UEFI Secure Boot sprint report

Ben Hutchings ben at decadent.org.uk
Thu May 17 00:22:23 BST 2018


On Wed, 2018-05-16 at 10:05 +0200, Philipp Hahn wrote:
> Hi,
> 
> On 15.05.2018 at 11:41, Steve McIntyre wrote:
> > On Tue, May 15, 2018 at 04:16:22AM +0100, Colin Watson wrote:
> > > On Tue, May 15, 2018 at 11:46:00AM +0900, Hideki Yamane wrote:
> > > > On Tue, 15 May 2018 03:32:26 +0100 Ben Hutchings <ben at decadent.org.uk> wrote:
> > > > > > > The second point (have DAK accept ...) is part of step 7, yes.  It
> > > > > > > seems to have been implemented now.
> > > > > > 
> > > > > >  Then, remaining blocker is only template for GRUB2?
> > > > > 
> > > > > For testing purposes, I think so.  I don't know whether GRUB implements
> > > > > the policy we want at the moment.
> 
> @benh: you meant to *only* boot signed stuff and not fall back to
> disabling SB before booting an unsigned kernel?
> That should be addressed by
> <https://salsa.debian.org/pmhahn/grub/commit/fe06193ff5a36ee6aa6a6cab12f4651b6290d91b>

I think that's what we agreed, yes.

[...]
> I haven't yet found time to set up a UEFI-SB test environment to check
> that everything works.
[...]

It's fairly easy to do with OVMF; this blog entry summarises the
process:
https://www.decadent.org.uk/ben/blog/experiments-with-signed-kernels-and-modules-in-debian.html

Ben.

-- 
Ben Hutchings
Teamwork is essential - it allows you to blame someone else.

More information about the Pkg-grub-devel mailing list