On Thu, Dec 08, 2016 at 04:44:18PM +0100, Andreas Heinlein wrote:
> I do not think this should be done, it would make it difficult if not
> impossible to boot custom kernels. For your own use, you could always
> build your own signed kernel and add the signing key to the UEFI
> firmware, or turn off SecureBoot altogether.
> However, for authors of Debian-based live systems like I am
> (www.discreete-linux.org), we need a way that will boot the live system
> on as many computers and platforms as possible without user interaction,
> including those users which regularly use only Windows, and including
> platforms like Intel-based Tablets/Detachables which often do not allow
> to turn off Secureboot. Our live system requires a special kernel to
> work, it cannot work with any generic kernel/initrd signed by Debian.
>
> UEFI/SecureBoot specs do not require to keep the chain of signatures
> through to the kernel/initrd, it is optional. There should at least be a
> choice by providing two packages, one which allows booting unsigned
> kernels and one which doesn't. Or we can find a way for projects to get
> their kernels and/or own grub signed by Debian.

Without verifying the kernel, the additional security features in the kernel become largely useless and we lose much of the value that a root of trust can provide. Note that this patch only affects systems with UEFI Secure Boot enabled. To allow boot without user interaction on a system with Secure Boot enabled, you could build shim with your key and get it signed.