Hi everyone,

the following patch intends to close a loophole in the secureboot boot chain.
By default, Debian Buster's initramfs drops the user to an interactive debug
shell in case of a severe error (e.g. rootfs cannot be mounted). This is
essentially a root shell and can be abused to tamper with the system. This
feature can be disabled by appending panic=0 to the kernel cmdline.

Kind regards,
Michael

Michael Adler (1):
  Secureboot: Disable initramfs debug shell

 wic/qemu-amd64-efibootguard-secureboot.wks | 2 ++
 wic/qemu-amd64-efibootguard.wks            | 2 ++
 wic/simatic-ipc227e-efibootguard.wks       | 2 ++
 wic/swupdate-partition.inc                 | 2 --
 4 files changed, 6 insertions(+), 2 deletions(-)

-- 
2.31.0
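An added example, not part of the original message or the patch: a shell check that each wic kickstart file sets panic= on the kernel command line, as the cover letter describes. It assumes the command line is passed through wic's `bootloader --append="..."`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit kernel command lines for a panic= parameter.
# Assumption: the .wks files set the command line via
#   bootloader ... --append="<kernel cmdline>"

# Return 0 if the command line in $1 carries a panic=<value> token.
# Matching a whole token avoids false hits such as softlockup_panic=1.
# Choice made for this example: an empty value (panic=) counts as not set.
has_panic_param() {
    case " $1 " in
        *[[:space:]]panic=[![:space:]]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the --append="..." value of every bootloader line in a .wks file.
wks_append() {
    sed -n 's/^[[:space:]]*bootloader[[:space:]].*--append="\([^"]*\)".*/\1/p' "$1"
}

# Return 0 only if the file has a bootloader line and each one sets panic=.
audit_wks() {
    appends=$(wks_append "$1")
    if [ -z "$appends" ]; then
        echo "FAIL $1: no bootloader --append found"
        return 1
    fi
    rc=0
    while IFS= read -r line; do
        if has_panic_param "$line"; then
            echo "OK   $1: $line"
        else
            echo "FAIL $1: panic= missing in: $line"
            rc=1
        fi
    done <<EOF
$appends
EOF
    return $rc
}
```

On a booted target the same token check can be applied to the running kernel with `has_panic_param "$(cat /proc/cmdline)"`.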