Bug#820129: This is not a bug, but a feature

Linn Crosetto linn at hpe.com
Tue Jan 31 18:40:33 UTC 2017


On Thu, Dec 08, 2016 at 04:44:18PM +0100, Andreas Heinlein wrote:
> I do not think this should be done, it would make it difficult if not
> impossible to boot custom kernels. For your own use, you could always
> build your own signed kernel and add the signing key to the UEFI
> firmware, or turn off SecureBoot altogether.
> However, for authors of Debian-based live systems like I am
> (www.discreete-linux.org), we need a way that will boot the live system
> on as many computers and platforms as possible without user interaction,
> including those users which regularly use only Windows, and including
> platforms like Intel-based Tablets/Detachables which often do not allow
> to turn off Secureboot. Our live system requires a special kernel to
> work, it cannot work with any generic kernel/initrd signed by Debian.
> 
> UEFI/SecureBoot specs do not require to keep the chain of signatures
> through to the kernel/initrd, it is optional. There should at least be a
> choice by providing two packages, one which allows booting unsigned
> kernels and one which doesn't. Or we can find a way for projects to get
> their kernels and/or own grub signed by Debian.

Without verifying the kernel, the additional security features in the kernel
become largely useless and we lose much of the value that a root of trust
can provide. Note that this patch only affects systems with UEFI Secure Boot
enabled.

To allow boot without user interaction on a system with Secure Boot enabled,
you could build shim with your key and get it signed.

