[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: UEFI Secure Boot sprint report

Tollef Fog Heen writes ("UEFI Secure Boot sprint report"):
> In the end, we decided to have a signing service which will construct
> a source package based on a "template" package and a list of files to
> sign and upload this to be processed by the normal buildd and dak
> processes. The signing service will also have an audit log which makes
> it public what was signed and when.

Thanks for the update.

> Once this was agreed and various corner cases ironed out, we started
> implementing the signing service, and the necessary changes in the
> Linux kernel package, dak, fwupdate, shim and grub. The source for the
> signing service can be found at
> https://salsa.debian.org/ftp-team/code-signing.

One small point: Do you think tht the source for the signing service
is part of the source for the signed output ?  If so it probably needs
to be in the Debian archive, not just on salsa.  Sorry if this is

> By the end of the sprint, we were able to:
> - generate a signing template for Linux kernel modules
> - generate a signing template for shim
> - generate a signing template for fwupdate
> - have DAK detect such signing template packages automatically and
>   generate a request for signing
> - run the code of the signing box by hand to generate the source code
>   packages containing the generated signatures

Thanks for your work.


Reply to: