On Tue, 2013-08-13 at 23:38 +0200, Cyril Brulebois wrote:
[...]
> > 4. The kernel team may also need to upload kernel images for signing and
> > add linux-image-signed packages with the Debian-signed kernel images.
> > This is because some quirks in the kernel should be run before calling
> > ExitBootServices().
>
> (Sorry, I'm new to all this) do you mean (1) the regular linux image
> packages are getting a signature added, and we're using those like we do
> today, or (2) that we'll have additional linux image packages with the
> signatures to be used instead of the usual linux image packages when a
> Secure Boot environment is detected? (or (3) something else…)
[...]

Signing of EFI executables (aside from MS signature on shim) would be done by dak and would require manual intervention from the FTP team.

Editing of binary packages is icky, so that's not part of the plan. Instead, after dak signs an executable, the package maintainer downloads and copies those into a separate 'source' package, which has a trivial debian/rules. (And of course will generate an appropriate 'Built-Using' header.)

I suppose GRUB's Linux configuration generator will also need to prefer a signed vmlinuz (whatever name it gets) to the unsigned version.

Ben.

-- 
Ben Hutchings
Any smoothly functioning technology is indistinguishable from a rigged demo.