[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Secure boot signing infrastructure - feedback request


On 2017-10-05 02:57 PM, Helen Koike wrote:
> Hello all,
> As you probably already know, Debian doesn't support the Secure Boot
> chain yet.
> To support it we need to sign Grub and the Kernel with our key, so we
> are discussing the best infrastructure for this workflow.
> The first approach we had was to add a by-hand script in Dak as
> described here
> https://wiki.debian.org/SecureBoot#First_option:_by-hand_script_in_dak
> But this option wasn't well received by the ftpteam
> The second approach we have is to add some debhelper scripts (e.g
> dh_sign...) that will access a signing service which will sign the
> binaries with Debian's key.  We would use the dh_sign... helpers when
> making an extra binary package. buildd would then publish the -signed
> version of the package in the archives.
> Please see a more detailed explanation here
> https://wiki.debian.org/SecureBoot#Second_option:_use_buildd_.2B-_debhelper_instead_of_dak
> A current known issue with this approach is the NEW queue: it requires
> the maintainer to also upload binaries for an architecture on first
> upload, and these binaries are not rebuilt by the buildd ( see
> https://wiki.debian.org/SecureBoot#Issues ).
> I would like to know everyone's opinions about these approaches, if you
> agree to go forward with the second approach described above and how do
> we solve the NEW queue policy issue.
> Thanks
> Helen Koike
> _______________________________________________
> Pkg-grub-devel mailing list
> Pkg-grub-devel@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-grub-devel

Reply to: