Re: UEFI Secure Boot - the plan for stretch
On Sun, Apr 03, 2016 at 01:51:38PM +0100, Ben Hutchings wrote:
>On Fri, 2016-04-01 at 14:35 +0100, Steve McIntyre wrote:
>> So, can we have updates on anything that people have achieved so far
>> please? Tollef told me that he's got somewhere with the Yubikey, so
>> hopefully we can get going using that base?
>Your message prompted me to get on with the linux package changes.
>In my local branch I've enable the option to check module signatures
>and have applied Matthew Garrett's securelevel patches that disable
>various means to modify kernel code, other than loading signed modules,
>when Secure Boot is used. I haven't yet applied the changes to support
>OOT modules under SB by importing trusted keys from variables set by
>shim. (None of those patches are upstream, sadly.)
>Initially I'll be using my own key pair for this and (presumably)
>QEMU+OVMF to test.
>As we want to provide reproducible *and* signed builds, kmod will need
>to be changed to support either separate filenames for signed modules,
>or detached signatures. I implemented the latter some months back but
>didn't have the other pieces to test with so haven't sent the patch
>The linux-signed package from Ubuntu is not useful for us, as it does
>not cover module signatures. I only have a skeleton of this so far but
>I'll get to work on it shortly.
>...and the linux package has now built on amd64 with those changes.
Steve McIntyre, Cambridge, UK. email@example.com
"I used to be the first kid on the block wanting a cranial implant,
now I want to be the first with a cranial firewall. " -- Charlie Stross