
Re: Plan of action for Secure Boot support

On Thu, 2014-08-14 at 23:38 +0200, Cyril Brulebois wrote:
> > 1. Colin Watson will prepare dak changes to support upload and
> > subsequent signing of EFI executables.  (This is an embedded, not
> > detached, signature.)
> > 
> > 2. Steve Langasek will prepare and upload a package of the 'shim' EFI
> > boot loader.  This will embed our own set of public keys
> > (corresponding to those used by dak) and can load any other EFI
> > executable signed by one of them.  Later, there will be a shim-signed
> > package containing the same executable with a Microsoft signature.
> > (This costs money and takes several days, but shim should require only
> > very infrequent changes.)
> > 
> > 3. Colin Watson will update the GRUB package to build a to-be-signed
> > monolithic EFI executable separate from the package.  Then he will add
> > a grub-signed package that includes the Debian-signed executable from
> > the archive.  This executable would be suitable for use on both
> > removable media and the installed system.
> > 
> > 4. The kernel team may also need to upload kernel images for signing
> > and add linux-image-signed packages with the Debian-signed kernel
> > images.  This is because some quirks in the kernel should be run
> > before calling ExitBootServices().
> 
> Could you please tell us whether anything changed during the past year?
> Is there any chance we could think of having SB in jessie, or should we
> consider it an unreasonable goal for this release and concentrate on
> other things?

So far as I know, no progress has been made on the above steps or any
alternate approach.


Ben Hutchings
Anthony's Law of Force: Don't force it, get a larger hammer.
