
Re: UEFI Secure Boot - the plan for stretch

On Tue, 2016-04-19 at 22:08 +0200, Tollef Fog Heen wrote:
> ]] Steve McIntyre 
> > 
> > This needs an RSA 2048 key. The process: we generate the key and the
> > self-signed certificate of the correct form, which is embedded in the
> > shim package that is then submitted to Microsoft. The signing request
> > requires obtaining an EV code-signing cert, and then this has to be
> > uploaded via Windows to Microsoft.
> > 
> > Tollef was organising an HSM (Yubikey $thing) to make this more
> > secure. Exact details on key management are yet TBD - we had
> > discussions about an N-of-M keyholder scheme similar-ish to what
> > Ubuntu do.
> 
> I've now gotten to the point of actually being able to sign binaries,
> with the key stored on a yubikey, so that's pretty promising.

Which kind of Yubikey are you using?  I have a Yubikey NEO, so if that
works the same way and you can provide instructions then I can update
the linux-signed signing script to work with them.


Ben Hutchings
Usenet is essentially a HUGE group of people passing notes in class.
                      - Rachel Kadel, `A Quick Guide to Newsgroup Etiquette'
