Re: [Long] UEFI support
On Mon, Jan 09, 2012 at 04:29:12PM +0000, Tanguy Ortolo wrote:
> Wookey, 2012-01-09 15:04+0100:
> > I assume everyone here is aware of mjg's useful posts about the issue of
> > key-management in UEFI secure boot?
> > We need to do one of:
> > * get our bootloaders signed by something like the 'linuxfoundation key'
> > if such a thing gets widely installed,
> > * explain to users how to get the 'debian key' installed
> > * explain to users how to turn off secure boot.
> > * Get manufacturers to put the Debian key in machines for sale (or
> > just make them with Debian (or a derivative) pre-installed).
> Just as a reminder, we must be aware that GRUB images are generated
> locally on each host. Thus every user would have to have the secret key
> to sign their boot loader image.
Hmm, I might misunderstand this, but wouldn't just the grub binary need
to be signed? And this binary then would parse the grub.cfg file and
allow various kernels to boot.