This talk reports on the current status of Secure Boot support in Debian as implemented by the EFI team, and on what is still missing. The team will explain the overall architecture and workflow, the required changes in dak, how the signing service works, and how this affects packaging because of the new template binary packages that the signing service requires.
There are various tools for creating system images based on Debian and its derivatives, including vmdebootstrap (and its successor vmdb2), bitbake, and live-wrapper. Each has its own pros and cons.
This is an opportunity to share practical experience, including recommendations for effective usage, traps to avoid, and lesser-known tools for this task.
The Linux kernel is under rapid development. Stable releases are made roughly five times per year, each including many new features and support for new hardware. This talk will summarise the features that have been added and enabled in the last year.
There have been many changes to Linux between 4.14 and 4.18. Some of these will require new or updated userland applications to take advantage of them. I will attempt to summarise the most interesting changes and the state of integration in Debian.
We use several different approaches to improve hardware support during a Debian stable release:
- Updating selected drivers in the linux package
- Adding newer versions of linux and other packages to the associated backports suite
- Adding an alternate kernel version in the stable suite (etch-and-a-half, jessie LTS)
Updating selected drivers in the linux package (and other driver packages) is the best way to make new hardware support available to users, but it can require substantial development time and carries a relatively high risk of regression. I did many kernel driver backports during the stretch and wheezy releases, but haven’t found time to do so more recently.
The backports suites can provide comprehensive support for new hardware, but they are less readily available (for example, there is no official installer build using the kernel from backports). The backports suites are often the last to get security updates, and they are not maintained during the LTS period.
We’ve previously tried to add alternate kernel versions halfway through a stable cycle, with limited success. For etch, the etch-and-a-half update added new versions of the Linux kernel, some X drivers, and the installer to etch shortly before the lenny release. For jessie, there were plans to improve arm64 support in a similar way, but these were overtaken by the stretch release.
How can we do better?