
RE: Where are we with SB? What's missing?




> -----Original Message-----
> From: Ansgar Burchardt <ansgar@43-1.org>
> Sent: Tuesday, December 4, 2018 2:34 PM
> To: Steve McIntyre
> Cc: Bastian Blank; debian-efi@lists.debian.org; Luke Faraone
> Subject: Re: Where are we with SB? What's missing?
> 
> 
> 
> Steve McIntyre writes:
> > On Tue, Nov 27, 2018 at 08:50:16PM +0100, Bastian Blank wrote:
> >>On Wed, Oct 31, 2018 at 03:39:01AM +0000, Ben Hutchings wrote:
> >>> > OK. What's needed? Is this a blocker for us pre-Buster?
> >>> No, it's not a blocker.
> >>
> >>So we don't have any blockers.  What do we need to do for switching to
> >>the production key?
> >
> > AFAICS now we need ftpmaster to turn this on. Luke/Ansgar - can we get
> > an ETA please? Buster freeze is getting awfully close...
> 
> I think I have to give up on getting the secure boot service to run
> properly unattended before that; but that can still happen later.
> People might have to ping ftp-master when something needs to be signed
> for a while.
> 
> Do any packages we sign (fwupd, fwupdate, grub2, linux) have hardcoded
> keys they trust?  linux has one (the trusted key for signing modules).
> Are there any other keys that need to be switched for production?
> 
> Have we tested that grub2 and linux do not allow loading unsigned
> kernels / modules? (AFAIK yes, but let's make sure.)
> 
> Do fwupd, fwupdate have anything we need to test?  Do they allow loading
> extensions or anything else that allows running arbitrary code?

No they do not have hardcoded keys or extensions for running arbitrary code.

I think that someone with a supported Dell or Lenovo laptop can perform an upgrade
from LVFS and that should be sufficient.

> 
> Anything else we need to check?
> 
> Ansgar

