Am 15.05.2018 um 11:41 schrieb Steve McIntyre:
> On Tue, May 15, 2018 at 04:16:22AM +0100, Colin Watson wrote:
>> On Tue, May 15, 2018 at 11:46:00AM +0900, Hideki Yamane wrote:
>>> On Tue, 15 May 2018 03:32:26 +0100 Ben Hutchings <b...@decadent.org.uk>
>>>>>> The second point (have DAK accept ...) is part of step 7, yes. It
>>>>>> seems to have been implemented now.
>>>>> Then, remaining blocker is only template for GRUB2?
>>>> For testing purposes, I think so. I don't know whether GRUB implements
>>>> the policy we want at the moment.
@benh: you meat to *only* boot signed stuff and not fall back to
disabling SB before booting an unsigned kernel?
That should be addressed by
>>> Is there any issue to apply such policy to grub2 package, or just not
>>> discussed yet?
>> Either nobody's tried to discuss it with me yet or I missed the email.
>> Feel free to (preferably in the form of a patch I can review :-) ).
> At / shortly after the sprint, Philipp (in CC) had patches basically
> ready for grub2, but he seems to have gone quiet. <prod>
I was busy working on our release, which took all my time.
And I'm not subscribed to debian-project.
My last work it at <https://salsa.debian.org/pmhahn/grub/tree/signing>.
In the week after the sprint I worked on GRUB2 and got it so far to have
the signed amd64 package - so at the time of writing the sprint report
GRUB2 was already ready.
I haven't yet found time to setup an UEFI-SB test environment to check
that everything works.
I haven't yet tested any other architecture != amd64.
@Colin: Please have a look at said repository above.
What I'm currently unsure about is that amd64 has those ia32 packages as
well - it should work but also untested.
My reading is that those are required for dual booting?