[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: EFI in Debian

Hi,

Ben Hutchings <ben@decadent.org.uk> writes:
> 2. Upstream kernel support: when booted in Secure Boot mode, Linux would
> only load signed kernel modules and disable the various debug interfaces
> that allow code injection.  I'm aware that David Howells, Matthew
> Garrett and others are working on this.

That makes dkms modules unusable when using secure boot.  I guess we
would have to build binary packages for all supported kernel versions?

> 5. Key management policy.  Similar issues to archive signing keys, but
> these keys also need to be available at build time.  (a) Should they be
> held by package maintainers and/or the auto-builders for the relevant
> architectures?  (b) sbuild and/or pbuilder will need to know how to
> inject them into the build environment for the relevant packages.  (c)
> How do we handle key replacement when exploitable code needs to be
> blacklisted?

Do these need to be available when building the kernel packages or would
it be possible to have the signatures in a separate package?  The latter
would allow moving the signing off the auto-builders and having either
a human maintainer or a dedicated system do so instead (so the
auto-builders would not need access to the keys).  It would also allow
signing modules provided in the maintainer upload.

Ansgar
Reply to: