Please provide a UEFI vars template with snakeoil keys pre-enrolled
Bug #1850848 reported by Steve Langasek
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
edk2 (Ubuntu) | Fix Released | Undecided | dann frazier | |
Bug Description
The UC20 team is working on integration testing of images with TPM-backed full-disk encryption, and as part of this, Chris is currently rebuilding edk2 from source to inject his own signing keys into the SecureBoot db.
Instead of doing this downstream, it would be better to have the edk2 package provide an additional SecureBoot vars file that is preloaded with a snakeoil key (i.e., a key whose private part is shipped in the source - NOT generated at package build-time, but statically shipped - and which is also shipped in the binary package so that users can make use of it).
There should be snakeoil keys for both db and KEK at least (and PK if that's required?).
description: updated
tags: added: id-5dbb3440624d815a2715c706
Changed in edk2 (Ubuntu):
status: New → In Progress
tags: added: patch
Changed in edk2 (Ubuntu):
status: In Progress → Fix Committed
@Dannf - as first triage step I'd like to check with you if you will take a look at this in Debian (as most of the time) and we just sync?