Re: UEFI Secure Boot - the plan for stretch
- To: Steve McIntyre <steve@einval.com>
- Cc: debian-efi@lists.debian.org, Colin Watson <cjwatson@debian.org>, micah anderson <micah@debian.org>, Steve Langasek <vorlon@debian.org>, Ben Hutchings <ben@decadent.org.uk>, pabs@debian.org, lfaraone@debian.org, debian-admin@lists.debian.org, ftpmaster@debian.org
- Subject: Re: UEFI Secure Boot - the plan for stretch
- From: Tollef Fog Heen <tfheen@err.no>
- Date: Sat, 02 Apr 2016 01:38:26 +0200
- Message-id: <8760w0lx1p.fsf@xoog.err.no>
- Mail-followup-to: Steve McIntyre <steve@einval.com>, debian-efi@lists.debian.org, Colin Watson <cjwatson@debian.org>, micah anderson <micah@debian.org>, Steve Langasek <vorlon@debian.org>, Ben Hutchings <ben@decadent.org.uk>, pabs@debian.org, lfaraone@debian.org, debian-admin@lists.debian.org, ftpmaster@debian.org
- In-reply-to: <20160401133517.GC31407@einval.com> (Steve McIntyre's message of "Fri, 1 Apr 2016 14:35:17 +0100")
- References: <20160401133517.GC31407@einval.com>

]] Steve McIntyre

First of all, thanks for poking about this. It's been moving forward,
though slowly.

> 1. Generate a key and an EV code-signing cert, submit to Microsoft
> ==================================================================
>
> This needs an RSA 2048 key. The process: we generate the key and the
> self-signed certificate of the correct form, which is embedded in the
> shim package that is then submitted to Microsoft. The signing request
> requires obtaining an EV code-signing cert, and then this has to be
> uploaded via Windows to Microsoft.
>
> Tollef was organising an HSM (Yubikey $thing) to make this more
> secure. Exact details on key management are yet TBD - we had
> discussions about an N-of-M keyholder scheme similar-ish to what
> Ubuntu do.

The yubikeys have generously been sponsored by Yubico and we now have a
small pile in franck.

One of the keys in franck will include the day-to-day signing key and
cert; we'll have that cert be issued by a CA which is kept offline. The
cert of the offline CA is what we'll embed in shim.

In addition, I'll generate a key and get an EV code signing cert issued.
The DPL authorised that expenditure a little while ago.

> 4. Updates for other core packages to add signed versions
> =========================================================
>
> Once we have our key ready and dak support added, we'll be able to
> upload things and get them signed automatically to create $foo-signed
> packages. Expected packages here:
>
> * grub2
> * linux
> * fwupdate
> * ???

I'd love to see SB support in ipxe too, but that probably requires
upstream changes.

> So, can we have updates on anything that people have achieved so far
> please? Tollef told me that he's got somewhere with the Yubikey, so
> hopefully we can get going using that base?

I've poked at this tonight for a bit, but I keep running into trouble
with pesign when trying to actually sign something, so while I could
generate the certs and such today, I'd rather not until I have
successfully signed something using a self-generated cert.

--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
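
The key hierarchy described in this message (an offline CA whose certificate is embedded in shim, issuing the day-to-day signing certificate) is illustrated by the following added example, which is not part of the original message and is not Debian's tooling. It assumes software RSA 2048 keys in place of the YubiKey, constructed certificate names, and hypothetical helpers `issue` and `trustedBy`; it shows that a replacement signing cert issued by the same CA verifies against the unchanged embedded CA cert, while a cert from an unrelated CA does not.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue (hypothetical helper) makes an RSA 2048 cert: a self-signed CA when parent is nil,
// otherwise a code-signing leaf signed by parentKey. Panics on error to keep the demo short.
func issue(cn string, serial int64, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // assumption: software key, not an HSM
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if parent == nil { // offline CA: self-signed and only allowed to sign certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// trustedBy reports whether leaf chains to the single embedded CA cert for code signing.
func trustedBy(embeddedCA, leaf *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(embeddedCA) // the only trust anchor, as with a CA cert embedded in shim
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err == nil
}

func main() { // all names below are constructed for the example
	ca, caKey := issue("Constructed offline CA", 1, nil, nil)
	daily, _ := issue("Constructed day-to-day signer", 2, ca, caKey)
	rotated, _ := issue("Constructed replacement signer", 3, ca, caKey)
	otherCA, otherKey := issue("Constructed unrelated CA", 1, nil, nil)
	foreign, _ := issue("Constructed foreign signer", 2, otherCA, otherKey)
	fmt.Println(trustedBy(ca, daily), trustedBy(ca, rotated), trustedBy(ca, foreign))
}
```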