Re: UEFI Secure Boot - the plan for stretch

To: debian-efi@lists.debian.org, Colin Watson <cjwatson@debian.org>, micah anderson <micah@debian.org>, Steve Langasek <vorlon@debian.org>, Ben Hutchings <ben@decadent.org.uk>, pabs@debian.org, lfaraone@debian.org, debian-admin@lists.debian.org, ftpmaster@debian.org
Subject: Re: UEFI Secure Boot - the plan for stretch
From: Steve McIntyre <steve@einval.com>
Date: Mon, 4 Apr 2016 17:26:44 +0100
Message-id: <[🔎] 20160404162644.GE28926@einval.com>
In-reply-to: <[🔎] 8760w0lx1p.fsf@xoog.err.no>
References: <[🔎] 20160401133517.GC31407@einval.com> <[🔎] 8760w0lx1p.fsf@xoog.err.no>

On Sat, Apr 02, 2016 at 01:38:26AM +0200, Tollef Fog Heen wrote:
>]] Steve McIntyre 
>
>First of all, thanks for poking about this.  It's been moving forward,
>though slowly.
>
>> 1. Generate a key and an EV code-signing cert, submit to Microsoft
>> ==================================================================
>> 
>> This needs an RSA 2048 key. The process: we generate the key and the
>> self-signed certificate of the correct form, which is embedded in the
>> shim package that is then submitted to Microsoft. The signing request
>> requires obtaining an EV code-signing cert, and then this has to be
>> uploaded via Windows to Microsoft.
>> 
>> Tollef was organising an HSM (Yubikey $thing) to make this more
>> secure. Exact details on key management are yet TBD - we had
>> discussions about an N-of-M keyholder scheme similar-ish to what
>> Ubuntu do.
>
>The yubikeys have generously been sponsored by Yubico and we now have a
>small pile in franck.
>
>One of the keys in franck will include the day-to-day signing key and
>cert, we'll have that cert be issued by a CA which is kept offline.  The
>cert of the offline CA is what we'll embed in shim.
>
>In addition, I'll generate a key and get an EV code signing cert issued.
>The DPL authorised that expenditure a little while ago.

OK, excellent. Please keep us updated.

...

>> 4. Updates for other core packages to add signed versions
>> =========================================================
>> 
>> Once we have our key ready and dak support added, we'll be able to
>> upload things and get them signed automatically to create $foo-signed
>> packages. Expected packages here:
>> 
>>  * grub2
>>  * linux
>>  * fwupdate
>>  * ???
>
>I'd love to see SB support in ipxe too, but that probably requires
>upstream changes.

Yup. I'm told that the main upstream developer lives in Cambridge,
even. I'll get in touch.

>> So, can we have updates on anything that people have achieved so far
>> please? Tollef told me that he's got somewhere with the Yubikey, so
>> hopefully we can get going using that base?
>
>I've poked at this tonight for a bit, but I keep running into trouble
>with pesign when trying to actually sign something, so while I could
>generate the certs and such today, I'd rather not until I have
>successfully signed something using a self-generated cert.

ACK!

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"Managing a volunteer open source project is a lot like herding
 kittens, except the kittens randomly appear and disappear because they
 have day jobs." -- Matt Mackall

Reply to:

References:
- UEFI Secure Boot - the plan for stretch
  - From: Steve McIntyre <steve@einval.com>
- Re: UEFI Secure Boot - the plan for stretch
  - From: Tollef Fog Heen <tfheen@err.no>

Prev by Date: Re: Bug#803912: [PATCH] Follow partman-auto/disk to reuse the ESP. Closes: #803912
Next by Date: Re: UEFI Secure Boot - the plan for stretch
Previous by thread: Re: UEFI Secure Boot - the plan for stretch
Next by thread: Re: UEFI Secure Boot - the plan for stretch
Index(es):
- Date
- Thread