
Re: UEFI Secure Boot - the plan for stretch



]] Steve McIntyre 

> This needs an RSA 2048 key. The process: we generate the key and the
> self-signed certificate of the correct form, which is embedded in the
> shim package that is then submitted to Microsoft. The signing request
> requires obtaining an EV code-signing cert, and then this has to be
> uploaded via Windows to Microsoft.
> 
> Tollef was organising an HSM (Yubikey $thing) to make this more
> secure. Exact details on key management are yet TBD - we had
> discussions about an N-of-M keyholder scheme similar-ish to what
> Ubuntu do.

I've now gotten to the point of actually being able to sign binaries,
with the key stored on a yubikey, so that's pretty promising.

I ran out of steam after this, so I haven't actually tested it, but it
sure looks promising:

$ pesign -S -i signed.efi
---------------------------------------------
certificate address is 0x7f52e4841808
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Debian Test Secure Boot Signer 2
No signer email address.
Signing time: Tue Apr 19, 2016
There were certs or crls included.
---------------------------------------------

I'm going to see if I can make this work correctly over the next couple
of days, and assuming it works fine, other folks should be unblocked
quickly.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

