Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230

 

 

 

[Debian News] Help test initial support for Secure Boot

The Debian Project News and Announcements curated from official Debian news and rss feeds.

All information here is for reading only, please do not reply to threads in this forum.
Post Reply
Message
Author
Debian News
Forum Account
Forum Account
Posts: 313
Joined: 2023-11-01 21:33
Been thanked: 7 times

[Debian News] Help test initial support for Secure Boot

#1 Post by Debian News »

The Debian Installer team is happy to report that the Buster Alpha 5 release of the installer includes some initial support for UEFI Secure Boot (SB) in Debian's installation media. This support is not yet complete, and we would like to request some help! Please read on for more context and instructions to help us get better coverage and support. On amd64 machines, by default the Debian installer will now boot (and install) a signed version of the shim package as the first stage boot loader. Shim is the core package in a signed Linux boot chain on Intel-compatible PCs. It is responsible for validating signatures on further pieces of the boot process (GRUB and the Linux kernel), allowing for verification of those pieces. Each of those pieces will be signed by a Debian production signing key that is baked into the shim binary itself. However, for safety during the development phase of Debian's SB support, we have only been using a temporary test key to sign our GRUB and Linux packages. If we made a mistake with key management or trust path verification during this development, this would save us from having to revoke the production key. We plan on switching to the production key soon. Due to the use of the test key so far, out of the box Debian will not yet install or run with SB enabled; Shim will not validate signatures with the test key and will stop, reporting the problem. This is correct and useful behaviour! Thus far, Debian users have needed to disable SB before installation to make things work. From now on, with SB still disabled, installation and use should work just the same as previously. Shim simply chain-loads GRUB and continues through the boot chain without checking signatures. It is possible to enrol more keys on a SB system so that shim will recognise and allow other signatures, and this is how we have been able to test the rest of the boot chain. We now invite more users to give us valuable test coverage on a wider variety of hardware by enrolling our Debian test key and running with SB enabled. If you want to help us test our Secure Boot support, please follow the instructions in the Debian wiki and provide feedback. With help from users, we expect to be able to ship fully-working and tested UEFI Secure Boot in an upcoming Debian Installer release and in the main Buster release itself.

Source: https://bits.debian.org/2019/02/testing ... pport.html
Top
Post Reply

Return to “Debian News”