Re: Where are we with SB? What's missing?
On Fri, Oct 12, 2018 at 02:05:53AM +0100, Ben Hutchings wrote:
>On Thu, 2018-10-11 at 16:58 +0100, Steve McIntyre wrote:
>> On Sat, Oct 06, 2018 at 01:33:36PM +0200, Ansgar Burchardt wrote:
>> > There are still two things I would like to look at:
>> > Ben suggested adding an entry to the signing request to make sure we do
>> > never create a trust chain from the production key to any non-
>> > production key. Though I wonder if the kernel really needs to have
>> > an embedded key at all? On Ubuntu it seems to use the same set of keys
>> > already trusted by UEFI (including those enrolled by users). This way
>> > DKMS modules can be signed by end users (after creating and enrolling a
>> > local signing key).
>> Pass. Ben?
>We don't currently have support for this in the kernel as it never
>landed upstream. I think we should add it if it's being maintained.
OK. What's needed? Is this a blocker for us pre-Buster?
Steve McIntyre, Cambridge, UK. firstname.lastname@example.org
"I suspect most samba developers are already technically insane... Of
course, since many of them are Australians, you can't tell." -- Linus Torvalds