[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Long] UEFI support

On Mon, Jan 09, 2012 at 04:29:12PM +0000, Tanguy Ortolo wrote:
> Wookey, 2012-01-09 15:04+0100:
> > I assume evyone here is aware of mjg's useful posts about the issue of
> > key-management in UEFI secure boot?
> > 
> > We need to do one of:
> > 
> > * get our bootloaders signed by something like the 'linuxfoundation key'
> > if such a thing gets widely installed, 
> > * explain to users how to get the 'debian key' installed
> > * explain to users how to turn off secure boot.
> > * Get manufacturers to put the Debian key in machines for sale (or
> >  just make them with Debian(or a deriviative) pre-installed.
> Just as a reminder, we must be aware that GRUB images are generated
> locally on each host. Thus every user would have to have the secret key
> to sign their boot loader image.

Hmm, I might misunderstand this, but wouldn't just the grub binary need
to be signed? And this binary then would parse the grub.cfg file and
allow various kernels to boot.


Reply to: