Hey folks,

We've been *slowly* working towards this for a while. Let's see where we're up to and exactly what still needs doing. I've been asked by several people for a public update, and I've had multiple offers of help if it's useful.

We've agreed on the path to follow, and as far as I know we have most of the bits either in place or readily available by borrowing from others' implementations. There's a wiki page at https://wiki.debian.org/SecureBoot about this, including the tasks we identified. To summarise:

1. Generate a key and an EV code-signing cert, submit to Microsoft
==================================================================

This needs an RSA 2048 key. The process: we generate the key and the self-signed certificate of the correct form, which is embedded in the shim package that is then submitted to Microsoft. The signing request requires obtaining an EV code-signing cert, and then this has to be uploaded via Windows to Microsoft.

Tollef was organising an HSM (Yubikey $thing) to make this more secure. Exact details on key management are yet TBD - we had discussions about an N-of-M keyholder scheme similar-ish to what Ubuntu do.

Steve Langasek to include the public key and cert in a shim package for Debian, upload it and get it in the archive. Whoever controls the EV cert extracts the shim binary, puts it into a cab, signs that with the EV cert and uploads the result.

2. dak changes to support upload and signing of EFI executables
===============================================================

Colin pointed at the code in launchpad as inspiration:

https://git.launchpad.net/launchpad/tree/lib/lp/archivepublisher/uefi.py
https://git.launchpad.net/launchpad/tree/lib/lp/archivepublisher/tests/test_uefi.py

and gave us a WIP dak patch. Luke (was?) volunteered to investigate the dak work.

3. Prepare and upload a package of the 'shim' EFI boot loader
=============================================================

This will embed our own set of public keys (corresponding to those used by dak) and can load any other EFI executable signed by one of them. Later, there will be an additional shim-signed package containing the same executable with a Microsoft signature. (This costs money and takes several days, but shim should require only very infrequent changes.)

Steve Langasek said he was happy to do this once we've got the rest of the process started and we have a certificate ready to embed.

4. Updates for other core packages to add signed versions
=========================================================

Once we have our key ready and dak support added, we'll be able to upload things and get them signed automatically to create $foo-signed packages. Expected packages here:

 * grub2
 * linux
 * fwupdate
 * ???

5. Minor tweaks to other places to make use of the signed packages
==================================================================

 * d-i
 * debian-cd
 * debian-live
 * ???

So, can we have updates on anything that people have achieved so far please? Tollef told me that he's got somewhere with the Yubikey, so hopefully we can get going using that base?

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
You lock the door
And throw away the key
There's someone in my head but it's not me
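As an added example (not from Steve's mail, nor Debian's or shim's own tooling), here is a small shell script that generates an RSA 2048 key and a self-signed certificate of the shape step 1 describes, converts the cert to DER, and checks the result before it would be handed over for embedding in shim. The CN, the file names and the on-disk private key are illustrative assumptions; in the real process the key would be generated and kept in the HSM.

```shell
#!/bin/sh
# Added example: key/cert generation and sanity checks for the vendor cert
# that step 1 embeds in shim. Assumes a working `openssl` binary.
# The CN below is made up; a real key would never sit in a plain file.

# Generate an RSA 2048 key and a self-signed cert, then write the cert as
# DER (the form the shim build embeds). $1 is the output basename.
gen_vendor_cert() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Secure Boot CA/" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1.pem" -outform DER -out "$1.der"
}

# Print the RSA modulus size in bits of the public key in a DER cert.
cert_key_bits() {
    openssl x509 -inform DER -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Return 0 only if the DER cert parses, carries an RSA 2048 key, and is
# self-signed (subject equals issuer), i.e. the form step 1 asks for.
check_vendor_cert() {
    openssl x509 -inform DER -in "$1" -noout 2>/dev/null || return 1
    openssl x509 -inform DER -in "$1" -noout -text |
        grep -q 'rsaEncryption' || return 1
    [ "$(cert_key_bits "$1")" = "2048" ] || return 1
    subj=$(openssl x509 -inform DER -in "$1" -noout -subject)
    issuer=$(openssl x509 -inform DER -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${issuer#issuer=}" ]
}

# Stand-alone demo: `sh thisfile.sh demo` generates into a temp dir and
# reports the verdict; with no argument only the functions are defined.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    gen_vendor_cert "$d/ca" && check_vendor_cert "$d/ca.der" &&
        echo "cert OK: $(cert_key_bits "$d/ca.der") bit RSA, self-signed"
fi
```

The same `check_vendor_cert` step is the one worth running again on the cert actually extracted from the shim package before it is sent for signing, so that a wrong key size or a non-self-signed cert is caught locally rather than by Microsoft's review.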