On Wed, 2018-05-16 at 10:05 +0200, Philipp Hahn wrote: > Moin, > > Am 15.05.2018 um 11:41 schrieb Steve McIntyre: > > On Tue, May 15, 2018 at 04:16:22AM +0100, Colin Watson wrote: > > > On Tue, May 15, 2018 at 11:46:00AM +0900, Hideki Yamane wrote: > > > > On Tue, 15 May 2018 03:32:26 +0100 Ben Hutchings <ben@decadent.org.uk> wrote: > > > > > > > The second point (have DAK accept ...) is part of step 7, yes. It > > > > > > > seems to have been implemented now. > > > > > > > > > > > > Then, remaining blocker is only template for GRUB2? > > > > > > > > > > For testing purposes, I think so. I don't know whether GRUB implements > > > > > the policy we want at the moment. > > @benh: you meat to *only* boot signed stuff and not fall back to > disabling SB before booting an unsigned kernel? > That should be addressed by > <https://salsa.debian.org/pmhahn/grub/commit/fe06193ff5a36ee6aa6a6cab12f4651b6290d91b> I think that's what we agreed, yes. [...] > I haven't yet found time to setup an UEFI-SB test environment to check > that everything works. [...] It's fairly easy to do with OVMF; this blog entry summarises the process: https://www.decadent.org.uk/ben/blog/experiments-with-signed-kernels-and-modules-in-debian.html Ben. -- Ben Hutchings Teamwork is essential - it allows you to blame someone else.
Attachment:
signature.asc
Description: This is a digitally signed message part