
Re: How to revoke Debian kernels for secure boot



At the moment the best options are:

- rotate the online signing key
- build a new shim with the old signing key in vendorx (revoked ESL)
- build new kernels with the old signing key in the built-in revoked keyring

This is to ensure that the old shim and old kernels can boot or kexec new kernels,
that the new shim cannot boot old kernels,
and that new kernels cannot kexec old kernels.

This is the revocation strategy used by the Canonical Kernel Team for Ubuntu kernels.

There is no sbat for kernels yet (and/or nobody has yet started to use sbat for kernels).

On Wed, 13 Dec 2023, 22:04 Bastian Blank, <waldi@debian.org> wrote:
Hi

I don't think we currently have a documented way to revoke old kernels
for secure boot.  Are there known plans by other distributions?  Or
should we just force the inclusion of SBAT and use it as intended?

Regards,
Bastian

--
... The prejudices people feel about each other disappear when they get
to know each other.
                -- Kirk, "Elaan of Troyius", stardate 4372.5
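The shim half of the strategy in the first message (the "old signing key in vendorx (revoked ESL)" step, i.e. the revoked list shim embeds as its vendor dbx) comes down to producing an EFI_SIGNATURE_LIST blob that contains the retired certificate. The example below is added here and is not code from either poster or from the shim or Debian/Ubuntu projects; it builds such a blob with the standard library only and parses it back the way a loader would when deciding whether a signer is revoked. The certificate bytes, the owner GUID and the image hash are constructed stand-ins (a real list holds the old key's actual X.509 DER), and the match logic is deliberately simplified: shim checks whether the image's Authenticode signature chains to an X509 dbx entry and compares SHA256 entries against the Authenticode PE hash, whereas this code matches the signer certificate byte-for-byte and takes the image hash as given.

```python
"""Build and check an EFI_SIGNATURE_LIST (ESL) chain of the kind a shim build
embeds as its vendor dbx. Added example, stdlib only; cert bytes are stand-ins."""
import hashlib
import struct
import uuid
from typing import Iterable, Iterator, Optional, Tuple

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# SignatureOwner for every entry. Hypothetical value for this example; a distro
# build would normally use its own owner GUID (any GUID is accepted).
OWNER_GUID = uuid.UUID("00000000-0000-0000-0000-000000000000")

# Constructed stand-ins for the DER encoding of the retired (old) and current
# (new) signing certificates. Not real certificates; only the bytes matter here.
OLD_SIGNING_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))
NEW_SIGNING_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(255, -1, -1))
# Constructed stand-in for the hash of one specific old kernel image.
OLD_KERNEL_IMAGE_HASH = hashlib.sha256(b"constructed stand-in for an old kernel image").digest()


def _esl(sig_type: uuid.UUID, entries: list) -> bytes:
    """Encode one EFI_SIGNATURE_LIST (all fields little-endian):
      SignatureType       EFI_GUID (16)
      SignatureListSize   UINT32   whole list including this header
      SignatureHeaderSize UINT32   0 for X509 and SHA256 lists
      SignatureSize       UINT32   per entry: 16 (owner GUID) + data length
      entries             EFI_SIGNATURE_DATA = SignatureOwner (16) + SignatureData
    Every entry in one list has the same SignatureSize, so certificates of
    different lengths each need their own list."""
    if not entries:
        raise ValueError("empty signature list")
    data_len = len(entries[0])
    if any(len(e) != data_len for e in entries):
        raise ValueError("entries in one ESL must have the same size")
    sig_size = 16 + data_len
    list_size = 28 + sig_size * len(entries)
    body = b"".join(OWNER_GUID.bytes_le + e for e in entries)
    return sig_type.bytes_le + struct.pack("<III", list_size, 0, sig_size) + body


def build_vendor_dbx(revoked_certs_der: Iterable[bytes],
                     revoked_image_hashes: Iterable[bytes] = ()) -> bytes:
    """One X509 list per revoked certificate, plus one SHA256 list of image hashes."""
    out = b"".join(_esl(EFI_CERT_X509_GUID, [c]) for c in revoked_certs_der)
    hashes = list(revoked_image_hashes)
    if hashes:
        out += _esl(EFI_CERT_SHA256_GUID, hashes)
    return out


def iter_esl(blob: bytes) -> Iterator[Tuple[uuid.UUID, bytes]]:
    """Yield (SignatureType, SignatureData) for every entry in a chain of ESLs,
    rejecting truncated or inconsistent lists instead of reading past them."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated ESL header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size < 16:
            raise ValueError("bad SignatureSize")
        pos, end = off + 28 + hdr_size, off + list_size
        if (end - pos) % sig_size:
            raise ValueError("entry area is not a multiple of SignatureSize")
        while pos < end:
            yield sig_type, blob[pos + 16:pos + sig_size]   # skip SignatureOwner
            pos += sig_size
        off = end


def is_revoked(vendor_dbx: bytes, signer_cert_der: Optional[bytes],
               image_hash: Optional[bytes] = None) -> bool:
    """Simplified dbx decision: revoked if the signer's certificate is listed as
    an X509 entry, or the image's hash is listed as a SHA256 entry."""
    for sig_type, data in iter_esl(vendor_dbx):
        if sig_type == EFI_CERT_X509_GUID and data == signer_cert_der:
            return True
        if sig_type == EFI_CERT_SHA256_GUID and image_hash is not None and data == image_hash:
            return True
    return False


def demo() -> dict:
    """Build the dbx for the key rotation and evaluate old and new signers."""
    dbx = build_vendor_dbx([OLD_SIGNING_CERT_DER], [OLD_KERNEL_IMAGE_HASH])
    return {
        "dbx_len": len(dbx),
        "entries": len(list(iter_esl(dbx))),
        "old_key_revoked": is_revoked(dbx, OLD_SIGNING_CERT_DER),
        "new_key_revoked": is_revoked(dbx, NEW_SIGNING_CERT_DER),
        "old_image_revoked": is_revoked(dbx, NEW_SIGNING_CERT_DER, OLD_KERNEL_IMAGE_HASH),
    }


if __name__ == "__main__":
    print(demo())
```

The resulting blob is what shim's build takes via its VENDOR_DBX_FILE make variable, so a shim built this way refuses anything still signed by the old key while the old shim, which has no such entry, keeps booting new kernels signed by the rotated key. The kernel half of the same strategy (the third bullet in the first message) does not use an ESL at all: the kernel's CONFIG_SYSTEM_REVOCATION_KEYS option takes a PEM bundle of certificates whose hashes are loaded into the built-in blacklist keyring, which is what blocks kexec of images signed by the old key.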

