FS#67613 - [efitools] Include LockDown.efi private keys or exclude LockDown.efi from installed tools
Attached to Project:
Arch Linux
Opened by Daan De Meyer (DaanDeMeyer) - Sunday, 16 August 2020, 22:33 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:24 GMT
Details
Description:
If I understand correctly, LockDown.efi embeds a set of keys that it will install into the UEFI firmware upon execution in the UEFI shell. Doesn't that mean that just including the LockDown.efi binary in the package without providing the generated secure boot signing keys as well is not very useful, as no one will be able to sign images that will be accepted by the installed keys? Ideally the signing keys corresponding to the LockDown.efi binary would be provided by this package as well, which allows for quickly testing secure boot in qemu without having to build a custom LockDown.efi from source.
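As an added example (not part of this bug report or of efitools itself), a small Python builder and parser for the EFI_SIGNATURE_LIST structure that efitools' cert-to-efi-sig-list produces and that LockDown.efi carries as the payload of its PK/KEK/db variable updates; it lets you check which certificates a key blob would actually enroll before trusting a prebuilt binary. The DER bytes and owner GUID below are constructed placeholders, not a real certificate.

```python
"""Build and parse EFI_SIGNATURE_LIST (ESL) blobs as defined by the UEFI spec."""
import struct
import uuid

# SignatureType GUID for X.509 certificate entries (UEFI specification).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian, GUID in mixed-endian).
HDR = struct.Struct("<16sIII")

# Constructed sample data: NOT a real certificate, just DER-looking bytes.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")


def build_x509_esl(der_cert: bytes, owner: uuid.UUID) -> bytes:
    """Wrap one DER certificate in an ESL holding a single EFI_SIGNATURE_DATA."""
    sig_data = owner.bytes_le + der_cert           # SignatureOwner + SignatureData
    list_size = HDR.size + len(sig_data)
    return HDR.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, len(sig_data)) + sig_data


def parse_esl(blob: bytes) -> list:
    """Walk concatenated signature lists; return (type GUID, owner GUID, data) tuples.
    Raises ValueError on truncated or inconsistent sizes, which is the check you
    want before enrolling a blob into firmware variables."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = HDR.unpack_from(blob, off)
        if list_size < HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize inconsistent with blob length")
        body = blob[off + HDR.size + hdr_size: off + list_size]
        if sig_size <= 16 or len(body) % sig_size:
            raise ValueError("body is not a whole number of signature entries")
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            entries.append((uuid.UUID(bytes_le=sig_type),
                            uuid.UUID(bytes_le=entry[:16]), entry[16:]))
        off += list_size
    return entries


def esl_is_wellformed(blob: bytes) -> bool:
    """True if the blob parses cleanly, False on any structural error."""
    try:
        parse_esl(blob)
        return True
    except ValueError:
        return False


def cert_in_esl(blob: bytes, der_cert: bytes) -> bool:
    """Does any X.509 entry in the blob carry exactly this certificate?"""
    return any(t == EFI_CERT_X509_GUID and d == der_cert for t, _, d in parse_esl(blob))
```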
Closed by Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:24 GMT
Reason for closing: Moved
Additional comments about closing: https://gitlab.archlinux.org/archlinux/packaging/packages/efitools/issues/1
Upstream does not provide valid secure boot keys anymore (to my knowledge).
Additionally, Arch Linux as a distribution does not (yet) have a distribution key for these purposes (see https://bugs.archlinux.org/task/53864).
I am unsure how to proceed here, as efitools in its current form has become slightly useless.
FYI: The package would become unreproducible if the certs were added, as they are generated during build.