
Re: Reverted changes on https://wiki.debian.org/SecureBoot



Hi all,

On Mon, Aug 22, 2022 at 3:30 PM Pascal-liste <pascal-liste@nerim.net> wrote:
>
> Hello,
>
> Le 22/08/2022 à 02:32, Steve McIntyre wrote:
> >
> > On Tue, Aug 16, 2022 at 01:42:54PM +0800, Chew, Kean Ho wrote:
> >
> >> 4. Also, the strict "--bootloader-id=debian" condition where, if it is changed
> >>     to something else, shimx64.efi fails to locate /boot/grub.cfg. Is this
> >>     behavior a bug or an expected limitation of the signed shim?
> >
> > You might have tripped over grub_prefix not being set appropriately.
> > Can you describe *exactly* what setup you've tried, please? There's a
> > lot of scope for a setup mismatch here...
>
> I guess it is a known issue I already reported. The culprit is not
> shimx64.efi but the signed GRUB image grubx64.efi which has the path for
> initial grub.cfg hardcoded as /EFI/debian.
>
> grub-install --bootloader-id=somewhere
>
> will install grub.cfg and other files in /EFI/somewhere but GRUB will
> look for /EFI/debian/grub.cfg.
>
Oh no, it slipped through my ticket duplication scan. Can someone help
me close this https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017887
ticket as a duplicate of Pascal's issue? I raised it this morning
after I solidified the investigation steps.

On the bright side, at least we got one bug located.


On Mon, Aug 22, 2022 at 8:32 AM Steve McIntyre <93sam@debian.org> wrote:
> Maybe add a new page (SecureBoot/CA maybe?) and start adding
> things there?
>
Sounds great to me. I just have to place an "under construction" notice
and will build a page for it. It's better to have you review it first
before removing the notice and going official.

In the meantime, I will be writing some descriptive review papers on
my personal side about the X509 Root of Trust papers to strengthen the
fact findings.


>
> >     2. Given the fact that the wiki caters for all levels of users, and x509
> >        itself and its maintenance are already complicated to do
> >        securely, I really do not want to complicate the Debian user
> >        experience. In the worst case scenario, I can write a
> >        technical paper and upload it to Zenodo to preserve the
> >        knowledge if that's needed. Please advise.
>
> That might be a reasonable option too, of course! Sharing stuff via
> the Debian wiki is typically *my* preferred route, but I've also
> written a lump of stuff in the upstream shim wiki too:
>
>   https://github.com/rhboot/shim/wiki
>
> That might even be a better place, possibly.
GitHub wiki? Oh no no. That SecureBoot/CA is better, like a lot
better. The content is under Debian sole control.


> Aha! That path will be slightly different to the d-i path that's most
> common, and I see you've filed a bug too. More over there.
>
Yeap. Sure. Let me know what else you need. My tools are solid enough
to reproduce a build in under 1 hour and work on both the liveDVD and the
current Debian system. The only thing I regret is building the
library in BASH instead of a proper language like Go or Rust.
Otherwise, I would have open-sourced it.

Cheers!


Regards,
Holloway
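The mismatch Pascal describes above (grub-install writes to /EFI/<id>, the signed grubx64.efi reads /EFI/debian/grub.cfg) can be checked on an ESP before rebooting. The following shell function is an added example, not code from the thread or from Debian; it assumes the hardcoded prefix is exactly "/EFI/debian" as stated in the thread and runs against a constructed ESP tree in a temp directory.

```sh
#!/bin/sh
# Added example (not from the thread): verify that an ESP layout produced by
# `grub-install --bootloader-id=<id>` matches the prefix that Debian's signed
# grubx64.efi is built with. Assumption (from the thread): the signed image
# looks for /EFI/debian/grub.cfg regardless of the id passed to grub-install.
SIGNED_GRUB_PREFIX="/EFI/debian"

# check_esp_layout ESP_ROOT BOOTLOADER_ID
# Prints a diagnosis. Returns 0 when the signed GRUB will find its grub.cfg,
# 1 when it will not (the situation reported in Debian bug #1017887).
check_esp_layout() {
    esp="$1"
    id="$2"
    installed_cfg="$esp/EFI/$id/grub.cfg"
    expected_cfg="$esp$SIGNED_GRUB_PREFIX/grub.cfg"

    if [ ! -f "$installed_cfg" ]; then
        echo "no grub.cfg at $installed_cfg; was grub-install run with --bootloader-id=$id?"
        return 1
    fi
    if [ -f "$expected_cfg" ]; then
        echo "OK: signed GRUB prefix $SIGNED_GRUB_PREFIX resolves to $expected_cfg"
        return 0
    fi
    echo "MISMATCH: grub.cfg is at $installed_cfg but signed grubx64.efi reads $expected_cfg"
    echo "  fix: reinstall with --bootloader-id=debian (the layout the signed image expects)"
    return 1
}

# Demo on a constructed ESP tree in a temp directory; no real disk is touched.
demo() {
    esp=$(mktemp -d)
    mkdir -p "$esp/EFI/somewhere"
    : > "$esp/EFI/somewhere/grub.cfg"   # what --bootloader-id=somewhere produces
    check_esp_layout "$esp" somewhere   # MISMATCH, returns 1
    mkdir -p "$esp/EFI/debian"
    : > "$esp/EFI/debian/grub.cfg"      # what --bootloader-id=debian produces
    check_esp_layout "$esp" somewhere   # OK, returns 0
    rm -rf "$esp"
}

demo
```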