[ Note CCs to multiple lists - we know multiple groups of people have
an interest in this... ]
Hi folks,
We have issues with the setup of the shim and shim-signed packages in
unstable at the moment, which is quite awkward to fix. See #922179 for
the original bug report.
shim and shim-signed have an ... awkward relationship, which causes us
multiple problems at the moment.
1. shim is the primary source package, building one binary package
which included several EFI binaries - the shimx64.efi binary
itself, plus two helpers (fbx64.efi.signed and
mmx64.efi.signed)
2. shimx64.efi is the EFI binary that is submitted to Microsoft
for signing - it's the core of our Secure Boot implementation
(like all Linux distros)
2b. The MS-signed binary (shimx64.efi.signed) is shipped in the
shim-signed source package and passed through to the
shim-signed binary package
2c. The shim-signed source package validates that the binary
matches what we built in shim, and checks the signature
applies..
3. For $reasons, the existing shim-signed binary package has a
strict versioned dependency on the shim binary package to pull
in the helper binaries for installation. We are very much
planning on fixing this, but this is the historical setup.
4. As requested, Steve Langasek uploaded a new upstream version of
shim to unstable (15+1533136590.3beb971-2, which is there right
now).
5. Until we get an MS signature on a new shim binary, we will
*not* have a matching shim-signed binary package, so for now we
still have the *old* (1.28+nmu1+0.9+1474479173.6c180c6-1)
shim-signed binary and source in unstable.
6. Everything works OK right now in buster, but...
7. Right now, shim-signed is not installable in sid, which means that:
7a. People can't test SB in unstable
7b. (Worse) as shim-signed is a build-dep for d-i on amd64 (to be
able to make SB-compatible installer images) we currently
can't build d-i
8. We don't have an ETA for a new signature from MS which would
unblock us. At *best*, we're expecting a few weeks. It's out of
our control.
FTAOD: this dependency problem has been here as a time bomb ever since
day 1 of shim in Debian. We just haven't ever noticed as nobody was
using these packages until very recently. Apologies for not spotting
the problem before we uploaded newer versions and triggered
this. AFAIK Ubuntu have got away with a very similar configuration due
to a different archive setup.
We're planning on redoing the packaging to get away from these
problems ASAP so this problem will not recur. However, fixing things
cleanly now is not easy:
1. We can't simply re-upload a new shim source package to get a
new shim binary with the same version number as the old one
2. The old version of the shim binary package is encoded in the
dependencies of the shim-signed binary package
3. We cannot reproduce the shimx64.efi EFI binary if we rebuild
it today (Cyril has tried multiple ways), so we *cannot*
simply upload a new shim source package and hope...
So, we're looking at three hacky options options here to work our way
out of this hole. In (probably?) descending order of hackitude:
1. Ask the nice ftpmaster people to bodge the archive by hand:
1a. Remove the current shim source and binary packages from
unstable (version 15+1533136590.3beb971-2)
1b. Copy the older source and binary from buster back into
unstable for us.
1c. We're not even sure if this is *possible*, let alone a nice
thing to do - thoughts?
1d. Expecting that this might break all kinds of tools inside and
outside of the archive maybe?
OR
2. Upload new bodged versions of shim and shim-signed to get us
back to working with the previously-signed shimx64.efi.signed
binary
2a. Create new shim and shim-signed source packages, along with
matching binary packages.
2b. These binary packages will contain the *exact* same EFI
binaries as we have in buster but with a higher version number
in the packaging.
2c. As we cannot *exactly* reproduce the binaries sensibly, we
will have to hand-hack the contents of the binary packages.
2d. We *know* this is grotty too, but we can at least make this
work entirely at a package level.
2e. Already tested and working: Cyril has built packages like this
and I have tested the results successfully on my test SB
system here.
Current versions in buster:
- shim:
- source: 0.9+1474479173.6c180c6-1
- binary: 0.9+1474479173.6c180c6-1
- shim-signed:
- source: 1.28+nmu1
- binary: 1.28+nmu1+0.9+1474479173.6c180c6-1
Possible versions targetting sid:
- shim:
- source: 16+1474479173.6c180c6-1 (bumped “epoch-like” N+
prefix, but same contents as 0.9+1474479173.6c180c6-1)
- binary: 16+1474479173.6c180c6-1
- shim-signed:
- source: 1.28+nmu2 (new upload to adjust the Depends)
- binary: 1.28+nmu2+16+1474479173.6c180c6-1
OR
3. Upload new version of the shim-signed source package and a
(lightly) bodged binary package
3a. Use versions:
- source: 1.28+nmu2
- binary: 1.28+nmu2+0.9+1474479173.6c180c6-1
3b. Needs as build-deps an old version of sbsigntool (0.6-3.2) and
specifically version 0.9+1474479173.6c180c6-1 of shim in the
build chroot
3c. Then upload source+amd64
3d. New shim-signed binary package changes in a few ways:
* new version of the binary now include fbx64.efi.signed and
mmx64.efi.signed (copied across from the shim binary package)
* add Replaces: shim (= 0.9+1474479173.6c180c6-1) so we don't
conflict on those binaries
* remove Depends: shim (the whole point!)
* change Build-Depends to list the specific versions used for
shim and sbsigntool
3e. Already tested and working. I built this (source and binary
debdiffs attached) and tested OK on SB system
3f. This package is instantly RC-buggy due to the unavailable
build-deps. We know...
I'm deliberately notifying a number of likely interested teams here
about this problem and our three suggested solutions, so we can get
feedback and work out the best way forwards. If somebody else can
think of a better solution than any of our three suggestions, we'd
love to hear it!
As I said, we'll be uploading new packages with a better relationship
to fix this problem for future versions. That will become even more
important as we extend SB support to more than simply amd64
systems. shim is now designed to build reproducibly, which will also
help us to avoid/work around any similar issues in future. We will
also be integrating support for Debian's new signing service (to sign
the helper binaries in a better manner).
So, please - what do you think?
--
Steve McIntyre, Cambridge, UK. steve@einval.com
"Further comment on how I feel about IBM will appear once I've worked out
whether they're being malicious or incompetent. Capital letters are forecast."
Matthew Garrett, http://www.livejournal.com/users/mjg59/30675.html
(buster-amd64-devel)kibi@armor:~/work/bsp/secure-boot/redo$ (debdiff shim_*.dsc; echo; echo =====; echo; debdiff shim_*.deb; echo; echo ====; echo; debdiff shim-signed_*.dsc; echo; echo ====; echo; debdiff shim-signed_*.deb) 2>/dev/null
diff -Nru shim-0.9+1474479173.6c180c6/debian/changelog shim-16+1474479173.6c180c6/debian/changelog
--- shim-0.9+1474479173.6c180c6/debian/changelog 2016-10-15 13:17:34.000000000 +0000
+++ shim-16+1474479173.6c180c6/debian/changelog 2019-03-03 20:54:44.000000000 +0000
@@ -1,3 +1,17 @@
+shim (16+1474479173.6c180c6-1) unstable; urgency=medium
+
+ * Re-upload 0.9+1474479173.6c180c6-1 with a version number that's higher
+ than 15+1533136590.3beb971-1, superseding the version currently in
+ unstable that has no matching shim-signed packages with updated
+ signatures (See: #922179).
+ * The shim binary package isn't actually getting rebuilt with this upload,
+ as it cannot be built reproducibly; this would invalidate the signature
+ shipped in the shim-signed package. So this new source package is
+ accompanied by the old binary package (from 0.9+1474479173.6c180c6-1),
+ repacked as a newer version (16+1474479173.6c180c6-1).
+
+ -- Cyril Brulebois <kibi@debian.org> Sun, 03 Mar 2019 20:54:44 +0000
+
shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium
[ Steve Langasek ]
=====
File lists identical (after any substitutions)
Control files: lines which differ (wdiff format)
------------------------------------------------
Version: [-0.9+1474479173.6c180c6-1-] {+16+1474479173.6c180c6-1+}
====
diff -Nru shim-signed-1.28+nmu1/debian/changelog shim-signed-1.28+nmu2/debian/changelog
--- shim-signed-1.28+nmu1/debian/changelog 2018-11-04 07:09:26.000000000 +0000
+++ shim-signed-1.28+nmu2/debian/changelog 2019-03-03 20:57:35.000000000 +0000
@@ -1,3 +1,14 @@
+shim-signed (1.28+nmu2) unstable; urgency=medium
+
+ * Update dependency to the repacked, old version of shim, fixing
+ installability issues. Closes: #922179.
+ * This package isn't actually rebuilt against the repacked shim as tooling
+ changed a bit (regarding how packing is handled), so the old shim-signed
+ binary (1.28+nmu1+0.9+1474479173.6c180c6-1) is repacked as well,
+ updating the following fields: Depends, Source, Version.
+
+ -- Cyril Brulebois <kibi@debian.org> Sun, 03 Mar 2019 20:57:35 +0000
+
shim-signed (1.28+nmu1) unstable; urgency=medium
* Non-maintainer upload.
====
File lists identical (after any substitutions)
Control files: lines which differ (wdiff format)
------------------------------------------------
Depends: debconf (>= 0.5) | debconf-2.0, shim (= [-0.9+1474479173.6c180c6-1),-] {+16+1474479173.6c180c6-1),+} grub-efi-amd64-bin, grub2-common (>= 2.02~beta2-36ubuntu12), mokutil
Source: shim-signed [-(1.28+nmu1)-] {+(1.28+nmu2)+}
Version: [-1.28+nmu1+0.9+1474479173.6c180c6-1-] {+1.28+nmu2+16+1474479173.6c180c6-1+}
No differences were encountered between the postinst files
No differences were encountered between the postrm files
No differences were encountered between the templates files
No differences were encountered between the triggers files
diff -Nru shim-signed-1.28+nmu1/Makefile shim-signed-1.28+nmu2/Makefile
--- shim-signed-1.28+nmu1/Makefile 2018-11-04 07:09:26.000000000 +0000
+++ shim-signed-1.28+nmu2/Makefile 2019-03-03 22:27:43.000000000 +0000
@@ -9,6 +9,8 @@
cp /usr/lib/shim/shimx64.efi build/shimx64.efi.signed
sbattach --attach build/detached-sig build/shimx64.efi.signed
cmp shimx64.efi.signed build/shimx64.efi.signed
+ cp /usr/lib/shim/fbx64.efi.signed build
+ cp /usr/lib/shim/mmx64.efi.signed build
clean:
rm -rf build
diff -Nru shim-signed-1.28+nmu1/debian/changelog shim-signed-1.28+nmu2/debian/changelog
--- shim-signed-1.28+nmu1/debian/changelog 2018-11-04 07:09:26.000000000 +0000
+++ shim-signed-1.28+nmu2/debian/changelog 2019-03-03 22:33:41.000000000 +0000
@@ -1,3 +1,16 @@
+shim-signed (1.28+nmu2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Copy the helper binaries from the shim binary so that we no longer
+ need to depend on it. See #922179 for more details. Add a Replaces:
+ shim and to allow us to over-write binaries there.
+ * Explicitly uploading in a chroot with older binaries installed for
+ shim and sbsigntool, and update Build-Depends to point to those
+ speficic versions. This package will *not* function with other
+ versions installed.
+
+ -- Steve McIntyre <93sam@debian.org> Sun, 03 Mar 2019 22:33:41 +0000
+
shim-signed (1.28+nmu1) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru shim-signed-1.28+nmu1/debian/control shim-signed-1.28+nmu2/debian/control
--- shim-signed-1.28+nmu1/debian/control 2018-11-04 07:09:26.000000000 +0000
+++ shim-signed-1.28+nmu2/debian/control 2019-03-03 22:33:41.000000000 +0000
@@ -2,12 +2,19 @@
Section: utils
Priority: optional
Maintainer: Steve Langasek <vorlon@debian.org>
-Build-Depends: debhelper (>= 9), shim, sbsigntool (>= 0.6-0ubuntu4), po-debconf
+Build-Depends: debhelper (>= 9),
+# Need shim version 0.9+1474479173.6c180c6-1 so we can check the
+# signature on the right version of shim
+ shim (= 0.9+1474479173.6c180c6-1),
+# sbsigntool version 0.6-3.2 (newer versions do different things with
+# padding and the signatures don't match correctly)
+ sbsigntool (= 0.6-3.2), po-debconf
Standards-Version: 3.9.4
Package: shim-signed
Architecture: amd64
-Depends: ${misc:Depends}, shim (= ${shim:Version}), grub-efi-amd64-bin, grub2-common (>= 2.02~beta2-36ubuntu12), mokutil
+Depends: ${misc:Depends}, grub-efi-amd64-bin, grub2-common (>= 2.02~beta2-36ubuntu12), mokutil
+Replaces: shim (= ${shim:Version})
Recommends: secureboot-db
Built-Using: shim (= ${shim:Version})
Description: Secure Boot chain-loading bootloader (Microsoft-signed binary)
diff -Nru shim-signed-1.28+nmu1/debian/rules shim-signed-1.28+nmu2/debian/rules
--- shim-signed-1.28+nmu1/debian/rules 2018-11-04 07:09:26.000000000 +0000
+++ shim-signed-1.28+nmu2/debian/rules 2019-03-03 22:33:41.000000000 +0000
@@ -8,6 +8,11 @@
docdir := debian/shim-signed/usr/share/doc/shim-signed
+override_dh_install:
+ dh_install
+ cp /usr/lib/shim/fbx64.efi.signed debian/shim-signed/usr/lib/shim
+ cp /usr/lib/shim/mmx64.efi.signed debian/shim-signed/usr/lib/shim
+
override_dh_installchangelogs:
dh_installchangelogs
# Quieten lintian, which otherwise gets confused by our odd version
[The following lists of changes regard files as different if they have
different names, permissions or owners.]
Files in second .deb but not in first
-------------------------------------
-rw-r--r-- root/root /usr/lib/shim/fbx64.efi.signed
-rw-r--r-- root/root /usr/lib/shim/mmx64.efi.signed
Control files: lines which differ (wdiff format)
------------------------------------------------
Depends: debconf (>= 0.5) | debconf-2.0, [-shim (= 0.9+1474479173.6c180c6-1),-] grub-efi-amd64-bin, grub2-common (>= 2.02~beta2-36ubuntu12), mokutil
Installed-Size: [-1186-] {+2399+}
{+Replaces: shim (= 0.9+1474479173.6c180c6-1)+}
Source: shim-signed [-(1.28+nmu1)-] {+(1.28+nmu2)+}
Version: [-1.28+nmu1+0.9+1474479173.6c180c6-1-] {+1.28+nmu2+0.9+1474479173.6c180c6-1+}
Attachment:
signature.asc
Description: PGP signature