Currently it's all ephemeral keys at build time, but I think we should be able to generate a key, dump it as a GitHub Actions Secret and have the kernel build use that instead.
As everything is built on private GitHub Runners (ephemeral GitHub instances), that should be fine, so long as GitHub itself doesn't get compromised (but then we'd have other problems).
Honestly I would be very happy to get an ephemeral Sigstore Cosign cert that has 15min validity (https://docs.sigstore.dev/quickstart/quickstart-cosign/) to embed as a trusted cert into the kernel, and sign the kernel and modules with it (and use faketime to keep the signing time within the validity time, because kexec checks that). And then such a cert is easy to include into the moklist to trust.
Also hoping in the future to have sigstore policies in the kernel to allow users to specify "trust sigstore cert with these attestations".
Are there any signatures on the kernel?
Or should I self sign & enroll?
Even one with ephemeral keys would help.