
Re: UEFI Secure Boot - the plan for stretch

On Sat, Apr 02, 2016 at 01:38:26AM +0200, Tollef Fog Heen wrote:
>]] Steve McIntyre 
>First of all, thanks for poking about this.  It's been moving forward,
>though slowly.
>> 1. Generate a key and an EV code-signing cert, submit to Microsoft
>> ==================================================================
>> This needs an RSA 2048 key. The process: we generate the key and the
>> self-signed certificate of the correct form, which is embedded in the
>> shim package that is then submitted to Microsoft. The signing request
>> requires obtaining an EV code-signing cert, and then this has to be
>> uploaded via Windows to Microsoft.
>> Tollef was organising an HSM (Yubikey $thing) to make this more
>> secure. Exact details on key management are yet TBD - we had
>> discussions about an N-of-M keyholder scheme similar-ish to what
>> Ubuntu do.
>The yubikeys have generously been sponsored by Yubico and we now have a
>small pile in franck.
>One of the keys in franck will include the day-to-day signing key and
>cert, we'll have that cert be issued by a CA which is kept offline.  The
>cert of the offline CA is what we'll embed in shim.
>In addition, I'll generate a key and get an EV code signing cert issued.
>The DPL authorised that expenditure a little while ago.

OK, excellent. Please keep us updated.


>> 4. Updates for other core packages to add signed versions
>> =========================================================
>> Once we have our key ready and dak support added, we'll be able to
>> upload things and get them signed automatically to create $foo-signed
>> packages. Expected packages here:
>>  * grub2
>>  * linux
>>  * fwupdate
>>  * ???
>I'd love to see SB support in ipxe too, but that probably requires
>upstream changes.

Yup. I'm told that the main upstream developer lives in Cambridge,
even. I'll get in touch.

>> So, can we have updates on anything that people have achieved so far
>> please? Tollef told me that he's got somewhere with the Yubikey, so
>> hopefully we can get going using that base?
>I've poked at this tonight for a bit, but I keep running into trouble
>with pesign when trying to actually sign something, so while I could
>generate the certs and such today, I'd rather not until I have
>successfully signed something using a self-generated cert.


Steve McIntyre, Cambridge, UK.                                steve@einval.com
"Managing a volunteer open source project is a lot like herding
 kittens, except the kittens randomly appear and disappear because they
 have day jobs." -- Matt Mackall
