Re: UEFI Secure Boot - the plan for stretch

]] Steve McIntyre 

> This needs an RSA 2048 key. The process: we generate the key and the
> self-signed certificate of the correct form, which is embedded in the
> shim package that is then submitted to Microsoft. The signing request
> requires obtaining an EV code-signing cert, and then this has to be
> uploaded via Windows to Microsoft.
> Tollef was organising an HSM (Yubikey $thing) to make this more
> secure. Exact details on key management are yet TBD - we had
> discussions about an N-of-M keyholder scheme similar-ish to what
> Ubuntu do.

I've now gotten to the point of actually being able to sign binaries,
with the key stored on a yubikey, so that's pretty promising.

I ran out of steam after this, so I haven't actually tested it, but it
sure looks promising:

$ pesign -S -i signed.efi
certificate address is 0x7f52e4841808
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Debian Test Secure Boot Signer 2
No signer email address.
Signing time: Tue Apr 19, 2016
There were certs or crls included.

I'm going to see if I can make this work correctly over the next couple
of days, and assuming it works fine, other folks should be unblocked.

Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
