocol that the app uses?
0
0
0

Jarkko Sakkinen

Edited 1 year ago

Actually not yet too successful booting my #BuildRoot image with systemd-boot. With grub-efi I got to the login.

EDIT: I think I got it and it is pretty obvious. I’m still deploying GRUB style configs when I construct the disk image with genimage, so I just fix them up as systemd boot style configs (found a reference for that).

So I just follow along [1] and cross my fingers ;-) I think it is a good exercise to build a systemd image from scratch, from boot to user space, in all cases.

[1] https://www.freedesktop.org/wiki/Software/systemd/systemd-boot/

1
0
0

Jarkko Sakkinen

Edited 1 year ago

The summary of #systemd #spam of today:

  1. I got it fully working for my #BuildRoot image build.
  2. It boots with no errors.
  3. Compilation time is still not much different than with #Busybox.
  4. Uses now systemd-boot instead of GRUB (thanks @vathpela for comments).
  5. Uses systemd version 254. Plan is to get in phase.
  6. For BuildRoot, uses the master branch of: https://gitlab.com/jarkkojs/linux-tpmdd-test

I “systemd” re-initiated the history of my test repository: https://gitlab.com/jarkkojs/linux-tpmdd-test. From now on I commit to keeping proper versions of this :-) It had no forks so far, so I’m the only person who had consequences from that action.

0
0
1
@vathpela One pleasant surprise is that changing to systemd from busybox with a stripped down configuration does not cause any significant increase in compilation time of the image. So I can stick to this configuration from now on and improve it :-)

Also it is a huge benefit that I now generate a single img file that QEMU can host or that I can burn to a USB stick and run tests on real hardware. So I guess I'm a happy systemd user then...
0
0
0
@vathpela Anyway, I think I'll switch to systemd-boot in my kernel testing environment based on "less dependencies" :-) I.e. a measurable benefit for the use case.
1
0
0
@vathpela So, I'm now generating a 2GB UEFI bootable image from BuildRoot recipes based on GRUB2. Previously based on busybox. So this is the context, to be more specific. I don't care how my distribution works as long as I don't have to touch it :-)

I have no idea what "systemd-stub" even is (first time I'm hearing the word), but I guess in my use case using systemd-boot could decrease the turn-over time in compilation by decreasing dependencies. I compile a full operating system image from scratch when I do kernel development, not just the kernel image, so decreasing that is already a benefit.
1
0
0
LOL, apparently this feature was merged already in 2015. Heard of it for the first time this year...
0
0
0

Jarkko Sakkinen

What is the advantage of systemd-boot over GRUB2? #systemd #grub #grub2
3
0
0
Right now I'm on systemd 254 but it should not be hard to get in phase with the latest release from this point forward.
0
0
0
Fully works!! Screenshot taken from my MacBook Pro ;-) QEMU running on my PC workstation:
1
1
0

Jarkko Sakkinen

Edited 1 year ago
Functionality of that tool looks great though. I just wrote down a quick analysis of the TPM2 part here for me as a reminder ;-) It also does FIDO2 which is great.
0
0
0