2019-10-31 19:18:20 |
Steve Langasek |
description |
The UC20 team is working on integration testing of images with TPM-backed full-disk encryption, and as part of this, Chris is currently rebuilding edk2 from source to inject his own signing keys into the SecureBoot db.
Instead of doing this downstream, it would be better to have the edk2 package provide an additional SecureBoot vars file that is preloaded with a snakeoil key (i.e., a key whose private part is shipped in the source - NOT generated at package build-time, but statically shipped - and which is also shipped in the binary package so that users can make use of it). |
The UC20 team is working on integration testing of images with TPM-backed full-disk encryption, and as part of this, Chris is currently rebuilding edk2 from source to inject his own signing keys into the SecureBoot db.
Instead of doing this downstream, it would be better to have the edk2 package provide an additional SecureBoot vars file that is preloaded with a snakeoil key (i.e., a key whose private part is shipped in the source - NOT generated at package build-time, but statically shipped - and which is also shipped in the binary package so that users can make use of it).
There should be snakeoil keys for both db and KEK at least (and PK if that's required?). |
|