You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Some hardware now ships with secureboot enabled by default, and we are currently advising disabling secureboot in the BIOS to ensure our custom kernels can boot in [1] .
We should consider signing our kernels and initram as described in [2] and ensuring the integrity of the kernel is validated prior to boot. This will require shim-signed, where we can sign the kernels at build time and enroll keys on the servers during the install process.
Description
Initially reported by https://forum.securedrop.org/t/running-handler-common-reboot-if-rquired-due-to-security-updates/1397/1:
Some hardware now ships with secureboot enabled by default, and we are currently advising disabling secureboot in the BIOS to ensure our custom kernels can boot in [1] .
We should consider signing our kernels and initram as described in [2] and ensuring the integrity of the kernel is validated prior to boot. This will require
shim-signed, where we can sign the kernels at build time and enroll keys on the servers during the install process.[1] freedomofpress/securedrop-docs#158
[2] https://gloveboxes.github.io/Ubuntu-for-Azure-Developers/docs/signing-kernel-for-secure-boot.html
The text was updated successfully, but these errors were encountered: