[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

UEFI Secure Boot - the plan for stretch

Hey folks,

We've been *slowly* working towards this for a while. Let's see where
we're up to and exactly what still needs doing. I've been asked by
several people for a public update, and I've had multiple offers of
help if it's useful.

We've agreed on the path to follow, and as far as I know we have most
of the bits either in place or readily available by borrowing from
others' implementations. There's a wiki page at
https://wiki.debian.org/SecureBoot about this, including the tasks we
identified. To summarise:

1. Generate a key and an EV code-signing cert, submit to Microsoft

This needs an RSA 2048 key. The process: we generate the key and the
self-signed certificate of the correct form, which is embedded in the
shim package that is then submitted to Microsoft. The signing request
requires obtaining an EV code-signing cert, and then this has to be
uploaded via Windows to Microsoft.

Tollef was organising an HSM (Yubikey $thing) to make this more
secure. Exact details on key management are yet TBD - we had
discussions about an N-of-M keyholder scheme similar-ish to what
Ubuntu do.

Steve Langasek to include the public key and cert in a shim package
for Debian, upload it and get it in the archive.

Whoever controls the EV cert extracts the shim binary, puts it into a
cab, signs that with the EV cert and uploads the result.

2. dak changes to support upload and signing of EFI executables

Colin pointed at the code in launchpad as inspiration:


and gave us a WIP dak patch. Luke (was?) volunteered to investigate
the dak work.

3. Prepare and upload a package of the 'shim' EFI boot loader

This will embed our own set of public keys (corresponding to those
used by dak) and can load any other EFI executable signed by one of
them.  Later, there will be a additional shim-signed package
containing the same executable with a Microsoft signature.  (This
costs money and takes several days, but shim should require only very
infrequent changes.)

Steve Langasek said he was happy to do this once we've got the rest of
the process started and we have a certificate ready to embed.

4. Updates for other core packages to add signed versions

Once we have our key ready and dak support added, we'll be able to
upload things and get them signed automatically to create $foo-signed
packages. Expected packages here:

 * grub2
 * linux
 * fwupdate
 * ???

5. Minor tweaks to other places to make use of the signed packages

 * d-i
 * debian-cd
 * debian-live
 * ???

So, can we have updates on anything that people have achieved so far
please? Tollef told me that he's got somewhere with the Yubikey, so
hopefully we can get going using that base?

Steve McIntyre, Cambridge, UK.                                steve@einval.com
You lock the door
And throw away the key
There's someone in my head but it's not me 

Attachment: signature.asc
Description: Digital signature

Reply to: