
Re: How to revoke Debian kernels for secure boot



Hey all,

On Wed, Dec 13, 2023 at 10:18:40PM +0000, Dimitri John Ledkov wrote:
>At the moment the best options are:
>
>- rotate online signing key
>- build new shim with old signing key in vendorx (revoked ESL)
>- build new kernels with old signing key built-in revoked keyring
>
>This is to ensure that old shim & old kernel can boot or kexec new kernels.
>To ensure new shim cannot boot old kernels.
>To ensure that new kernels cannot kexec old kernels.

Yes, this is roughly what I was thinking too. Thanks for explaining it
well here. Something else we should *also* be doing is starting public
documentation on what changes we've made to signing over time,
tracking keys, revocations etc. so that:

 * users have a chance to understand what's changed and why
 * (being honest!) *developers* have a record so we can remember too

I'm not sure the wiki is the best place for this, but I'm also not
sure this should live on the main www.d.o either. Suggestions?

>This is revocation strategy used by Canonical Kernel Team for Ubuntu Kernels.

ACK, makes sense.

>There is no sbat for kernels yet (and/or nobody has yet started to use sbat for
>kernels).

It's a difficult thing to do, especially in light of significant
pushback from upstream developers.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"I can't ever sleep on planes ... call it irrational if you like, but I'm
 afraid I'll miss my stop" -- Vivek Das Mohapatra
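
The three steps quoted in the message above, modelled as an added example (not part of the original thread, and not Debian's or Canonical's code). It assumes both signing keys are issued under one CA that shim and the kernel embed as trust anchor; all names are constructed.

```python
from dataclasses import dataclass

# Constructed names; the thread names no certificates.
CA, OLD_KEY, NEW_KEY = "vendor-ca", "signing-key-old", "signing-key-new"
# Assumption: both online signing keys are issued under the same CA, which is
# what shim and the kernel embed as their trust anchor.
ISSUER = {OLD_KEY: CA, NEW_KEY: CA}

@dataclass(frozen=True)
class Component:
    name: str
    trusted: frozenset = frozenset({CA})
    revoked: frozenset = frozenset()   # shim: vendor dbx; kernel: built-in revoked keyring
    signed_by: str = ""                # set for kernels only

def accepts(verifier: Component, kernel: Component) -> bool:
    """True if `verifier` (a shim booting, or a kernel kexec'ing) would load `kernel`."""
    signer = kernel.signed_by
    if signer in verifier.revoked:     # revocation is checked first and always wins
        return False
    return signer in verifier.trusted or ISSUER.get(signer) in verifier.trusted

# Before the rotation: nothing revoked, kernel signed with the old key.
OLD_SHIM = Component("old shim")
OLD_KERNEL = Component("old kernel", signed_by=OLD_KEY)
# After the rotation: new key signs, old key is revoked in shim and in the kernel.
NEW_SHIM = Component("new shim", revoked=frozenset({OLD_KEY}))
NEW_KERNEL = Component("new kernel", signed_by=NEW_KEY, revoked=frozenset({OLD_KEY}))

def trust_matrix() -> dict:
    """Every (verifier, kernel) pair, covering shim boot and kexec."""
    verifiers = (OLD_SHIM, NEW_SHIM, OLD_KERNEL, NEW_KERNEL)
    return {(v.name, k.name): accepts(v, k)
            for v in verifiers for k in (OLD_KERNEL, NEW_KERNEL)}

if __name__ == "__main__":
    for (verifier, kernel), ok in trust_matrix().items():
        print(f"{verifier:10} -> {kernel:10} {'allowed' if ok else 'REFUSED'}")
```

The only refused pairs are new shim booting the old kernel and the new kernel kexec'ing the old kernel; an old shim or old kernel still accepts both, which is why old binaries remain usable as a first stage until they are revoked by other means.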

