On 10/26/2016 10:35 PM, Theodore Ts'o wrote:
> In the case of firmware which is flashed into non-volatile memory, I
> would guess that the it probably wouldn't necessarliy use the
> Microsoft signing key at all. (For example, for a long time most
> printers were not bothering to do any digital sig
On Wed, Oct 26, 2016 at 08:42:07AM +0200, Philipp Kern wrote:
> > To the extent that we could easily support this particular use case,
> > it might be a good thing. (I doubt Debian is going to want to get
> > into the business of verifying and then resigning firmware blobs.)
>
> Depends if you ar
On 10/24/2016 06:20 PM, Theodore Ts'o wrote:
> On Tue, Oct 18, 2016 at 07:52:13PM +0800, Paul Wise wrote:
>> It was posted to bug #820036, which is tracking Debian support for
>> secure boot. Peter was advocating quite correctly that as well as
>> having our copy of shim (the first-stage bootloader
On Tue, Oct 18, 2016 at 07:52:13PM +0800, Paul Wise wrote:
>
> It was posted to bug #820036, which is tracking Debian support for
> secure boot. Peter was advocating quite correctly that as well as
> having our copy of shim (the first-stage bootloader on secure boot
> systems) signed by Microsoft,
Tollef Fog Heen writes ("Re: Bug#820036: No bug mentioning a Debian KEK and
booting use it."):
> ]] Ian Jackson
> > this is rather discouraging, at least for those who think this signed
> > image malarkey is useful.
>
> Just so we're not misunderstanding
On Fri, 2016-10-21 at 14:44 +0800, Paul Wise wrote:
> On Fri, Oct 21, 2016 at 2:35 PM, Ian Campbell wrote:
>
> > I think there are also physical arm64 systems using EDK2/Tianocore as
> > their firmware.
>
> Unmodified upstream versions that you can re-flash?
Some of the 96boards.org offerings I
On Fri, Oct 21, 2016 at 2:35 PM, Ian Campbell wrote:
> I think there are also physical arm64 systems using EDK2/Tianocore as
> their firmware.
Unmodified upstream versions that you can re-flash? I got the
impression most UEFI firmware is based on EDK2/Tianocore, even on x86,
but it has proprietar
On Fri, 2016-10-21 at 12:22 +0800, Paul Wise wrote:
> On Fri, Oct 21, 2016 at 4:20 AM, Tollef Fog Heen wrote:
>
> > If there are machines with free firmware that also support secure boot,
> > we can look at this. So far, I don't believe there are any.
>
> Tianocore (edk2 in Debian) supports virt
On Fri, Oct 21, 2016 at 4:20 AM, Tollef Fog Heen wrote:
> If there are machines with free firmware that also support secure boot,
> we can look at this. So far, I don't believe there are any.
Tianocore (edk2 in Debian) supports virtual machines and also any
device that supports coreboot could ch
]] Ian Jackson
> Tollef Fog Heen writes ("Re: Bug#820036: No bug mentioning a Debian KEK and
> booting use it."):
>
> > So far, I don't believe there are any.
>
> this is rather discouraging, at least for those who think this signed
> image
Tollef Fog Heen writes ("Re: Bug#820036: No bug mentioning a Debian KEK and
booting use it."):
] Ian Jackson
> > Ah. Maybe it would be worth doing anyway. There might be machines
> > which work with some kind of libre firmware. But of course actually
> > doing th
]] Ian Jackson
> Ah. Maybe it would be worth doing anyway. There might be machines
> which work with some kind of libre firmware. But of course actually
> doing this depends on someone having the effort.
If there are machines with free firmware that also support secure boot,
we can look at th
Paul Wise writes ("Re: Bug#820036: No bug mentioning a Debian KEK and booting
use it."):
> On Tue, Oct 18, 2016 at 7:36 PM, Ian Jackson wrote:
> > I'm afraid I can't make sense of this. You have posted it to
> > debian-devel, but without any kind of sens
On Tue, Oct 18, 2016 at 7:36 PM, Ian Jackson wrote:
> I'm afraid I can't make sense of this. You have posted it to
> debian-devel, but without any kind of sensible explanation of the
> context.
It was posted to bug #820036, which is tracking Debian support for
secure boot. Peter was advocating q
Peter Dolding writes ("Bug#820036: No bug mentioning a Debian KEK and booting
use it."):
> Yes it one thing to get shim signed by Microsoft. Do remember
> Microsoft is free to push out updates to the The Forbidden Signatures
> Database(dbx).
>
> [etc.]
I'm afr
Yes it one thing to get shim signed by Microsoft. Do remember
Microsoft is free to push out updates to the The Forbidden Signatures
Database(dbx).
Sign a new shim in case of current one being black listed for some
reason could take weeks/months from Microsoft.
The process to replace PK(platform
16 matches
Mail list logo