Secure boot signing infrastructure - feedback request
Ben Hutchings
ben at decadent.org.uk
Wed Nov 22 23:09:15 UTC 2017
On Tue, 2017-10-31 at 15:58 +0000, Steve McIntyre wrote:
[...]
> On Wed, Oct 11, 2017 at 09:48:46PM -0300, Helen Koike wrote:
[...]
> > Is this solution acceptable? If we have an easy way to revoke, then we
> > can easily undo an attacker's work. We can sign everything automatically
> > (if the package is in a whitelist) without the need for the ftp masters
> > to review each upload manually.
>
> Right. Wanting to go the revocation route would depend on the
> development of yet more new software features. But: this is not
> something that any of the other SB-supporting distros seem to be
> caring about so far so I don't think it's something we should have to
> implement as a pre-requisite.
[...]
As I understand it, SUSE has implemented some kind of downgrade
prevention.
Ben.
--
Ben Hutchings
Beware of programmers who carry screwdrivers. - Leonard Brandwein