On Tue, 2018-11-06 at 09:14 +0800, Paul Wise wrote: > AFAICT the Debian Secure Boot packages are not designed for the > scenario where only Debian keys or per-user keys are trusted by the > firmware, if they were then shim-signed would be named > shim-signed-microsoft and there would be a shim-signed-debian package > too.
This was discussed: you can attach multiple signatures to a UEFI binary such as shim, so all this would need is to add an additional signature. Maybe also a legacy version with only the MS signature in case some implementations don't like multiple signatures (it was added in a later UEFI version as far as I understand). > In addition, the revocation situation is just ridiculous. There is no > way to revoke known-insecure (but still validly signed) software from > every vendor that supports secure boot. I agree. You can probably always get something with a valid signature and a code execution bug running... Ansgar
