Re: Where are we with SB? What's missing?
On Wed, 2018-12-05 at 03:40 +0000, Ben Hutchings wrote:
> On Tue, 2018-12-04 at 23:42 +0000, Steve McIntyre wrote:
> > > Have we tested that grub2 and linux do not allow loading unsigned
> > > kernels / modules? (AFAIK yes, but let's make sure.)
> > It's definitely worth making sure, yes.
> I haven't tested this recently in linux.
> Is it practicable to add and check the trust information I proposed at
> <https://wiki.debian.org/SecureBoot#Describing_the_trust_chain>? (This
> would need to be added to all template packages.)
As far as I understand this would contain one key for linux and an
empty list for all other packages for now?
Adding that check to the code signing service shouldn't be too hard; it
can be improved later. (I would like to be able to use different keys
eventually for key rollover or non-production keys for testing new