On Sat, 2022-04-23 at 18:21 +0100, Steve McIntyre wrote: > If you don't like the fact that Microsoft's keys are involved, > it's possible on a lot of machines to enrol your own keys
On machines where this isn't possible in the UEFI firmware interface, IIRC shim-signed is designed to allow you to enrol your own keys; you should be able to boot Debian's MS-signed shim-signed once, enrol your own keys and then switch to your own shim-signed. If UEFI bugs prevent loading your own shim-signed, then Debian's MS-signed shim-signed will still let you replace the Debian-signed GRUB, Linux etc images. IIRC this was done so that the distro docs can ignore the UEFI firmware user interface for enrolling keys, which is different for every UEFI vendor, while the shim interface for this is the same everywhere. Of course, there may be UEFI bugs that break some of this, and on ARM the MS requirement to allow enrolling keys was initially not present, not sure if they re-added it for recent ARM based Windows laptops. > and remove Microsoft's entirely. ISTR that I read that even if you can do this on your particular UEFI firmware, in practice this often *isn't* possible because parts of the pre-installed firmware for some devices (option ROMs?) are MS-signed. > we could even offer our own different shim-signed package to match. Renaming shim-signed to shim-signed-microsoft and adding a new package shim-signed-debian sounds like a good idea to me. > If we had a large enough number of users wanting a different root of trust I've seen a few people over the years wanting this, most want their own root of trust rather a Debian root of trust though. There probably aren't enough people to justify the extra effort, but it would make Debian useful in a few more use-cases. -- bye, pabs https://wiki.debian.org/PaulWise
signature.asc
Description: This is a digitally signed message part
