On Thu, 2014-08-14 at 23:38 +0200, Cyril Brulebois wrote: [...] > > 1. Colin Watson will prepare dak changes to support upload and > > subsequent signing of EFI executables. (This is an embedded, not > > detached, signature.) > > > > 2. Steve Langasek will prepare and upload a package of the 'shim' EFI > > boot loader. This will embed our own set of public keys > > (corresponding to those used by dak) and can load any other EFI > > executable signed by one of them. Later, there will be a shim-signed > > package containing the same executable with a Microsoft signature. > > (This costs money and takes several days, but shim should require only > > very infrequent changes.) > > > > 3. Colin Watson will update the GRUB package to build a to-be-signed > > monolithic EFI executable separate from the package. Then he will add > > a grub-signed package that includes the Debian-signed executable from > > the archive. This executable would be suitable for use on both > > removable media and the installed system. > > > > 4. The kernel team may also need to upload kernel images for signing > > and add linux-image-signed packages with the Debian-signed kernel > > images. This is because some quirks in the kernel should be run > > before calling ExitBootServices(). > > could you please tell us whether anything changed during the past year? > Is there any chance we could think of having SB in jessie, or should we > consider it an unreasonable goal for this release and concentrate on > other things? So far as I know, no progress has been made on the above steps or any alternate approach. Ben. -- Ben Hutchings Anthony's Law of Force: Don't force it, get a larger hammer.
Description: This is a digitally signed message part