PK/KEK for ovmf
hey,
I just uploaded a new edk2 package that adds secureboot-ready images
to the ovmf package, with Microsoft's key pre-baked. This required
adding a PK/KEK key. Upstream recommends that this be a special key
that is not in our normal signing chains, and where the private half
is never saved[1].

I generated one myself in what I believe to be a secure manner
(freshly installed, airgapped system, private key output to
/dev/null). But wanted to check - is there a more appropriate entity
within Debian that should be generating such a key?

[1] https://salsa.debian.org/qemu-team/edk2/blob/debian/debian/PkKek-1.README