Re: EFI BoF at DebConf

To: debian-devel@lists.debian.org, debian-cd@lists.debian.org, debian-boot@lists.debian.org, debian-live@lists.debian.org
Subject: Re: EFI BoF at DebConf
From: Steve Langasek <vorlon@debian.org>
Date: Tue, 31 Jul 2012 14:28:28 -0700
Message-id: <[🔎] 20120731212828.GA15683@virgil.dodds.net>
Mail-followup-to: debian-devel@lists.debian.org, debian-cd@lists.debian.org, debian-boot@lists.debian.org, debian-live@lists.debian.org
In-reply-to: <[🔎] CAKTje6EGV4vOSw2KeQgJVQqrZsf=R6WY0GZSwUOdQjqewshGmQ@mail.gmail.com>
References: <[🔎] 20120720223413.GA15128@einval.com> <[🔎] CAKTje6EGV4vOSw2KeQgJVQqrZsf=R6WY0GZSwUOdQjqewshGmQ@mail.gmail.com>

On Tue, Jul 31, 2012 at 02:40:25PM -0600, Paul Wise wrote:

> > Here's a summary of what we discussed in the EFI BoF [1] last week
> > (9th July). Thanks to the awesome efforts of the DebConf video team,
> > the video of the session is already online [2] in case you missed
> > it. I've also attached the Gobby notes that were taken during the
> > session. Again, thanks to the people who took part - we had a useful
> > discussion.

> One thing I don't think anyone has discussed yet is how key
> transitions will work, if a distro-specific key is compromised, is the
> OS able to update the SB keys?

Any OS will be able to push signed updates to the DB and DBX variables,
adding new trusted keys or revoking keys / individual binaries.  However,
the only signed updates that will be accepted by the firmware are those
signed by keys already trusted /by the firmware/ (i.e., those present in the
kEK).  This means that in general, if you have a compromised key or
compromised binary, you need to go back to the CA (i.e., whoever is
providing a trust path back to KEK for you) and ask them to issue a
revocation.

> > Any one binary can only be signed by one key.

> Would it be possible/useful to circumvent this limitation by making
> copies of the binary and then signing them?

It's certainly straightforward to take copies of a single binary and have it
signed by multiple keys.  It's even straightforward to remove one signature
from a binary and replace it with another.  What's not straightforward is to
provide a single boot image that can reasonably make use of such things,
since UEFI boots by looking for a single well-known path to boot from.

FWIW the UEFI working group seems to consider it an oversight that only one
signature is allowed per binary, and work is afoot to correct this.  But as
with other issues, it's probably too late to make a difference for the first
iteration of hardware.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

Attachment: signature.asc
Description: Digital signature

Reply to:

References:
- EFI BoF at DebConf
  - From: Steve McIntyre <steve@einval.com>
- Re: EFI BoF at DebConf
  - From: Paul Wise <pabs@debian.org>

Prev by Date: Re: EFI BoF at DebConf
Next by Date: Re: [SCM] d-i netcfg repository branch, people/sorina/coding_style, created. 1.65-204-g6652eb1
Previous by thread: Re: EFI BoF at DebConf
Next by thread: Bug#682319: Installation was successfully
Index(es):
- Date
- Thread