
Re: shim-signed (was: Firmware - what are we going to do about it?)



On Sat, 23 Apr 2022 18:21:47 +0100, Steve McIntyre <steve@einval.com>
wrote:
>We don't have good docs around this in general (hey, it's security
>software - it's against the law to write good and complete docs!), but
>I've certainly discussed this with a few folks over the years.

It would be great to have that written down somewhere to tell people
what they're actually doing.

>Alternatively, people can build replacement shim-signed packages using
>their own root of trust if desired. If we had a large enough number of
>users wanting a different root of trust, we could even offer our own
>different shim-signed package to match.

I would probably prefer to have grub and/or the kernel signed, avoiding
additional code, but maybe having some explanation would convince me
that the shim actually improves things additionally to adding
complexity.

>Better than that, our shim-signed source package always double-checks
>things here. At build time it removes the Microsoft signature and
>compares that shim binary to the binary that we submitted for
>signing. We would spot immediately if there was any code added.

And if that check fails at build time, the Debian process refrains
from putting a Debian signature on the deb and from uploading? Can the
end user build the shim herself, remove the signature from the signed
shim and compare the binary, preferably in a documented way?

Greetings
Marc
-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mailadresse im Header
Mannheim, Germany  |     Beginning of Wisdom "     | 
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
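
The strip-and-compare check discussed in this message, as an added example that is not Debian's build code or part of the original mail: it drops the PE attribute certificate table, zeroes the two header fields that signing changes, and compares digests. The function names and the minimal sample image are constructed for illustration, and the code assumes the signer appended the certificate table at the end of the file without extra padding.

```python
import hashlib
import struct

CERT_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY (certificate table)

def _offsets(pe: bytes):
    """Return (checksum_offset, cert_dir_offset) for a PE32 or PE32+ image."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = pe_off + 4 + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)
    return opt + 64, dirs + 8 * CERT_DIR_INDEX

def strip_signature(pe: bytes) -> bytes:
    """Drop the certificate table and zero the fields that signing changes."""
    checksum_off, cert_dir_off = _offsets(pe)
    cert_off, cert_size = struct.unpack_from("<II", pe, cert_dir_off)
    out = bytearray(pe)
    if cert_size:
        if cert_off + cert_size != len(pe):
            raise ValueError("certificate table is not at end of file")
        del out[cert_off:]
    struct.pack_into("<I", out, checksum_off, 0)      # CheckSum
    struct.pack_into("<II", out, cert_dir_off, 0, 0)  # directory entry
    return bytes(out)

def same_code(signed: bytes, unsigned: bytes) -> bool:
    """True if both images are identical once signature data is removed."""
    digests = [hashlib.sha256(strip_signature(p)).digest() for p in (signed, unsigned)]
    return digests[0] == digests[1]

def make_pe(body: bytes, signature: bytes = b"") -> bytes:
    """Constructed minimal PE32+ image for the demo, not a bootable shim."""
    image = bytearray(0x40 + 4 + 20 + 240)       # DOS stub, PE sig, COFF, optional hdr
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)    # e_lfanew
    image[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", image, 0x58, 0x20B)   # PE32+ magic
    image += body
    if signature:                                # point the cert dir at the appended blob
        struct.pack_into("<II", image, 0x58 + 112 + 32, len(image), len(signature))
        image += signature
    return bytes(image)
```
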

