Secure boot signing infrastructure - feedback request
Helen Koike
helen.koike at collabora.com
Mon Oct 9 00:53:38 UTC 2017
+
On 2017-10-05 02:57 PM, Helen Koike wrote:
> Hello all,
>
> As you probably already know, Debian doesn't support the Secure Boot
> chain yet.
> To support it we need to sign Grub and the Kernel with our key, so we
> are discussing the best infrastructure for this workflow.
>
> The first approach we had was to add a by-hand script in Dak as
> described here
> https://wiki.debian.org/SecureBoot#First_option:_by-hand_script_in_dak
> But this option wasn't well received by the ftpteam
>
> The second approach we have is to add some debhelper scripts (e.g
> dh_sign...) that will access a signing service which will sign the
> binaries with Debian's key. We would use the dh_sign... helpers when
> making an extra binary package. buildd would then publish the -signed
> version of the package in the archives.
> Please see a more detailed explanation here
> https://wiki.debian.org/SecureBoot#Second_option:_use_buildd_.2B-_debhelper_instead_of_dak
> A current known issue with this approach is the NEW queue: it requires
> the maintainer to also upload binaries for an architecture on first
> upload, and these binaries are not rebuilt by the buildd ( see
> https://wiki.debian.org/SecureBoot#Issues ).
>
> I would like to know everyone's opinions about these approaches, if you
> agree to go forward with the second approach described above and how do
> we solve the NEW queue policy issue.
>
> Thanks
> Helen Koike
>
> _______________________________________________
> Pkg-grub-devel mailing list
> Pkg-grub-devel at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-grub-devel
>
More information about the Pkg-grub-devel
mailing list