
Re: Updating shim for buster



On Mon, Feb 11, 2019 at 10:05:20AM +0000, Luca Boccassi wrote:
>On Sun, 2019-02-10 at 21:52 -0800, Steve Langasek wrote:
>> On Mon, Feb 11, 2019 at 01:06:58AM +0000, Steve McIntyre wrote:
>> >
>> > Just one tiny thing missing that I was hoping for: add i386 to the
>> > arch list. We're wanting to get shim signed for all of amd64, arm64
>> > and i386 for Buster.
>> 
>> Ok, -2 uploaded with i386 enabled.  Cheers!
>
>Hello Steve,
>
>Thank you very much for your work!
>
>One question: last year Philipp did some work to have the shim source
>package build the templates required to make it work with our new
>signing infrastructure:
>
>https://salsa.debian.org/pmhahn/shim
>
>Instead of using the ephemeral, build-time generated key to sign FB and
>MoK, that allows to sign them using our CA.
>Among other things, this allows the build to be reproducible - which is
>an important aspect in my opinion, especially for a security-critical
>component like shim.
>
>What are your (and other folks on the list's) thoughts on this?

Ah, very good point - I'd thought about the signing setup and
mistakenly only considered the shim binary itself, which of course we
don't sign ourselves.

This is another piece that would be good to have. Steve - could you
look at this too please?

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"Because heaters aren't purple!" -- Catherine Pitt
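The reproducibility point Luca raises above (an ephemeral build-time key versus a stable CA key for signing fallback and MokManager) can be shown in a few dozen lines. The following is an added illustration written for this page, not code from the thread, from shim, or from Debian's signing infrastructure: it stands in for sbsign/Authenticode with plain RSA PKCS#1 v1.5 over SHA-256 on a constructed byte string, and it fingerprints the "shipped artifact" as the SHA-256 of image plus signature. Two builds keyed from the same CA key produce identical fingerprints; two builds that each generate their own key do not, even though every signature verifies.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed stand-in for the unsigned bytes of an image such as fbx64.efi;
// the real shim build produces a PE/COFF binary, which is irrelevant here.
var image = []byte("constructed stand-in for the unsigned fallback image")

// newKey generates a fresh RSA key, as an ephemeral build-time key would be.
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// signImage signs SHA-256(img) with RSA PKCS#1 v1.5. This padding scheme is
// deterministic: the same key and input always yield the same signature bytes.
// A probabilistic scheme (RSA-PSS with a random salt) would not be, and would
// break reproducibility even with a fixed key.
func signImage(key *rsa.PrivateKey, img []byte) []byte {
	h := sha256.Sum256(img)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// verifyImage checks a signature against the public half of the signing key.
func verifyImage(pub *rsa.PublicKey, img, sig []byte) bool {
	h := sha256.Sum256(img)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// buildArtifact returns the fingerprint of the signed artifact, i.e.
// SHA-256(image || signature), which is what a reproducibility check compares.
func buildArtifact(key *rsa.PrivateKey, img []byte) string {
	sig := signImage(key, img)
	sum := sha256.Sum256(append(append([]byte{}, img...), sig...))
	return hex.EncodeToString(sum[:])
}

// buildWithEphemeralKey models the current shim build: a new key per build.
func buildWithEphemeralKey(img []byte) string {
	return buildArtifact(newKey(), img)
}

// buildWithCAKey models signing with a long-lived CA key supplied to the build.
func buildWithCAKey(ca *rsa.PrivateKey, img []byte) string {
	return buildArtifact(ca, img)
}

func main() {
	ca := newKey()
	fmt.Println("CA-keyed build 1:   ", buildWithCAKey(ca, image))
	fmt.Println("CA-keyed build 2:   ", buildWithCAKey(ca, image))
	fmt.Println("ephemeral build 1:  ", buildWithEphemeralKey(image))
	fmt.Println("ephemeral build 2:  ", buildWithEphemeralKey(image))
}
```

The CA-keyed fingerprints match and the ephemeral ones differ, which is the whole argument: with an ephemeral key, a rebuild cannot be compared byte-for-byte against the archive, so an auditor cannot distinguish a legitimate rebuild from a tampered one by hashing alone.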