
Re: Updated Secure Boot docs in the wiki



On Sun, 2019-03-31 at 07:18 +0100, Steve McIntyre wrote:
> Hey folks,
> 
> I've extended and updated Lucas' initial SB page:
> 
>   https://wiki.debian.org/SecureBoot
> 
> to cover a lot more user-facing stuff. Please review...

Hi,

That looks great, thanks!

Just one minor note:

"This will block out-of-tree modules and DKMS-managed drivers like
binary !NVidia graphics drivers. Again, you will need to disable SB or
use and enrol your own key to make things work."

AFAIK enrolling your own key for kernel modules does not work in Debian as
of now, as the kernel does not import keys from DB/MOK into the keyring
at boot, so only keys embedded at the kernel's build time are used to
validate modules.

There's a patch to enable that feature shipped in Ubuntu/RHEL, and
IIRC something was proposed upstream but as of now nothing is merged:

https://lkml.org/lkml/2016/11/16/527
https://lkml.org/lkml/2018/2/28/1089

(I think Ubuntu/RHEL carry patches from the former set to enable this
feature)

-- 
Kind regards,
Luca Boccassi

