Re: Bug#820036: No bug mentioning a Debian KEK and booting use it.
On Tue, Oct 18, 2016 at 07:52:13PM +0800, Paul Wise wrote:
>
> It was posted to bug #820036, which is tracking Debian support for
> secure boot. Peter was advocating quite correctly that as well as
> having our copy of shim (the first-stage bootloader on secure boot
> systems) signed by Microsoft, we should also have a copy signed by a
> Debian signing authority, so that users can theoretically choose to
> distrust the Microsoft key. IIRC, unfortunately in practice that is
> unlikely to be possible since various firmware blobs are only
> Microsoft-signed.
It's probably not possible for Debian to deal with this, but I could
imagine a user (perhaps someone who is using Debian for their entire
organization, etc.) who is willing to download firmware blobs from a
trusted source (e.g., directly from the vendor), and then verify the
Microsoft signature as a double check, and then resign it with their
own signing authority key.
To the extent that we could easily support this particular use case,
it might be a good thing. (I doubt Debian is going to want to get
into the business of verifying and then resigning firmware blobs.)
Cheers,
- Ted
Reply to: