[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Where are we with SB? What's missing?

On Fri, Oct 12, 2018 at 02:05:53AM +0100, Ben Hutchings wrote:
>On Thu, 2018-10-11 at 16:58 +0100, Steve McIntyre wrote:
>> On Sat, Oct 06, 2018 at 01:33:36PM +0200, Ansgar Burchardt wrote:
>[...]
>> > There are still two things I would like to look at:
>> > 
>> > Ben suggested adding an entry to the signing request to make sure we do
>> > never create a trust chain from the production key to any non-
>> > production key[1].  Though I wonder if the kernel really needs to have
>> > an embedded key at all?  On Ubuntu it seems to use the same set of keys
>> > already trusted by UEFI (including those enrolled by users).  This way
>> > DKMS modules can be signed by end users (after creating and enrolling a
>> > local signing key).
>> 
>> Pass. Ben?
>
>We don't currently have support for this in the kernel as it never
>landed upstream.  I think we should add it if it's being maintained.

OK. What's needed? Is this a blocker for us pre-Buster?

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"I suspect most samba developers are already technically insane... Of
 course, since many of them are Australians, you can't tell." -- Linus Torvalds
Reply to: