Plan of action for Secure Boot support

Florian Weimer fw at deneb.enyo.de
Sun May 25 10:35:47 UTC 2014


* Colin Watson:

> On Wed, Jan 08, 2014 at 08:31:11AM +0100, Florian Weimer wrote:
>> Furthermore, we need to store the keys for all EV certificates (both
>> the certificate used for submission, and the certificate embedded in
>> the shim) in devices that meet at least FIPS 140 Level 2.  Such
>> devices that are affordable, support secure, remote operation, and are
>> compatible with free software environments are difficult to find.
>> (But perhaps we can find a DD who agrees to keep the keys in his or
>> her home and manually signs our kernels, using Windows if necessary.)
>
> We (Canonical) have been trying to get this requirement made a bit more
> sane; we keep our SB root certificate split up among a number of
> shareholders using gfshare, which we believe should be functionally
> adequate for this.  Steve Langasek may know where this sits.

Have you had any success in this endeavor?



More information about the Pkg-grub-devel mailing list