On Tue, 2018-10-30 at 01:26 +0000, Steve McIntyre wrote:
> On Fri, Oct 12, 2018 at 02:05:53AM +0100, Ben Hutchings wrote:
> > On Thu, 2018-10-11 at 16:58 +0100, Steve McIntyre wrote:
> > > On Sat, Oct 06, 2018 at 01:33:36PM +0200, Ansgar Burchardt wrote:
> > [...]
> > > > There are still two things I would like to look at:
> > > >
> > > > Ben suggested adding an entry to the signing request to make sure we
> > > > never create a trust chain from the production key to any
> > > > non-production key[1]. Though I wonder if the kernel really needs to
> > > > have an embedded key at all? On Ubuntu it seems to use the same set
> > > > of keys already trusted by UEFI (including those enrolled by users).
> > > > This way DKMS modules can be signed by end users (after creating and
> > > > enrolling a local signing key).
> > >
> > > Pass. Ben?
> >
> > We don't currently have support for this in the kernel as it never
> > landed upstream. I think we should add it if it's being maintained.
>
> OK. What's needed? Is this a blocker for us pre-Buster?

No, it's not a blocker. Without this, people using out-of-tree modules
will still have to disable Secure Boot, the same as now. The modules
will also have the "unsigned" taint flag, but they already have the
"out-of-tree" taint flag. So these users should be no worse off than
they are now.

Ben.

--
Ben Hutchings
Absolutum obsoletum. (If it works, it's out of date.) - Stafford Beer
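The taint flags Ben mentions are visible to an administrator in /proc/sys/kernel/tainted (global bitmask) and /sys/module/<name>/taint (per-module letters). The following is an added example, not code from the thread or from Debian; the bit numbers follow the kernel's tainted-kernels documentation, and the module names and values in the sample snapshot are constructed.

```python
# Decode Linux kernel taint state to report out-of-tree ("O") and
# unsigned ("E") modules, i.e. the cases discussed in the thread.
import os

# Subset of global taint bits relevant to module signing.
# Bit numbers per Documentation/admin-guide/tainted-kernels.rst.
TAINT_BITS = {
    0: ("P", "proprietary module loaded"),
    1: ("F", "module force-loaded"),
    12: ("O", "out-of-tree module loaded"),
    13: ("E", "unsigned module loaded"),
}

def decode_tainted(value):
    """Return the taint letters (from TAINT_BITS) set in the bitmask."""
    return [letter for bit, (letter, _) in TAINT_BITS.items() if value & (1 << bit)]

def suspicious_modules(module_taints):
    """module_taints maps a module name to the text of /sys/module/<name>/taint.
    Returns a sorted list of (name, reasons) for modules that are out-of-tree
    and/or unsigned; both kinds still load when Secure Boot is disabled."""
    out = []
    for name, flags in module_taints.items():
        reasons = [TAINT_BITS[b][1] for b in (12, 13) if TAINT_BITS[b][0] in flags]
        if reasons:
            out.append((name, reasons))
    return sorted(out)

def collect_live():
    """Read the real values from this host (returns (None, {}) if unavailable)."""
    try:
        with open("/proc/sys/kernel/tainted") as f:
            tainted = int(f.read().strip())
        mods = {}
        for name in os.listdir("/sys/module"):
            path = os.path.join("/sys/module", name, "taint")
            if os.path.isfile(path):
                with open(path) as f:
                    mods[name] = f.read().strip()
        return tainted, mods
    except OSError:
        return None, {}

# Constructed sample: a host with one DKMS module loaded, Secure Boot off.
SAMPLE_TAINTED = (1 << 12) | (1 << 13)   # 12288, "O" and "E" set
SAMPLE_MODULE_TAINTS = {
    "ext4": "",                  # in-tree, signed: no per-module taint
    "example_dkms": "OE",        # hypothetical out-of-tree, unsigned module
    "vendor_blob": "PO",         # hypothetical proprietary out-of-tree module
}

if __name__ == "__main__":
    print(decode_tainted(SAMPLE_TAINTED), suspicious_modules(SAMPLE_MODULE_TAINTS))
```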