[arch-dev-public] Arch Linux Secure Boot support, get it done ; )

David Runge dave at sleepmap.de
Wed Feb 2 12:35:10 UTC 2022


On 2022-02-02 12:40:56 (+0100), Morten Linderud via arch-dev-public wrote:
> # Signed SHIM
> 
> First of we need to have a signing solution for this. My idea has been to
> piggy-back on the existing work on the signing-enclave. However it's current
> focus is GnuPG and I need something which can support x509 certificates and
> preferably PKCS11 for hardware tokens.
> 
> I think having a separate POC for this and later folding it into the
> signing-enclave is a good options as well.
> 
> Once we have a key we can embed into the shim, we can build a shim package and
> submit it for review to Microsoft.
> 
> https://github.com/rhboot/shim-review
> 
> Once this is signed and approved by Microsoft we can provide our own
> "shim-signed" package.

As a short addition: This topic is (also) tracked in the context of
archiso (with more links to previous mailing list and issue tracker
discussions): https://gitlab.archlinux.org/archlinux/archiso/-/issues/69

I think it would be good to track this effort in an overarching meta
repo using an epic though, so that we can more easily identify the
blockers and or follow-up tickets towards e.g. packaging,
infrastructure, archiso, etc.
(this would be beneficial for a bunch of our "larger topics")

FWIW: The shim package is already available in [community] (it's
unsigned of course).

> # RFC
> 
> I think this entire process should be an RFC along with how we want to
> accomplish each step.
> 
> https://gitlab.archlinux.org/archlinux/rfcs/
> 
> My main focus is mostly going to be around the Git package migration but I have
> been tempted writing up a POC when I have a weekend. It would mostly be to make
> an example signing solution and some package examples.

I believe an RFC around this would be great, to outline the various
things that we would need to support to make this happen.

This needs a dedicated set of people working on this and spending the
time to do this right.

I would love to see this happen, but currently do not see myself in any
position to help with it.

Best,
David

-- 
https://sleepmap.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-dev-public/attachments/20220202/19c18691/attachment.sig>


More information about the arch-dev-public mailing list