[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Plan of action for Secure Boot support

On Wed, Jan 08, 2014 at 08:31:11AM +0100, Florian Weimer wrote:
> Furthermore, we need to store the keys for all EV certificates (both
> the certificate used for submission, and the certificate embedded in
> the shim) in devices that meet at least FIPS 140 Level 2.  Such
> devices that are affordable, support secure, remote operation, and are
> compatible with free software environments are difficult to find.
> (But perhaps we can find a DD who agrees to keep the keys in his or
> her home and manually signs our kernels, using Windows if necessary.)

We (Canonical) have been trying to get this requirement made a bit more
sane; we keep our SB root certificate split up among a number of
shareholders using gfshare, which we believe should be functionally
adequate for this.  Steve Langasek may know where this sits.

> I wonder why Microsoft no longer wants to sign GPLv3 code (such as
> GRUB 2).  It could be due to plans to make Secure Boot mandatory
> eventually.  Right now, it is possible to comply with the GPLv3
> license requirements because users can switch off Secure Boot, either
> at the BIOS level or through the MokManager loophole.  This does not
> affect us because we rarely ship hardware with Debian pre-installed,
> and if we do, we can make use of the general GPLv3 opt-out clause.
> But it would affect some of our users.

Not that I'm very impressed with Microsoft's reasoning here, but in
practice we wouldn't want to get GRUB signed by Microsoft anyway; their
signing process is far too cumbersome for anything but a loader that we
try not to change very often.  Their guidelines permit chaining to GPLv3
code via shim, so this part of it should not be a problem.

Colin Watson                                       [cjwatson@debian.org]

Reply to: