
Re: shim-signed



The Wanderer wrote:
>On 2022-04-26 at 18:05, Paul Wise wrote:
>
>> On Tue, 2022-04-26 at 20:41 +0200, Bastian Blank wrote:
>> 
>>> secure boot signing process at Microsoft is a review-sign process
>> 
>> What kind of review are Microsoft doing of the Debian shim?
>> 
>> Are they reviewing the source and checking for a reproducible build?
>
>I'd be curious to have a more in-depth answer to this, myself.
>
>My understanding has always been that they check to make sure that what
>they're signing is not visibly malicious, and in most cases also that it
>can't chain to load something else (which isn't signed, and might be
>malicious). Since the entire purpose of the shim - at least as I
>understand it - is to chain to load something else, clearly either that
>understanding is not correct, or they're making an exception for the
>case of the shim.

Microsoft themselves *don't* do direct code review of the shim
submissions; they acknowledged some time ago that they didn't have
direct knowledge good enough to make this sensible. Instead, there is
a team of trusted distro maintainers who have stepped up to review
submissions. See

  * https://github.com/rhboot/shim-review
  * https://github.com/rhboot/shim/wiki

for more information about what we look for. Every single patch that's
applied to a signed shim will be reviewed by the community, and we
also want to see what patches people have applied to Grub, Linux,
etc. too.

We need a reproducible build for shim so that we can check that the
shipped binary for signing matches what we can rebuild ourselves.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"We're the technical experts.  We were hired so that management could
 ignore our recommendations and tell us how to do our jobs."  -- Mike Andrews
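The reproducibility check Steve describes (rebuild shim locally and confirm the binary submitted for signing is byte-identical) boils down to comparing hashes of the two artefacts. The script below is an added example, not code from this thread or from the shim-review project; it compares a "submitted" binary against a local rebuild and distinguishes a genuine mismatch from a missing or unreadable file. The `.efi` file names and their contents are constructed stand-ins created in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or shim-review): verify that
# a binary submitted for signing matches a local rebuild, as the reply above
# describes. File names and contents below are constructed for demonstration.

# Print the SHA-256 of a file; exit status 2 if the file cannot be read.
file_sha256() {
    [ -r "$1" ] || { echo "unreadable: $1" >&2; return 2; }
    sha256sum "$1" | cut -d' ' -f1
}

# Compare the submitted binary with the rebuilt one.
# Returns 0 when the two are byte-identical (reproducible),
#         1 when they differ (the submission must not be signed as-is),
#         2 when either file cannot be read (the check did not run).
reproducible_check() {
    submitted="$1"
    rebuilt="$2"
    s=$(file_sha256 "$submitted") || return 2
    r=$(file_sha256 "$rebuilt") || return 2
    if [ "$s" = "$r" ]; then
        echo "MATCH    sha256=$s"
        return 0
    fi
    echo "MISMATCH submitted=$s rebuilt=$r" >&2
    return 1
}

# Constructed demo inputs standing in for shimx64.efi builds:
#   submitted.efi    - what was uploaded for review/signing
#   rebuilt-good.efi - a faithful local rebuild (identical bytes)
#   rebuilt-bad.efi  - a rebuild carrying an extra, unreviewed change
# Prints the temporary directory holding them.
setup_demo() {
    demo=$(mktemp -d)
    printf 'shim payload v1' > "$demo/submitted.efi"
    cp "$demo/submitted.efi" "$demo/rebuilt-good.efi"
    printf 'shim payload v1 + local patch' > "$demo/rebuilt-bad.efi"
    echo "$demo"
}

# Stand-alone run: exercise all three outcomes.
if [ "${RUN_DEMO:-1}" = "1" ] && [ -z "${SHIM_CHECK_SOURCED:-}" ]; then
    d=$(setup_demo)
    reproducible_check "$d/submitted.efi" "$d/rebuilt-good.efi"
    reproducible_check "$d/submitted.efi" "$d/rebuilt-bad.efi" || echo "exit status: $?"
    reproducible_check "$d/submitted.efi" "$d/missing.efi" || echo "exit status: $?"
    rm -rf "$d"
fi
```

In a real review the "submitted" hash is the `sha256sum` of the unsigned EFI binary from the submission, and the "rebuilt" side comes from building the same source tag in the same container; the point of the three-way exit status is that an unreadable artefact is a failed check, not a pass.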

