On Tue, Nov 6, 2018 at 6:53 AM Adam Borowski wrote:

> Another question: do we want it? It's beneficial only if you can not only
> add your own keys but also _remove_ built-in ones, and typical "consumer"
> machines don't allow that.

AFAICT the Debian Secure Boot packages are not designed for the scenario where only Debian keys or per-user keys are trusted by the firmware; if they were, then shim-signed would be named shim-signed-microsoft and there would be a shim-signed-debian package too.

In addition, IIRC in such a scenario you still have to trust keys for the non-CPU firmware (VBIOS?), so you probably won't be able to actually remove any of the built-in keys.

In addition, the revocation situation is just ridiculous. There is no way to revoke known-insecure (but still validly signed) software from every vendor that supports secure boot.

So, really the only reason to support Secure Boot is to avoid users having to turn Secure Boot off in their BIOS and avoid having to document how to do that on every firmware implementation that is being shipped on new hardware. I think it is definitely worth the effort to do this to avoid turning people away to other distros.

--
bye,
pabs

https://wiki.debian.org/PaulWise