
Secure boot signing infrastructure - feedback request

Hello all,

As you probably already know, Debian doesn't support the Secure Boot
chain yet.
To support it we need to sign Grub and the Kernel with our key, so we
are discussing the best infrastructure for this workflow.

The first approach we had was to add a by-hand script in Dak as
described here.
But this option wasn't well received by the ftpteam.

The second approach we have is to add some debhelper scripts (e.g.
dh_sign...) that will access a signing service which will sign the
binaries with Debian's key.  We would use the dh_sign... helpers when
making an extra binary package. buildd would then publish the -signed
version of the package in the archives.
Please see a more detailed explanation here.
A current known issue with this approach is the NEW queue: it requires
the maintainer to also upload binaries for an architecture on first
upload, and these binaries are not rebuilt by the buildd (see
https://wiki.debian.org/SecureBoot#Issues).

I would like to know everyone's opinions about these approaches, whether you
agree to go forward with the second approach described above, and how
we solve the NEW queue policy issue.

Helen Koike
