On Fri, 2016-04-01 at 14:35 +0100, Steve McIntyre wrote: [...] > So, can we have updates on anything that people have achieved so far > please? Tollef told me that he's got somewhere with the Yubikey, so > hopefully we can get going using that base? Your message prompted me to get on with the linux package changes. In my local branch I've enable the option to check module signatures and have applied Matthew Garrett's securelevel patches that disable various means to modify kernel code, other than loading signed modules, when Secure Boot is used. I haven't yet applied the changes to support OOT modules under SB by importing trusted keys from variables set by shim. (None of those patches are upstream, sadly.) Initially I'll be using my own key pair for this and (presumably) QEMU+OVMF to test. As we want to provide reproducible *and* signed builds, kmod will need to be changed to support either separate filenames for signed modules, or detached signatures. I implemented the latter some months back but didn't have the other pieces to test with so haven't sent the patch anywhere yet. The linux-signed package from Ubuntu is not useful for us, as it does not cover module signatures. I only have a skeleton of this so far but I'll get to work on it shortly. ...and the linux package has now built on amd64 with those changes. Ben. -- Ben Hutchings The two most common things in the universe are hydrogen and stupidity.
Attachment:
signature.asc
Description: This is a digitally signed message part