On Wed, Dec 13, 2023 at 10:18:40PM +0000, Dimitri John Ledkov wrote:
> At the moment the best options are:
> 
> - rotate online signing key
> - build new shim with old signing key in vendorx (revoked ESL)
> - build new kernels with old signing key built-in revoked keyring
> 
> This is to ensure that old shim & old kernel can boot or kexec new kernels.
> To ensure new shim cannot boot old kernels.
> To ensure that new kernels cannot kexec old kernels.
> 
> This is the revocation strategy used by Canonical Kernel Team for Ubuntu
> Kernels.
> 
> There is no sbat for kernels yet (and/or nobody has yet started to use sbat
> for kernels).

Reading this summary also made me realize that if we do SBAT for kernels
and want to rely on it, we also need to make kernels *check* SBAT so that
it is respected at kexec.

This can be done two ways:

- You do an SBAT self-check at startup to see if you are revoked
  yourself, which is what shim does

- You check the SBAT of the kernel you are about to kexec

I'd generally prefer the self-check I think because that also applies
if you boot kernels via UEFI directly or something.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
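The two options above, as an added reference model that is not code from shim, the kernel or this thread: the SBAT CSV is parsed and compared against an SbatLevel-style revocation policy, and the same comparison serves both the startup self-check and a check of a kexec target. The "linux" component, vendor fields, URLs and the policy date are constructed, since no SBAT for kernels exists yet.

```python
import csv
from io import StringIO

# Constructed sample .sbat contents: kernels carry no SBAT today (see thread), so the
# "linux" component, vendor fields and URLs below are hypothetical.
SBAT_HEADER = "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
OLD_KERNEL_SBAT = SBAT_HEADER + "linux,1,Example Distro,linux,6.5.0-1,https://example.invalid/linux\n"
NEW_KERNEL_SBAT = SBAT_HEADER + "linux,2,Example Distro,linux,6.5.0-2,https://example.invalid/linux\n"
# Constructed revocation policy in the SbatLevel style (component_name,minimum_generation):
# generation 1 of "linux" is revoked, generation 2 and up remain acceptable.
REVOCATION_POLICY = "sbat,1,2023121300\nlinux,2\n"

def parse_sbat(text):
    """Parse SBAT CSV into [(component_name, generation)].
    Image rows: name,generation,vendor_name,vendor_package,vendor_version,vendor_url
    Policy rows: name,minimum_generation[,date]. Only the first two columns matter."""
    entries = []
    for row in csv.reader(StringIO(text)):
        if not row or not row[0].strip():
            continue  # blank line
        if len(row) < 2 or not row[1].strip().isdigit():
            raise ValueError(f"malformed SBAT row: {row!r}")
        entries.append((row[0].strip(), int(row[1].strip())))
    return entries

def revocation_reasons(image_sbat_text, policy_text):
    """Reasons the image is revoked under the policy; an empty list means allowed.
    Rule (the comparison shim applies): for each component the policy names, every
    image entry with that name needs generation >= the policy minimum. Components
    the policy does not mention are unconstrained."""
    image = parse_sbat(image_sbat_text)
    reasons = []
    for comp, min_gen in parse_sbat(policy_text):
        for name, gen in image:
            if name == comp and gen < min_gen:
                reasons.append(f"{name}: generation {gen} < required {min_gen}")
    return reasons

def kernel_self_check(own_sbat_text, policy_text):
    """Startup self-check from the thread: True if this kernel is not revoked.
    The same function applied to a kexec target's .sbat gives the second option."""
    return not revocation_reasons(own_sbat_text, policy_text)

if __name__ == "__main__":
    for label, sbat in (("old kernel", OLD_KERNEL_SBAT), ("new kernel", NEW_KERNEL_SBAT)):
        reasons = revocation_reasons(sbat, REVOCATION_POLICY)
        print(label, "allowed" if not reasons else "revoked: " + "; ".join(reasons))
```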
