
Re: Where are we with SB? What's missing?
On Tue, 2018-10-30 at 01:26 +0000, Steve McIntyre wrote:
> On Fri, Oct 12, 2018 at 02:05:53AM +0100, Ben Hutchings wrote:
> > On Thu, 2018-10-11 at 16:58 +0100, Steve McIntyre wrote:
> > > On Sat, Oct 06, 2018 at 01:33:36PM +0200, Ansgar Burchardt wrote:
> > [...]
> > > > There are still two things I would like to look at:
> > > > 
> > > > Ben suggested adding an entry to the signing request to make sure we
> > > > never create a trust chain from the production key to any non-
> > > > production key[1].  Though I wonder if the kernel really needs to have
> > > > an embedded key at all?  On Ubuntu it seems to use the same set of keys
> > > > already trusted by UEFI (including those enrolled by users).  This way
> > > > DKMS modules can be signed by end users (after creating and enrolling a
> > > > local signing key).
> > > 
> > > Pass. Ben?
> > 
> > We don't currently have support for this in the kernel as it never
> > landed upstream.  I think we should add it if it's being maintained.
> 
> OK. What's needed? Is this a blocker for us pre-Buster?

No, it's not a blocker.

Without this, people using out-of-tree modules will still have to
disable Secure Boot, the same as now.  The modules will also have the
"unsigned" taint flag, but they already have the "out-of-tree" taint
flag.  So these users should be no worse off than they are now.

Ben.

-- 
Ben Hutchings
Absolutum obsoletum. (If it works, it's out of date.) - Stafford Beer
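The taint flags Ben refers to are bits in the kernel's taint mask, readable from /proc/sys/kernel/tainted: bit 12 ("O") is set once an out-of-tree module has been loaded and bit 13 ("E") once an unsigned module has been loaded. The script below is an added example, not code from the thread or from Debian; it decodes that mask so an administrator can see whether the situation Ben describes (out-of-tree and unsigned modules, Secure Boot turned off) applies on a given machine. It assumes the bit assignments documented in the kernel's Documentation/admin-guide/tainted-kernels.rst and the standard SecureBoot EFI variable name under /sys/firmware/efi/efivars; the value 12288 used as a fallback is a constructed sample (bits 12 and 13 set), not a value taken from any real system.

```shell
#!/bin/sh
# Added example (not from the mail thread): decode the kernel taint mask and
# report the Secure Boot state, to check whether out-of-tree ("O") or
# unsigned ("E") modules have been loaded on this host.

# taint_flag_name BIT: describe one taint bit (assumption: bit numbering as
# documented in the kernel's tainted-kernels.rst).
taint_flag_name() {
    case "$1" in
        0)  echo "G/P: proprietary module loaded" ;;
        1)  echo "F: module force-loaded" ;;
        2)  echo "S: SMP kernel on non-SMP-safe CPU" ;;
        3)  echo "R: module force-unloaded" ;;
        4)  echo "M: machine check exception" ;;
        5)  echo "B: bad page referenced" ;;
        6)  echo "U: taint requested by userspace" ;;
        7)  echo "D: kernel oopsed or paniced recently" ;;
        8)  echo "A: ACPI table overridden by user" ;;
        9)  echo "W: kernel warning issued" ;;
        10) echo "C: staging driver loaded" ;;
        11) echo "I: platform firmware workaround applied" ;;
        12) echo "O: out-of-tree module loaded" ;;
        13) echo "E: unsigned module loaded" ;;
        14) echo "L: soft lockup occurred" ;;
        15) echo "K: kernel live-patched" ;;
        16) echo "X: auxiliary taint (distribution-defined)" ;;
        17) echo "T: kernel built with struct randomization" ;;
        *)  echo "?: unknown taint bit" ;;
    esac
}

# decode_taint MASK: print "bit N <description>" for every bit set in MASK.
# Prints nothing for a clean kernel (mask 0).
decode_taint() {
    dt_mask=$1
    dt_bit=0
    while [ "$dt_mask" -ne 0 ]; do
        if [ $((dt_mask & 1)) -eq 1 ]; then
            echo "bit $dt_bit $(taint_flag_name "$dt_bit")"
        fi
        dt_mask=$((dt_mask >> 1))
        dt_bit=$((dt_bit + 1))
    done
}

# has_module_taint MASK: succeed if the out-of-tree (bit 12, 4096) or
# unsigned-module (bit 13, 8192) flag is set, i.e. the state Ben describes.
has_module_taint() {
    [ $(( $1 & 12288 )) -ne 0 ]
}

# secure_boot_state: read the SecureBoot EFI variable if the kernel exposes
# it. The first 4 bytes are variable attributes; the 5th byte is the value.
secure_boot_state() {
    sbvar=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
    if [ ! -r "$sbvar" ]; then
        echo "unknown (no EFI variable visible)"
        return 0
    fi
    case "$(od -An -t u1 -j 4 -N 1 "$sbvar" | tr -d ' ')" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# Use the live value on a Linux host; fall back to a constructed sample
# mask (bits 12 and 13 set: 4096 + 8192 = 12288) elsewhere.
if [ -r /proc/sys/kernel/tainted ]; then
    current_taint=$(cat /proc/sys/kernel/tainted)
else
    current_taint=12288   # constructed sample, not a real reading
fi

echo "Secure Boot: $(secure_boot_state)"
echo "Taint mask: $current_taint"
decode_taint "$current_taint"
if has_module_taint "$current_taint"; then
    echo "Out-of-tree and/or unsigned modules have been loaded."
fi
```

Running it on a system where someone has loaded a DKMS module with Secure Boot disabled typically shows both bit 12 and bit 13 set alongside "Secure Boot: disabled"; a stock Debian kernel on an untouched Secure Boot machine shows an empty decode and "enabled". The taint mask is sticky for the lifetime of the boot, so a set bit records that such a module was loaded at some point, not that it is still loaded.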