[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Where are we with SB? What's missing?

Steve McIntyre writes:
> On Tue, Nov 27, 2018 at 08:50:16PM +0100, Bastian Blank wrote:
>>On Wed, Oct 31, 2018 at 03:39:01AM +0000, Ben Hutchings wrote:
>>> > OK. What's needed? Is this a blocker for us pre-Buster?
>>> No, it's not a blocker.
>>So we don't have any blockers.  What do we need to do for switching to
>>the production key?
> AFAICS now we need ftpmaster to turn this on. Luke/Ansgar - can we get
> an ETA please? Buster freeze is getting awfully close...

I think I have to give up on getting the secure boot service to run
properly unattended before that; but that can still happen later.
People might have to ping ftp-master when something needs to be signed
for a while.

Do any packages we sign (fwupd, fwupdate, grub2, linux) have hardcoded
keys they trust?  linux has one (the trusted key for signing modules).
Are there any other keys that need to be switched for production?

Have we tested that grub2 and linux do not allow loading unsigned
kernels / modules? (AFAIK yes, but let's make sure.)

Do fwupd, fwupdate have anything we need to test?  Do they allow loading
extensions or anything else that allows running arbitrary code?

Anything else we need to check?


Reply to: