Comment 15 for bug 1696154

Steve Langasek (vorlon) wrote : Re: [17.10 FEAT] Sign POWER host/NV kernels

Does IBM have any feedback for us regarding the test kernel Andy provided?

We have generated an online signing key to be included in db for OPAL. In the absence of feedback about whether 4096-bit keys are supported, we have generated a 2048-bit key.

Our current plan for secure delivery of the public key to IBM is to deliver the keys in person to George next month. Does this timeline fit IBM's needs for receipt of the public keys? Does it meet your expectations for a trust path for the keys, or is there another protocol that should be used?

In your reply of August 1, you wrote:

> However, in order to add a certificate to DB, the certificate should be
> signed by any of the KEK entries. The PK will be used to authorize updates
> to the KEK certificate list.

Can you please clarify if this means you are expecting the db entry to be delivered as an x509 certificate issued by the CA key listed in KEK, or if it should be delivered according to the format defined in the UEFI spec for authenticated variable updates?