[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: UEFI Secure Boot - the plan for stretch

]] Steve McIntyre 

First of all, thanks for poking about this.  It's been moving forward,
though slowly.

> 1. Generate a key and an EV code-signing cert, submit to Microsoft
> ==================================================================
> This needs an RSA 2048 key. The process: we generate the key and the
> self-signed certificate of the correct form, which is embedded in the
> shim package that is then submitted to Microsoft. The signing request
> requires obtaining an EV code-signing cert, and then this has to be
> uploaded via Windows to Microsoft.
> Tollef was organising an HSM (Yubikey $thing) to make this more
> secure. Exact details on key management are yet TBD - we had
> discussions about an N-of-M keyholder scheme similar-ish to what
> Ubuntu do.

The yubikeys have generously been sponsored by Yubico and we now have a
small pile in franck.

One of the keys in franck will include the day-to-day signing key and
cert, we'll have that cert be issued by a CA which is kept offline.  The
cert of the offline CA is what we'll embed in shim.

In addition, I'll generate a key and get an EV code signing cert issued.
The DPL authorised that expenditure a little while ago.

> 4. Updates for other core packages to add signed versions
> =========================================================
> Once we have our key ready and dak support added, we'll be able to
> upload things and get them signed automatically to create $foo-signed
> packages. Expected packages here:
>  * grub2
>  * linux
>  * fwupdate
>  * ???

I'd love to see SB support in ipxe too, but that probably requires
upstream changes.

> So, can we have updates on anything that people have achieved so far
> please? Tollef told me that he's got somewhere with the Yubikey, so
> hopefully we can get going using that base?

I've poked at this tonight for a bit, but I keep running into trouble
with pesign when trying to actually sign something, so while I could
generate the certs and such today, I'd rather not until I have
successfully signed something using a self-generated cert.

Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

Reply to: