[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian MS Secure Boot and derivatives Aug 2018 status


Am 15.08.2018 um 22:37 schrieb adrian15:
> Steve McIntyre said on the 2015 MiniDebconfCambridge that derivatives
> could gather from Debian asking Microsoft to sign/authorize Debian's
> shim for Secure Boot.
> Something like, If you take grub and kernel packages from Debian your
> Debian derivative will support Secure Boot.
> Here it is:
> https://mirror.netcologne.de/debian-video/2015/mini-debconf-cambridge/webm/uefi_and_debian_next_steps.webm
>  ( 39:05 )
> I have recently watched the Debconf18 talk about UEFI and I remember
> something like these packages being affected:
> shim, fwupd, grub2, kernel, "kernel modules", systemd-boot(?)
> BTW, I haved added "kernel modules" because Ben Hutchings mentioned. I
> guess that 'kernel' in that slide meant: Most every binary package built
> from kernel source package.
> And here it is:
> https://mirror.netcologne.de/debian-video/2018/DebConf18/2018-07-31/report-from-the-debian-efi-team-about-th.webm
> (25:09)
> So I just want to be sure if an statement like:
> "If you recycle original shim, fwupd, grub, kernel and "kernel modules",
> systemd-boot(?) signed packages from official Debian your derivative
> will support Secure Boot"
> is still true nowadays.

You have to take the complete chain from Debian, that is "shim" + "grub"
+ "linux-kenrel" (and its modules). That chain is signed.
What comes after that you're free to change, starting with the content
of the Initial RAM disk, init system, services, ...

At least that is the plan, which still looks true.


Reply to: