wiki icon indicating copy to clipboard operation
wiki copied to clipboard

Published 20 hours ago verified publisher icon AlmaLinux

Add secure boot key generation and handling guide

Open jonathanspw opened this issue 1 year ago • 4 comments
trafficstars

This PR adds documentation on how we generate and handle secure boot private keys and certificates. Users may be interested or concerned with this process to ensure we're doing everything we can to ensure security of our keys and subsequently their data.

jonathanspw avatar May 06 '24 20:05 jonathanspw

This looks super straight forward to me, though definitely long and tedious, as it says. :D

I'd like to see also included:

* who is responsible for this key generation

I hesitate to add such a specific for the same reason I didn't include who the actual key holders are. It makes them a target.

* who is responsible for this document

I suppose this technically should be inherited by ALESCo. Will come up with some wording.

* also include a `last updated` date at the top of the doc that gets incremented when/if it's updated in the future, [matching the format that we use for other stuff](https://github.com/AlmaLinux/wiki/blob/master/docs/Contribute-to-Documentation.md):
last updated: YYYY-MM-DD

How about we extend that further with a versioning of the document. Since it may change over time it could be useful to say "AlmaLinux 10 keys were generated with the guide updated YYYY-MM-DD. AlmaLinux 11 keys were generated with YYYY-MM-DD, etc.".

jonathanspw avatar May 06 '24 20:05 jonathanspw

I hesitate to add such a specific for the same reason I didn't include who the actual key holders are. It makes them a target. ... I suppose this technically should be inherited by ALESCo. Will come up with some wording.

I think indicating that it's a process overseen by ALESCo would be good enough for me. Definitely opposed to naming the actual key owners.

How about we extend that further with a versioning of the document. Since it may change over time it could be useful to say "AlmaLinux 10 keys were generated with the guide updated YYYY-MM-DD. AlmaLinux 11 keys were generated with YYYY-MM-DD, etc.".

Works for me, as long as we also include the last-updated date!

bennyvasquez avatar May 06 '24 20:05 bennyvasquez

@bennyvasquez all feedback implemented.

jonathanspw avatar May 07 '24 19:05 jonathanspw

@codyro @andrewlukoshko before we merge this one I'd like your official reviews/approvals

bennyvasquez avatar May 10 '24 15:05 bennyvasquez