Re: EFI in Debian
Ben Hutchings <email@example.com> writes:
> 2. Upstream kernel support: when booted in Secure Boot mode, Linux would
> only load signed kernel modules and disable the various debug interfaces
> that allow code injection. I'm aware that David Howells, Matthew
> Garrett and others are working on this.
That makes dkms modules unusable when using secure boot. I guess we
would have to build binary packages for all supported kernel versions?
> 5. Key management policy. Similar issues to archive signing keys, but
> these keys also need to be available at build time. (a) Should they be
> held by package maintainers and/or the auto-builders for the relevant
> architectures? (b) sbuild and/or pbuilder will need to know how to
> inject them into the build environment for the relevant packages. (c)
> How do we handle key replacement when exploitable code needs to be
Do these need to be available when building the kernel packages or would
it be possible to have the signatures in a separate package? The latter
would allow moving the signing off the auto-builders and having either
a human maintainer or a dedicated system do so instead (so the
auto-builders would not need access to the keys). It would also allow
signing modules provided in the maintainer upload.