Re: Plan of action for Secure Boot support

2014-08-20 Thread Paul R. Tagliamonte
Perhaps we should find time to hack at DebConf
-T
On Tue, Aug 19, 2014 at 5:16 PM, Steve McIntyre wrote:
> On Tue, Aug 19, 2014 at 01:38:44PM -0700, Ben Hutchings wrote:
>>
>>So far as I know, no progress has been made on the above steps or any
>>alternate approach.
>
> Ditto, I've not seen (or

Re: Plan of action for Secure Boot support

2014-08-19 Thread Steve McIntyre
On Tue, Aug 19, 2014 at 01:38:44PM -0700, Ben Hutchings wrote:
>
>So far as I know, no progress has been made on the above steps or any
>alternate approach.
Ditto, I've not seen (or done) anything about this.
--
Steve McIntyre, Cambridge, UK. st...@einval.com
Mat

Re: Plan of action for Secure Boot support

2014-08-19 Thread Ben Hutchings
On Thu, 2014-08-14 at 23:38 +0200, Cyril Brulebois wrote:
[...]
> > 1. Colin Watson will prepare dak changes to support upload and
> > subsequent signing of EFI executables. (This is an embedded, not
> > detached, signature.)
> >
> > 2. Steve Langasek will prepare and upload a package of the 'shi

Re: Plan of action for Secure Boot support

2014-08-14 Thread Cyril Brulebois
Hi Ben,
Ben Hutchings (2013-08-13):
> Colin Watson and Stefano Rivera talked about how Ubuntu had implemented
> Secure Boot and what they believed were the requirements.
>
> Apparently, the Secure Boot spec requires each stage of the boot code
> to validate signatures only until ExitBootServices

Re: Plan of action for Secure Boot support

2014-05-25 Thread Florian Weimer
* Colin Watson:
> On Wed, Jan 08, 2014 at 08:31:11AM +0100, Florian Weimer wrote:
>> Furthermore, we need to store the keys for all EV certificates (both
>> the certificate used for submission, and the certificate embedded in
>> the shim) in devices that meet at least FIPS 140 Level 2. Such
>> de

Re: Plan of action for Secure Boot support

2014-01-08 Thread Florian Weimer
* Ben Hutchings:
>> The Terms & Conditions of existing EV code-signing CAs do not permit a
>> code-signing end-entity certificate to be used for signing another
>> certificate, so we'd directly have to embed the end-entity certificate
>> used to sign GRUB and the kernel into the shim—or we'd have

Re: Plan of action for Secure Boot support

2014-01-08 Thread Ben Hutchings
On Wed, 2014-01-08 at 08:31 +0100, Florian Weimer wrote:
> * Ben Hutchings:
>
> > However, there is now a blog post from Microsoft that supports what
> > Matthew Garrett has been saying for a while - they may revoke the
> > signature on a boot loader if signature verification is not extended to
>

Re: Plan of action for Secure Boot support

2014-01-08 Thread Colin Watson
On Wed, Jan 08, 2014 at 08:31:11AM +0100, Florian Weimer wrote:
> Furthermore, we need to store the keys for all EV certificates (both
> the certificate used for submission, and the certificate embedded in
> the shim) in devices that meet at least FIPS 140 Level 2. Such
> devices that are affordab

Re: Plan of action for Secure Boot support

2014-01-07 Thread Florian Weimer
* Ben Hutchings:
> However, there is now a blog post from Microsoft that supports what
> Matthew Garrett has been saying for a while - they may revoke the
> signature on a boot loader if signature verification is not extended to
> the kernel, including any mechanism to chain-load another kernel:
>

Re: Plan of action for Secure Boot support

2013-12-09 Thread Ben Hutchings
On Tue, 2013-08-13 at 22:54 +0200, Ben Hutchings wrote:
[...]
> Apparently, the Secure Boot spec requires each stage of the boot code to
> validate signatures only until ExitBootServices() is called. (At this
> point the firmware makes some parts of its non-volatile configuration
> inaccessible.)

Re: Plan of action for Secure Boot support

2013-08-14 Thread Bastian Blank
On Wed, Aug 14, 2013 at 12:30:55AM +0200, Ben Hutchings wrote:
> Editing of binary packages is icky, so that's not part of the plan.
> Instead, after dak signs an executable, the package maintainer downloads
> and copies those into a separate 'source' package, which has a trivial
> debian/rules. (

Re: Plan of action for Secure Boot support

2013-08-13 Thread Ben Hutchings
On Tue, 2013-08-13 at 23:38 +0200, Cyril Brulebois wrote:
[...]
> > 4. The kernel team may also need to upload kernel images for signing and
> > add linux-image-signed packages with the Debian-signed kernel images.
> > This is because some quirks in the kernel should be run before calling
> > Exit

Re: Plan of action for Secure Boot support

2013-08-13 Thread Joey Hess
Cyril Brulebois wrote:
> (Sorry, I'm new to all this) do you mean (1) the regular linux image
> packages are getting a signature added, and we're using those like we do
> today, or (2) that we'll have additional linux image packages with the
> signatures to be used instead of the usual linux image

Re: Plan of action for Secure Boot support

2013-08-13 Thread Cyril Brulebois
Hi, many thanks for the summary.
Ben Hutchings (2013-08-13):
> Colin Watson and Stefano Rivera talked about how Ubuntu had implemented
> Secure Boot and what they believed were the requirements.
>
> Apparently, the Secure Boot spec requires each stage of the boot code to
> validate signatures o

Re: Plan of action for Secure Boot support

2013-08-13 Thread Ben Hutchings
On Tue, 2013-08-13 at 22:54 +0200, Ben Hutchings wrote:
> Colin Watson and Stefano Rivera talked about how Ubuntu had implemented
> Secure Boot and what they believed were the requirements.
[...]
Sorry, I'm having name confusion here. Who do I really mean?
Ben.
--
Ben Hutchings
Experience is w

Plan of action for Secure Boot support

2013-08-13 Thread Ben Hutchings
Colin Watson and Stefano Rivera talked about how Ubuntu had implemented Secure Boot and what they believed were the requirements. Apparently, the Secure Boot spec requires each stage of the boot code to validate signatures only until ExitBootServices() is called. (At this point the firmware makes