On Mon, Jan 09, 2012 at 04:29:12PM +0000, Tanguy Ortolo wrote:
> Wookey, 2012-01-09 15:04+0100:
> > I assume everyone here is aware of mjg's useful posts about the issue of
> > key-management in UEFI secure boot?
> >
> > We need to do one of:
> >
> > * get our bootloaders signed by something like the 'linuxfoundation key'
> >   if such a thing gets widely installed,
> > * explain to users how to get the 'debian key' installed
> > * explain to users how to turn off secure boot.
> > * Get manufacturers to put the Debian key in machines for sale (or
> >   just make them with Debian (or a derivative) pre-installed).
>
> Just as a reminder, we must be aware that GRUB images are generated
> locally on each host. Thus every user would have to have the secret key
> to sign their boot loader image.

Hmm, I might misunderstand this, but wouldn't just the grub binary need
to be signed? And this binary then would parse the grub.cfg file and
allow various kernels to boot.

regards,
iustin