Re: Plan of action for Secure Boot support

To: debian-project@lists.debian.org
Cc: pkg-grub-devel@lists.alioth.debian.org, debian-kernel@lists.debian.org, vorlon@debian.org
Subject: Re: Plan of action for Secure Boot support
From: Florian Weimer <fw@deneb.enyo.de>
Date: Sun, 25 May 2014 12:35:47 +0200
Message-id: <87siny87ss.fsf@mid.deneb.enyo.de>
In-reply-to: <20140108111130.GA20011@riva.ucam.org> (Colin Watson's message of "Wed, 8 Jan 2014 11:11:30 +0000")
References: <1376427261.11676.35.camel@deadeye.wl.decadent.org.uk> <1386596706.12186.52.camel@deadeye.wl.decadent.org.uk> <878uurexq8.fsf@mid.deneb.enyo.de> <20140108111130.GA20011@riva.ucam.org>

* Colin Watson:

> On Wed, Jan 08, 2014 at 08:31:11AM +0100, Florian Weimer wrote:
>> Furthermore, we need to store the keys for all EV certificates (both
>> the certificate used for submission, and the certificate embedded in
>> the shim) in devices that meet at least FIPS 140 Level 2.  Such
>> devices that are affordable, support secure, remote operation, and are
>> compatible with free software environments are difficult to find.
>> (But perhaps we can find a DD who agrees to keep the keys in his or
>> her home and manually signs our kernels, using Windows if necessary.)
>
> We (Canonical) have been trying to get this requirement made a bit more
> sane; we keep our SB root certificate split up among a number of
> shareholders using gfshare, which we believe should be functionally
> adequate for this.  Steve Langasek may know where this sits.

Have you had any success in this endeavor?

Reply to:

Prev by Date: Re: Maximum term for tech ctte members
Next by Date: Re: Maximum term for tech ctte members
Previous by thread: Re: Maximum term for tech ctte members
Next by thread: Re: Prospective Trusted Organizations - FFIS
Index(es):
- Date
- Thread