[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Plan of action for Secure Boot support

On Tue, 2013-08-13 at 23:38 +0200, Cyril Brulebois wrote:
> > 4. The kernel team may also need to upload kernel images for signing and
> > add linux-image-signed packages with the Debian-signed kernel images.
> > This is because some quirks in the kernel should be run before calling
> > ExitBootServices().
> (Sorry, I'm new to all this) do you mean (1) the regular linux image
> packages are getting a signature added, and we're using those like we do
> today, or (2) that we'll have additional linux image packages with the
> signatures to be used instead of the usual linux image packages when a
> Secure Boot environment is detected? (or (3) something else…)

Signing of EFI executables (aside from MS signature on shim) would be
done by dak and would require manual intervention from the FTP team.

Editing of binary packages is icky, so that's not part of the plan.
Instead, after dak signs an executable, the package maintainer downloads
and copies those into a separate 'source' package, which has a trivial
debian/rules.  (And of course will generate an appropriate 'Built-Using'

I suppose GRUB's Linux configuration generator will also need to prefer
a signed vmlinuz (whatever name it gets) to the unsigned version.


Ben Hutchings
Any smoothly functioning technology is indistinguishable from a rigged demo.

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: