Plan of action for Secure Boot support

Ben Hutchings ben at decadent.org.uk
Tue Aug 19 20:38:44 UTC 2014


On Thu, 2014-08-14 at 23:38 +0200, Cyril Brulebois wrote:
[...]
> > 1. Colin Watson will prepare dak changes to support upload and
> > subsequent signing of EFI executables.  (This is an embedded, not
> > detached, signature.)
> > 
> > 2. Steve Langasek will prepare and upload a package of the 'shim' EFI
> > boot loader.  This will embed our own set of public keys
> > (corresponding to those used by dak) and can load any other EFI
> > executable signed by one of them.  Later, there will be a shim-signed
> > package containing the same executable with a Microsoft signature.
> > (This costs money and takes several days, but shim should require only
> > very infrequent changes.)
> > 
> > 3. Colin Watson will update the GRUB package to build a to-be-signed
> > monolithic EFI executable separate from the package.  Then he will add
> > a grub-signed package that includes the Debian-signed executable from
> > the archive.  This executable would be suitable for use on both
> > removable media and the installed system.
> > 
> > 4. The kernel team may also need to upload kernel images for signing
> > and add linux-image-signed packages with the Debian-signed kernel
> > images.  This is because some quirks in the kernel should be run
> > before calling ExitBootServices().
> 
> could you please tell us whether anything changed during the past year?
> Is there any chance we could think of having SB in jessie, or should we
> consider it an unreasonable goal for this release and concentrate on
> other things?

So far as I know, no progress has been made on the above steps or any
alternate approach.

Ben.

-- 
Ben Hutchings
Anthony's Law of Force: Don't force it, get a larger hammer.

More information about the Pkg-grub-devel mailing list