Public bug reported:

The UC20 team is working on integration testing of images with TPM-
backed full-disk encryption, and as part of this, Chris is currently
rebuilding edk2 from source to inject his own signing keys into the
SecureBoot db.

Instead of doing this downstream, it would be better to have the edk2
package provide an additional SecureBoot vars file that is preloaded
with a snakeoil key (i.e., a key whose private part is shipped in the
source - NOT generated at package build-time, but statically shipped -
and which is also shipped in the binary package so that users can make
use of it).

There should be snakeoil keys for both db and KEK at least (and PK if
that's required?).
** Affects: edk2 (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1850848
Title:
Please provide a UEFI vars template with snakeoil keys pre-enrolled