On Fri, May 10, 2024 at 04:29:00PM +0200, Ansgar 🙀 wrote: >Hi, > >On Fri, 2024-05-10 at 15:20 +0100, Luca Boccassi wrote: >> On Thu, 04 Apr 2024 20:41:59 +0100 Luca Boccassi <bl...@debian.org> >> > On IRC Steve mentioned that he's ok with proceeding with this. >> > jcristau from DSA said that it's the FTP team that should confirm the >> > request >> > for the new intermediate signer cert for systemd-boot to DSA. >> > >> > FTP team, are you ok with proceeding with this? If so, would it be >> > possible to have an ACK, please? Is there any more information required >> > beforehand? > >As long as the security boot people are fine with this, I think this >should be fine. (And AFAIU this seems to be the case.)
Yes, I'm happy for us to add this. Please go ahead. >Maybe we should use a non-trusted cert for the initial setup and only >switch to a proper cert once everything is confirmed to be working as >expected? Hmmm, maybe? Luca? Also, while I'm thinking about things... We should probably also move to a new kernel signing cert for unstable/testing now that we've moved to build-time ephemeral keys for the modules. At some point in the future that will let us DBX-block the old kernel signing certificate(s) in a new shim build. Bastian: I'm assuming the ephemeral change is only a thing in testing/unstable? Can we (easily) use a different signer for different releases of the kernel here? In fact, if we're going to generate new keys and certs for the intermediate signers, it might be worth refreshing them all anyway maybe? -- Steve McIntyre, Cambridge, UK. st...@einval.com "Every time you use Tcl, God kills a kitten." -- Malcolm Ray
