On Tue, 2016-04-05 at 02:08 +0200, Christian Seiler wrote:
> Package: src:tiny-initramfs
> Version: 0.1-2
> Severity: normal
>
> (Filing this as maintainer of tiny-initramfs after seeing the
> other bugs related to secure boot filed on debian-devel.)
>
> As well as the other initramfs implementations in Debian (dracut,
> #820041 and initramfs-tools, #820037), tiny-initramfs should also
> support detached signatures for the kernel modules to support secure
> boot. Since it doesn't use kmod to load modules but the syscall
> directly, support for appending the signatures needs to be added to
> tiny-initramfs - in addition to the code required in the Debian
> packaging that generates the initramfs and copies the modules there.
>
> I plan to work on this once I've familiarized myself with how the
> signature stuff works.

The signing process appends a signature and some metadata to the end of
the module. I've implemented detached module signatures in such a way
that you can simply concatenate module and signature file, and you
might as well do that at initramfs build time.

> @Ben: I'll leave it up to you if you want to block #820036 with this
> bug, as tiny-initramfs is a very niche thing with low popcon.

It wouldn't be a blocker for announcing 'Debian now supports Secure
Boot' but it seems reasonable to add it to that tracking bug.

Ben.

-- 
Ben Hutchings
No political challenge can be met by shopping. - George Monbiot
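
The build-time concatenation described in the reply above, as an added example that is not part of the original message or of tiny-initramfs. It assumes the detached file holds the complete trailer in the Linux kernel's appended-signature layout (signature, 12-byte `struct module_signature`, marker string); the function names and sample bytes are constructed for illustration.

```python
import struct

MAGIC = b"~Module signature appended~\n"  # MODULE_SIG_STRING in the Linux kernel
INFO = struct.Struct(">BBBBB3xI")         # struct module_signature: 12 bytes, sig_len big-endian
PKEY_ID_PKCS7 = 2                          # id_type used for PKCS#7 signatures


def split_signed_module(blob):
    """Split a signed module into (module, signature); ValueError if the trailer is bad."""
    if not blob.endswith(MAGIC):
        raise ValueError("no signature marker at end of file")
    info_end = len(blob) - len(MAGIC)
    sig_end = info_end - INFO.size
    if sig_end < 0:
        raise ValueError("truncated signature info")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = INFO.unpack_from(blob, sig_end)
    if sig_len == 0 or sig_len > sig_end:
        raise ValueError("signature length field out of range")
    # Current kernels reject a PKCS#7 trailer whose legacy fields are non-zero.
    if id_type == PKEY_ID_PKCS7 and (algo or hash_ or signer_len or key_id_len):
        raise ValueError("PKCS#7 trailer must zero the legacy fields")
    return blob[:sig_end - sig_len], blob[sig_end - sig_len:sig_end]


def attach(module, detached):
    """Concatenate module and detached signature file, then re-parse the result."""
    if module.endswith(MAGIC):
        raise ValueError("module already carries a signature")
    signed = module + detached
    body, _sig = split_signed_module(signed)
    # Assumption: a valid detached file is exactly signature + info + marker,
    # so the parsed body must equal the unsigned module byte for byte.
    if body != module:
        raise ValueError("detached file is not exactly signature + info + marker")
    return signed


# Constructed sample data: not a real module and not a real PKCS#7 blob.
SAMPLE_MODULE = b"\x7fELF" + b"constructed module body"
SAMPLE_SIG = b"\x30\x82" + b"S" * 30
SAMPLE_DETACHED = SAMPLE_SIG + INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(SAMPLE_SIG)) + MAGIC

if __name__ == "__main__":
    signed = attach(SAMPLE_MODULE, SAMPLE_DETACHED)
    print(len(signed), split_signed_module(signed)[0] == SAMPLE_MODULE)
```

This checks only the trailer structure, so a truncated or mismatched signature file is caught when the initramfs is built rather than when the kernel refuses the module at boot; it does not verify the signature itself.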