On Thu, Dec 14, 2023 at 09:31:11PM +0100, Bastian Blank wrote:
> On Thu, Dec 14, 2023 at 03:09:51PM +, Steve McIntyre wrote:
> > It's a difficult thing to do, especially in light of significant
> > pushback from upstream developers.
Okay, I finally managed to read most of that thread. And it
On Thu, Dec 14, 2023 at 03:09:51PM +, Steve McIntyre wrote:
> On Wed, Dec 13, 2023 at 10:18:40PM +, Dimitri John Ledkov wrote:
> >There is no sbat for kernels yet (and/or nobody has yet started to use sbat
> >for
> >kernels).
> It's a difficult thing to do, especially in light of
Hey all,
On Wed, Dec 13, 2023 at 10:18:40PM +, Dimitri John Ledkov wrote:
>At the moment the best options are:
>
>- rotate online signing key
>- build new shim with old signing key in vendorx (revoked ESL)
>- build new kernels with old signing key built-in revoked keyring
>
>This is to ensure
On Wed, Dec 13, 2023 at 10:18:40PM +, Dimitri John Ledkov wrote:
> At the moment the best options are:
>
> - rotate online signing key
> - build new shim with old signing key in vendorx (revoked ESL)
> - build new kernels with old signing key built-in revoked keyring
>
> This is to ensure
At the moment the best options are:
- rotate online signing key
- build new shim with old signing key in vendorx (revoked ESL)
- build new kernels with old signing key built-in revoked keyring
This is to ensure that old shim & old kernel can boot or kexec new kernels.
To ensure new shim cannot
Hi
I don't think we currently have a documented way to revoke old kernels
for secure boot. Are there known plans by other distributions? Or
should we just force the inclusion of SBAT and use it as intended?
Regards,
Bastian
--
... The prejudices people feel about each other disappear when
6 matches
Mail list logo
