Re: Q: secure boot

On Tue, 2018-11-06 at 09:14 +0800, Paul Wise wrote:
> AFAICT the Debian Secure Boot packages are not designed for the
> scenario where only Debian keys or per-user keys are trusted by the
> firmware; if they were, then shim-signed would be named
> shim-signed-microsoft and there would be a shim-signed-debian package
> too.

This was discussed: you can attach multiple signatures to a UEFI binary
such as shim, so all this would need is to add an additional signature.
Maybe also a legacy version with only the MS signature in case some
implementations don't like multiple signatures (it was added in a later
UEFI version as far as I understand).

> In addition, the revocation situation is just ridiculous. There is no
> way to revoke known-insecure (but still validly signed) software from
> every vendor that supports secure boot.

I agree.  You can probably always get something with a valid signature
and a code execution bug running...
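
The multiple-signature point in the reply above can be checked on a given binary by walking the PE certificate table, where each attached signature is one WIN_CERTIFICATE entry. The following is an added example, not part of the original thread; the function names and the constructed sample image (with placeholder blobs rather than real signatures) are assumptions made for illustration.

```python
import struct

CERT_DIR_INDEX = 4                       # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 blob

def list_signatures(image: bytes):
    """Return (file_offset, length, revision, cert_type) per WIN_CERTIFICATE."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 24                        # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):      # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)
    count = struct.unpack_from("<I", image, dirs - 4)[0]  # NumberOfRvaAndSizes
    if count <= CERT_DIR_INDEX:
        return []
    off, size = struct.unpack_from("<II", image, dirs + 8 * CERT_DIR_INDEX)
    if off + size > len(image):          # this directory holds a file offset, not an RVA
        raise ValueError("certificate table runs past end of file")
    entries, pos, end = [], off, off + size
    while pos + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        entries.append((pos, length, rev, ctype))
        pos += (length + 7) & ~7         # entries are 8-byte aligned
    return entries

def build_sample(n_sigs: int) -> bytes:
    """Constructed PE32+ skeleton carrying n placeholder certificate entries."""
    pe = 0x40
    img = bytearray(pe + 24 + 112 + 16 * 8)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe)
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<H", img, pe + 24, 0x20B)
    struct.pack_into("<I", img, pe + 24 + 108, 16)
    table = bytearray()
    for i in range(n_sigs):
        blob = b"placeholder-signature-%d" % i   # constructed, not a real PKCS#7
        entry = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        table += entry + b"\0" * (-len(entry) % 8)
    struct.pack_into("<II", img, pe + 24 + 112 + 8 * CERT_DIR_INDEX, len(img), len(table))
    return bytes(img + table)
```

This only enumerates the attached entries; it does not verify any signature or say which keys the firmware would accept.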