
Re: Bug#996202: EFI Secure Boot for systemd-boot



On Fri, 10 May 2024 at 15:51, Luca Boccassi <bluca@debian.org> wrote:
>
> On Fri, 10 May 2024 at 15:49, Steve McIntyre <steve@einval.com> wrote:
> >
> > On Fri, May 10, 2024 at 03:44:35PM +0100, Luca Boccassi wrote:
> > >On Fri, 10 May 2024 at 15:36, Steve McIntyre <steve@einval.com> wrote:
> > >> On Fri, May 10, 2024 at 04:29:00PM +0200, Ansgar 🙀 wrote:
> > >>
> > >> >Maybe we should use a non-trusted cert for the initial setup and only
> > >> >switch to a proper cert once everything is confirmed to be working as
> > >> >expected?
> > >>
> > >> Hmmm, maybe? Luca?
> > >
> > >What do you mean precisely here? A DSA-managed cert used by FTP to
> > >sign but that doesn't chain to the Debian CA? Or to do something
> > >completely local to the systemd-boot package?
> >
> > Exactly the former - we can use a test key for signing systemd-boot to
> > start with. Once we're happy all round, we can switch to a cert in the
> > chain.
> >
> > >I am fine with any approach that lets us move forward, if that needs
> > >to be some intermediate testing stage that's fine by me.
> >
> > Cool.
>
> Ok, sounds good to me, thanks.
>
> DSA, now that FTP Team has acked with this suggestion to use a test
> cert first, are you happy to proceed or is there anything else you
> need from me? Thanks!

As suggested by DSA, I filed a ticket on RT about this:

https://rt.debian.org/Ticket/Display.html?id=9506

