Secure boot signing infrastructure - feedback request

Helen Koike helen.koike at collabora.com
Thu Oct 5 17:57:43 UTC 2017


Hello all,

As you probably already know, Debian doesn't support the Secure Boot
chain yet.
To support it we need to sign Grub and the Kernel with our key, so we
are discussing the best infrastructure for this workflow.

The first approach we had was to add a by-hand script in Dak as
described here
https://wiki.debian.org/SecureBoot#First_option:_by-hand_script_in_dak
But this option wasn't well received by the ftpteam.

The second approach we have is to add some debhelper scripts (e.g.
dh_sign...) that will access a signing service which will sign the
binaries with Debian's key.  We would use the dh_sign... helpers when
making an extra binary package. buildd would then publish the -signed
version of the package in the archives.
Please see a more detailed explanation here
https://wiki.debian.org/SecureBoot#Second_option:_use_buildd_.2B-_debhelper_instead_of_dak
A current known issue with this approach is the NEW queue: it requires
the maintainer to also upload binaries for an architecture on first
upload, and these binaries are not rebuilt by the buildd (see
https://wiki.debian.org/SecureBoot#Issues).

I would like to know everyone's opinions about these approaches, whether
you agree to go forward with the second approach described above and how
we solve the NEW queue policy issue.

Thanks
Helen Koike


