[liberationtech] best practices - roundup

Maxim Kammerer mk at dee.su
Tue Oct 9 15:55:06 PDT 2012


On Wed, Oct 10, 2012 at 12:16 AM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
> Exciting and congratulations.

Thanks, getting it to work was a real pain. PaX / grsecurity kernel
patches had UEFI-related bugs, and the most suitable UEFI signing tool
(sbsigntool) lacked support for 32-bit EFI binaries. All of this is
now fixed / integrated upstream (sbsigntool is used in Ubuntu, by the
way).

> What is your plan for Secure Boot related signatures? It seems like a
> real pain for a lot of distros and a real pain for users to set up,
> especially those without an understanding of cryptography at a high level.

Liberté ships its own Secure Boot certificate, which signs the GRUB
bootloader, and the trusted chain continues from there. After
experimenting with Secure Boot in OVMF builds, I think that enrolling
such a certificate is not difficult — it is not more difficult than
changing the order of boot devices in BIOS, for instance (back then
before a menu could be invoked by pressing a key). Most controversy
about Secure Boot support in Linux one finds online is about making
the process completely transparent for users, which requires either
using Microsoft-signed binaries (Fedora) / intermediate certificate,
or embedding one's keys in firmware (Ubuntu). If you forgo the
requirement of complete boot transparency, which I think is reasonable
for a special-purpose live distribution, using one's own certificate is
an obvious choice.

-- 
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
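
Added example, not part of the original message and not Liberté's or sbsigntool's code: a signed EFI binary is a PE/COFF image whose Certificate Table holds the signature, and the code below reports whether such an entry is present in both 32-bit (PE32) and 64-bit (PE32+) images. It checks presence and type only, not cryptographic validity against an enrolled certificate; `inspect_efi_image` and `build_sample` are hypothetical names and the sample images are constructed.

```python
import struct

PE32, PE32_PLUS = 0x10B, 0x20B           # optional-header magic values
CERT_DIR = 4                             # data-directory index of the Certificate Table
PKCS_SIGNED_DATA = 0x0002                # WIN_CERT_TYPE_PKCS_SIGNED_DATA (Authenticode)

def inspect_efi_image(data: bytes) -> dict:
    """Report the image format and the signature entries of a PE/COFF EFI binary."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24                    # 4-byte signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32, PE32_PLUS):
        raise ValueError("unknown optional-header magic")
    dirs = opt + (96 if magic == PE32 else 112)   # directories start later in PE32+
    (count,) = struct.unpack_from("<I", data, dirs - 4)
    off = size = 0
    if count > CERT_DIR:                 # for this entry the "address" is a file offset
        off, size = struct.unpack_from("<II", data, dirs + 8 * CERT_DIR)
    end = off + size
    if end > len(data):
        raise ValueError("certificate table runs past end of file")
    certs = []
    while off + 8 <= end:                # walk the WIN_CERTIFICATE entries
        length, _revision, ctype = struct.unpack_from("<IHH", data, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        certs.append({"length": length, "pkcs7": ctype == PKCS_SIGNED_DATA})
        off += (length + 7) & ~7         # entries are 8-byte aligned
    return {"format": "PE32" if magic == PE32 else "PE32+", "certificates": certs}

def build_sample(magic: int, signed: bool) -> bytes:
    """Constructed header-only test image (not bootable, placeholder signature blob)."""
    dir_off = 96 if magic == PE32 else 112
    opt = bytearray(dir_off + 16 * 8)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dir_off - 4, 16)          # NumberOfRvaAndSizes
    cert = struct.pack("<IHH", 16, 0x0200, PKCS_SIGNED_DATA) + b"\0" * 8
    if signed:
        struct.pack_into("<II", opt, dir_off + 8 * CERT_DIR, 0x40 + 24 + len(opt), len(cert))
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C if magic == PE32 else 0x8664, 0, 0, 0, 0, len(opt), 0)
    return dos + b"PE\0\0" + coff + bytes(opt) + (cert if signed else b"")

if __name__ == "__main__":
    print(inspect_efi_image(build_sample(PE32, signed=True)))
```

An image that reports no certificate entries would be rejected by firmware with Secure Boot enabled; one that reports an entry still needs its signature verified against the enrolled certificate, for example with sbverify from sbsigntool.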


