docs: clarify difference between kernel stub and sd-stub in UEFI doc

author Luca Boccassi <bluca@debian.org>

Tue, 10 Oct 2023 22:08:23 +0000 (23:08 +0100)

committer Luca Boccassi <luca.boccassi@gmail.com>

Wed, 11 Oct 2023 09:33:38 +0000 (10:33 +0100)
author Luca Boccassi <bluca@debian.org>
Tue, 10 Oct 2023 22:08:23 +0000 (23:08 +0100)
committer Luca Boccassi <luca.boccassi@gmail.com>
Wed, 11 Oct 2023 09:33:38 +0000 (10:33 +0100)
diff --git a/src/boot/efi/UEFI_SECURITY.md b/src/boot/efi/UEFI_SECURITY.md

index 301104bd10cc9c9e170b9dbff01caf971d73ce13..9f750d8e6be8249637a1193ea75bb6aafbd4a1fd 100644 (file)
--- a/src/boot/efi/UEFI_SECURITY.md
+++ b/src/boot/efi/UEFI_SECURITY.md
@@ -4,6 +4,13 @@ PE binary, adding various features, `systemd-stub`. These components fully suppo
  this document will describe their security posture and how they comply with industry-standard expectations
  for UEFI SecureBoot workflows.
  
+Note that `systemd-stub` is not the same, or an alternative, to the Linux kernel's own EFI stub. The kernel
+stub's role is that of the fundamental entrypoint to kernel execution from UEFI mode, implementing the
+modern Linux boot protocol. `systemd-stub` on the other hand loads various resources, including the kernel
+image, via the EFI LoadImage/StartImage protocol (although it does support the legacy Linux boot protocol,
+as a fallback for older kernels on x86). The purpose of `systemd-stub` is to provide additional features and
+functionality for either or both `systemd-boot` and `systemd` (userspace).
+
  ## Fundamental Security Design Goals
  The fundamental security design goals for these components are separation of security policy logic from the
  rest of the functionality, achieved by offloading security-critical tasks to the firmware or earlier stages
author	Luca Boccassi <bluca@debian.org>
	Tue, 10 Oct 2023 22:08:23 +0000 (23:08 +0100)
committer	Luca Boccassi <luca.boccassi@gmail.com>
	Wed, 11 Oct 2023 09:33:38 +0000 (10:33 +0100)