Plan of action for Secure Boot support

Ben Hutchings ben at decadent.org.uk
Tue Aug 13 22:30:55 UTC 2013


On Tue, 2013-08-13 at 23:38 +0200, Cyril Brulebois wrote:
[...] 
> > 4. The kernel team may also need to upload kernel images for signing and
> > add linux-image-signed packages with the Debian-signed kernel images.
> > This is because some quirks in the kernel should be run before calling
> > ExitBootServices().
> 
> (Sorry, I'm new to all this) do you mean (1) the regular linux image
> packages are getting a signature added, and we're using those like we do
> today, or (2) that we'll have additional linux image packages with the
> signatures to be used instead of the usual linux image packages when a
> Secure Boot environment is detected? (or (3) something else…)
[...]

Signing of EFI executables (aside from MS signature on shim) would be
done by dak and would require manual intervention from the FTP team.

Editing of binary packages is icky, so that's not part of the plan.
Instead, after dak signs an executable, the package maintainer downloads
and copies those into a separate 'source' package, which has a trivial
debian/rules.  (And of course will generate an appropriate 'Built-Using'
header.)

I suppose GRUB's Linux configuration generator will also need to prefer
a signed vmlinuz (whatever name it gets) to the unsigned version.

Ben.

-- 
Ben Hutchings
Any smoothly functioning technology is indistinguishable from a rigged demo.