Plan of action for Secure Boot support
Florian Weimer
fw at deneb.enyo.de
Sun May 25 10:35:47 UTC 2014
* Colin Watson:
> On Wed, Jan 08, 2014 at 08:31:11AM +0100, Florian Weimer wrote:
>> Furthermore, we need to store the keys for all EV certificates (both
>> the certificate used for submission, and the certificate embedded in
>> the shim) in devices that meet at least FIPS 140 Level 2. Such
>> devices that are affordable, support secure, remote operation, and are
>> compatible with free software environments are difficult to find.
>> (But perhaps we can find a DD who agrees to keep the keys in his or
>> her home and manually signs our kernels, using Windows if necessary.)
>
> We (Canonical) have been trying to get this requirement made a bit more
> sane; we keep our SB root certificate split up among a number of
> shareholders using gfshare, which we believe should be functionally
> adequate for this. Steve Langasek may know where this sits.
Have you had any success in this endeavor?
More information about the Pkg-grub-devel
mailing list