Bug#996202: EFI Secure Boot for systemd-boot
Luca Boccassi
bluca at debian.org
Thu Apr 4 20:41:59 BST 2024
On Fri, 22 Mar 2024 18:13:35 +0000 Luca Boccassi <bluca at debian.org>
wrote:
> On Mon, 4 Mar 2024 at 23:58, Luca Boccassi <bluca at debian.org> wrote:
> >
> > On Mon, 4 Mar 2024 at 23:28, Steve McIntyre <steve at einval.com>
wrote:
> >
> > > Modulo those questions, let's talk infrastructure. Off the top of
my
> > > head, in no particular order...
> > >
> > > * We'll need to create a new intermediate signing cert for
> > > systemd-boot (and another for UKI, I guess). Given recent
> > > discussions about changing the way we build and sign kernels,
we
> > > should also generate a new signer cert for those too. And if
we're
> > > going that far, we may as well generate a complete new set of
2024
> > > certs. [Sorry, rabbithole. :-)] We'll need to talk to DSA
about
> > > doing this piece.
> >
> > That makes sense to me, I guess DSA owns the machinery to do this?
> >
> > > * We'll probably need to add things to the signing setup for
> > > ftp-master. Nothing earth-shattering, just some config to
> > > recognise the new set of packages IIRC. I'm sure Bastian can
> > > manage this. :-)
> > >
> > > * Are people from the team ready to deal with long-term
security
> > > support for the systemd-boot chain?
> >
> > Speaking for myself, yes, I am already part of the team who is
> > responsible for that upstream, and I plan to be very strict about
not
> > carrying downstream patches for the signed components outside of
> > security fixes (and even then, prefer upstream stable point
releases
> > that I am also responsible for anyway).
> >
> > > That's all I can think of for now, but I wouldn't be surprised if
more
> > > comes to mind tomorrow... :-)
> >
> > Thanks for the feedback!
>
> Gentle ping on this - what are the next steps in order to make this
happen?
On IRC Steve mentioned that he's ok with proceeding with this. jcristau
from DSA said that it's the FTP team that should confirm the request
for the new intermediate signer cert for systemd-boot to DSA.
FTP team, are you ok with proceeding with this? If so, would it be
possible to have an ACK, please? Is there any more information required
beforehand?
Thanks!
--
Kind regards,
Luca Boccassi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20240404/4c46ff90/attachment.sig>
More information about the Pkg-systemd-maintainers
mailing list