What are we thinking?
1 Like
We don’t currently have any plans to implement that by default but you can certainly do that on your system.
The instructions are here:
https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Fully_automated_unified_kernel_generation_and_signing_with_sbupdate
Oh, I know you can setup UKI, secure boot and TPM yourself. I thought this was more of an unified project, perhaps I misunderstood? 
If you want to understand and setup the trusted boot: “Secure boot + TPM + LUKS”, see HowTo that is for any Arch based distros. but I’m not a fan of it.
What does a random article on the internet have to do with EndeavourOS?
The problem ATM is there isn’t really any way to verify the system from boot til user space. The closest you can get is full disk encryption with a signed UKI containing a signed kernel and signing the bootloader.
I think if you’re looking to have a fully verified system it’ll have to work like Android. Youll need signed kernel, initramfs, bootloader, etc with the filesystem also verified. It’ll require an immutable system like silver blue using verity because I don’t see a realistic way to accomplish it on most linux distros.
I’m all for the possibility of being able to have a trustable and verifiable system but its a bit away still for linux
2 Likes
I thought posts in this category didn’t have to be about EndeavourOS; sorry if I am mistaken.
Also, I don’t think this is a random article, as its writer is the creator of systemd. I would expect more corporate-based (?) distros like Ubuntu and Fedora to implement this when it is ready. So I wanted to ask for the community’s opinion.
1 Like
People get really aggressive any time Lennart Poettering is discussed.
He has different ideas from many in regards to linux on top of the linux community being frequently anti change to the point of some threatening death.
While the EOS community is generally pretty open/diverse, don’t be surprised when LP is involved if things get rough.
1 Like