
Re: UEFI Secure Boot sprint report



Tollef Fog Heen writes ("UEFI Secure Boot sprint report"):
> In the end, we decided to have a signing service which will construct
> a source package based on a "template" package and a list of files to
> sign and upload this to be processed by the normal buildd and dak
> processes. The signing service will also have an audit log which makes
> it public what was signed and when.

Thanks for the update.

> Once this was agreed and various corner cases ironed out, we started
> implementing the signing service, and the necessary changes in the
> Linux kernel package, dak, fwupdate, shim and grub. The source for the
> signing service can be found at
> https://salsa.debian.org/ftp-team/code-signing.

One small point: Do you think that the source for the signing service
is part of the source for the signed output?  If so it probably needs
to be in the Debian archive, not just on salsa.  Sorry if this is
inconvenient.

> By the end of the sprint, we were able to:
> - generate a signing template for Linux kernel modules
> - generate a signing template for shim
> - generate a signing template for fwupdate
> - have DAK detect such signing template packages automatically and
>   generate a request for signing
> - run the code of the signing box by hand to generate the source code
>   packages containing the generated signatures

Thanks for your work.

Regards,
Ian.

