Re: shim-signed (was: Firmware - what are we going to do about it?)
On Sat, 23 Apr 2022 13:54:59 +0200, Ansgar <ansgar@43-1.org> wrote:
>On Sat, 2022-04-23 at 12:21 +0200, Marc Haber wrote:
>> >Is the presence of shim-signed on the install media enough to make
>> >people feel somehow contaminated?
>>
>> I think so, yes. Personally, I don't care too much but i can
>> understand why some people might.
>
>Why?
If only I knew. I myself don't feel to comfortable to rely on
Microsoft being able to pull the plug on us any time. I don't know
whether they can, but I imagine some kind of revocation mechanism
being in place.
And it's anther lay of indirection. While RFC compliant (1925, 6a)
this introduces another possible attach vector since shim-signed might
have to do its own check about the kernel to load. I do not know zilch
about the shim, but this might be an issue for people.
> Because it contains a third-party signature for which the private
>key is not included in Debian? The same is true for signatures in
>debian-archive-keyring, debian-keyring, ca-certificates, wireless-
>regdb, and many other packages.
A running system doesn't rely on any of those.
>If we were to include more signatures in binary packages (e.g., a
>signed manifest listing files (with hashes) shipped by the package,
>signed executables, an embedded signature for the .deb itself), would
>that be a problem?
>
>We do include signatures for source packages (*.dsc and also for
>upstream tarballs) as well.
I would LOVE to have an easier possibility to check the actual
uploader's signature for anything in the archive short of squatting on
every changes file ever visible.
>> We can compile shim-signed and compare the signed code with our own
>> object code, can't we? That we we would only have to worry about the
>> validity and benignness of the signature and not worry about having
>> undocumented functionality in the signed code.
>
>Debian's buildds build shim (binary package: shim-unsigned); the binary
>generated by Debian is then signed by Microsoft's key.
And we have a mechanism to check whether the code is actually the
same?
Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
Reply to: