On 6/7/26 11:17 AM, Steve McIntyre wrote:
> Package: shim-signed
> Version: 1.47+15.8-1
> Severity: wishlist
>
> [ Filing this wishlist bug here, even if it's not a direct issue in
> shim-signed itself. ]
>
> While fwupd is clearly the right answer for updating CAs and KEKs on
> most systems, there are cases where it might not work or may not be
> *allowed* to work. Imagine a restricted network environment where
> servers are not allowed to initiate https connections to arbitrary
> websites like LVFS, for example.
>
> It would be useful to package up the already-signed CA and KEK updates
> that we know about. We could then use efivar (or similar? maybe part
> of fwupd itself?) to install these updates when desired.
>
> We should be wary of doing this *automatically*, as the fwupd authors
> already have found some systems which do not work well with these
> updates. At the very least, we'd need a quirks list to allow/block the
> updates here.
>
> These are just initial thoughts - comments welcome...
I have an idea that would maintain the fwupd checks but allow a true
"offline" update.
fwupd has the concept of allowing both local and network "remotes".
A local remote is a directory that contains either a bunch of CAB files
or metadata and CAB files.
The fwupd daemon will scan local remotes at startup and include them in
potential network sources.
That is to say, we can just have a "Debian package" that has all the
CAB files for CA and KEK updates fetched from LVFS. If a user wants to
install these they could just install the Debian package and they'll be
available.
---
Another idea is to mirror these updates on Debian infrastructure that
would already be mirrored. If they were signed by a Debian key, though,
that would mean another trust authority would need to be registered to
fwupd.
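To make the "local remote" idea above concrete, here is an added example (not from either message in this thread, and not fwupd's or Debian's own packaging) of the two files such a package would ship: a directory that holds the LVFS-signed CAB files, and a fwupd remote definition pointing at it. The config keys follow the `Type=directory` remote that fwupd ships as vendor-directory.conf; the remote name `debian-uefi-keys`, the paths, and the staging root are assumptions for illustration, and the remote is written disabled so nothing is applied automatically, matching the "be wary of doing this automatically" concern.

```shell
#!/bin/sh
# Added example, not code from the bug thread. Stages LVFS-signed CA/KEK .cab
# files as an offline fwupd "directory" remote. Key names mirror fwupd's shipped
# vendor-directory.conf; remote id and paths are assumptions for illustration.
set -eu

# make_offline_remote ROOT REMOTE_ID
#   ROOT is a packaging staging root (e.g. debian/tmp); REMOTE_ID becomes the
#   fwupd remote name, which fwupd derives from the .conf file name.
#   Writes ROOT/etc/fwupd/remotes.d/REMOTE_ID.conf and creates the firmware
#   directory the remote scans. Prints the path of the written .conf.
make_offline_remote() {
    root="$1"
    remote="$2"
    fwdir="$root/usr/share/fwupd/remotes.d/$remote/firmware"
    conf="$root/etc/fwupd/remotes.d/$remote.conf"
    mkdir -p "$fwdir" "$(dirname "$conf")"
    # MetadataURI is the *installed* path (no $root prefix): the daemon reads
    # it on the target system, not in the build tree.
    cat > "$conf" <<EOF
[fwupd Remote]
# Shipped disabled: an administrator opts in explicitly with
#   fwupdmgr enable-remote $remote
# and can review pending updates with fwupdmgr get-updates before applying.
Enabled=false
Title=Offline UEFI CA/KEK updates ($remote)
Type=directory
MetadataURI=file:///usr/share/fwupd/remotes.d/$remote/firmware
EOF
    printf '%s\n' "$conf"
}

# count_cabs DIR -> number of .cab files staged directly in DIR, so a package
# build can fail early if the payload directory ended up empty.
count_cabs() {
    find "$1" -maxdepth 1 -type f -name '*.cab' | wc -l | tr -d ' '
}

# Stand-alone usage: stage into a scratch root and report what was written.
if [ "${1:-}" = "--demo" ]; then
    demo_root="$(mktemp -d)"
    demo_conf="$(make_offline_remote "$demo_root" debian-uefi-keys)"
    echo "wrote $demo_conf"
    echo "staged cabs: $(count_cabs "$demo_root/usr/share/fwupd/remotes.d/debian-uefi-keys/firmware")"
    rm -rf "$demo_root"
fi
```

In a real package the .conf would be installed under /etc/fwupd/remotes.d/ as a conffile and the .cab files under /usr/share/fwupd/remotes.d/<remote>/firmware; because the CAB files keep their LVFS signatures, fwupd's existing checks still run and no additional trust authority has to be registered, which is the advantage over re-signing a Debian mirror with a Debian key.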