Bug#820129: This is not a bug, but a feature

Andreas Heinlein aheinlein at gmx.com
Thu Dec 8 15:44:18 UTC 2016


I do not think this should be done, it would make it difficult if not
impossible to boot custom kernels. For your own use, you could always
build your own signed kernel and add the signing key to the UEFI
firmware, or turn off SecureBoot altogether.
However, for authors of Debian-based live systems like I am
(www.discreete-linux.org), we need a way that will boot the live system
on as many computers and platforms as possible without user interaction,
including those users who regularly use only Windows, and including
platforms like Intel-based tablets/detachables which often do not allow
turning off SecureBoot. Our live system requires a special kernel to
work; it cannot work with any generic kernel/initrd signed by Debian.

UEFI/SecureBoot specs do not require keeping the chain of signatures
through to the kernel/initrd; it is optional. There should at least be a
choice by providing two packages, one which allows booting unsigned
kernels and one which doesn't. Or we can find a way for projects to get
their kernels and/or their own grub signed by Debian.

