Re: Xen, Fedora, and UEFI Secure Boot

On Fri, 2012-07-06 at 16:44 +0100, M A Young wrote: 
> Another good article I stumbled upon about what Fedora plans is at 
> http://mjg59.dreamwidth.org/12368.html
> 
Yep, I found and (re)read it too. Here are the excerpts that looked
most interesting to me:

"Instead we're writing a very simple bootloader[2]. This will do nothing
other than load a real bootloader (grub 2), validate that it's signed
with a Fedora signing key and then execute it. Using the Fedora signing
key there means that we can build grub updates in our existing build
infrastructure and sign them ourselves."

"So, we'll be moving to requiring signed kernel modules and locking down
certain aspects of kernel functionality."

"We'll be providing all the tools we use for signing our binaries, but
for obvious reasons we can't hand out our keys."

So, I might well be wrong, but that's how I understood the thing:

- what we need is the xen binaries shipped with the xen rpms to be 
   signed with the Fedora keys, just as grub2 and the linux binaries 
   will be, is that true?

- I'm not sure we can't do that by ourselves, does that "we will 
   release tools but not keys" also exclude, say, the xen packages 
   maintainer from signing stuff?

If we "just" need to sign the binary and a package maintainer and/or the
"existing build infrastructure" can sign stuff, I tend to think we
should be pretty safe...

Thoughts?

Regards,
Dario

-- 
<<This happens because I choose it to happen!>> (Raistlin Majere)
-----------------------------------------------------------------
Dario Faggioli, Ph.D, http://retis.sssup.it/people/faggioli
Senior Software Engineer, Citrix Systems R&D Ltd., Cambridge (UK)



--
xen mailing list
xen@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/xen
