Re: UEFI Secure Boot - the plan for stretch

On Fri, 2016-04-01 at 14:35 +0100, Steve McIntyre wrote:
> So, can we have updates on anything that people have achieved so far
> please? Tollef told me that he's got somewhere with the Yubikey, so
> hopefully we can get going using that base?

Your message prompted me to get on with the linux package changes.
In my local branch I've enabled the option to check module signatures
and have applied Matthew Garrett's securelevel patches that disable
various means to modify kernel code, other than loading signed modules,
when Secure Boot is used.  I haven't yet applied the changes to support
OOT modules under SB by importing trusted keys from variables set by
shim.  (None of those patches are upstream, sadly.)

Initially I'll be using my own key pair for this and (presumably)
QEMU+OVMF to test.

As we want to provide reproducible *and* signed builds, kmod will need
to be changed to support either separate filenames for signed modules,
or detached signatures.  I implemented the latter some months back but
didn't have the other pieces to test with so haven't sent the patch
anywhere yet.

The linux-signed package from Ubuntu is not useful for us, as it does
not cover module signatures.  I only have a skeleton of this so far but
I'll get to work on it shortly.

...and the linux package has now built on amd64 with those changes.


Ben Hutchings
The two most common things in the universe are hydrogen and stupidity.

