Re: UEFI Secure Boot - the plan for stretch
On Sat, Apr 02, 2016 at 01:38:26AM +0200, Tollef Fog Heen wrote:
>]] Steve McIntyre
>
>First of all, thanks for poking about this. It's been moving forward,
>though slowly.
>
>> 1. Generate a key and an EV code-signing cert, submit to Microsoft
>> ==================================================================
>>
>> This needs an RSA 2048 key. The process: we generate the key and the
>> self-signed certificate of the correct form, which is embedded in the
>> shim package that is then submitted to Microsoft. The signing request
>> requires obtaining an EV code-signing cert, and then this has to be
>> uploaded via Windows to Microsoft.
>>
>> Tollef was organising an HSM (Yubikey $thing) to make this more
>> secure. Exact details on key management are yet TBD - we had
>> discussions about an N-of-M keyholder scheme similar-ish to what
>> Ubuntu do.
>
>The yubikeys have generously been sponsored by Yubico and we now have a
>small pile in franck.
>
>One of the keys in franck will include the day-to-day signing key and
>cert, we'll have that cert be issued by a CA which is kept offline. The
>cert of the offline CA is what we'll embed in shim.
>
>In addition, I'll generate a key and get an EV code signing cert issued.
>The DPL authorised that expenditure a little while ago.
OK, excellent. Please keep us updated.
...
>> 4. Updates for other core packages to add signed versions
>> =========================================================
>>
>> Once we have our key ready and dak support added, we'll be able to
>> upload things and get them signed automatically to create $foo-signed
>> packages. Expected packages here:
>>
>> * grub2
>> * linux
>> * fwupdate
>> * ???
>
>I'd love to see SB support in ipxe too, but that probably requires
>upstream changes.
Yup. I'm told that the main upstream developer lives in Cambridge,
even. I'll get in touch.
>> So, can we have updates on anything that people have achieved so far
>> please? Tollef told me that he's got somewhere with the Yubikey, so
>> hopefully we can get going using that base?
>
>I've poked at this tonight for a bit, but I keep running into trouble
>with pesign when trying to actually sign something, so while I could
>generate the certs and such today, I'd rather not until I have
>successfully signed something using a self-generated cert.
ACK!
--
Steve McIntyre, Cambridge, UK. steve@einval.com
"Managing a volunteer open source project is a lot like herding
kittens, except the kittens randomly appear and disappear because they
have day jobs." -- Matt Mackall
Reply to: