[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Long] UEFI support

On Mon, Jan 09, 2012 at 04:29:12PM +0000, Tanguy Ortolo wrote:
> Wookey, 2012-01-09 15:04+0100:
> > I assume evyone here is aware of mjg's useful posts about the issue of
> > key-management in UEFI secure boot?
> > 
> > We need to do one of:
> > 
> > * get our bootloaders signed by something like the 'linuxfoundation key'
> > if such a thing gets widely installed, 
> > * explain to users how to get the 'debian key' installed
> > * explain to users how to turn off secure boot.
> > * Get manufacturers to put the Debian key in machines for sale (or
> >  just make them with Debian(or a deriviative) pre-installed.
> 
> Just as a reminder, we must be aware that GRUB images are generated
> locally on each host. Thus every user would have to have the secret key
> to sign their boot loader image.

Hmm, I might misunderstand this, but wouldn't just the grub binary need
to be signed? And this binary then would parse the grub.cfg file and
allow various kernels to boot.

regards,
iustin
Reply to: