
PK/KEK for ovmf



hey,
  I just uploaded a new edk2 package that adds secureboot-ready images
to the ovmf package, with Microsoft's key pre-baked. This required
adding a PK/KEK key. Upstream recommends that this be a special key
that is not in our normal signing chains, and where the private half
is never saved[1].

I generated one myself in what I believe to be a secure manner
(freshly installed, airgapped system, private key output to
/dev/null). But wanted to check - is there a more appropriate entity
within Debian that should be generating such a key?

[1] https://salsa.debian.org/qemu-team/edk2/blob/debian/debian/PkKek-1.README

