Re: UEFI Secure Boot - the plan for stretch
- To: Steve McIntyre <steve@einval.com>
- Cc: debian-efi@lists.debian.org, Colin Watson <cjwatson@debian.org>, micah anderson <micah@debian.org>, Steve Langasek <vorlon@debian.org>, Ben Hutchings <ben@decadent.org.uk>, pabs@debian.org, lfaraone@debian.org, debian-admin@lists.debian.org, ftpmaster@debian.org
- Subject: Re: UEFI Secure Boot - the plan for stretch
- From: Tollef Fog Heen <tfheen@err.no>
- Date: Tue, 19 Apr 2016 22:08:43 +0200
- Message-id: <87a8kpbbuc.fsf@xoog.err.no>
- Mail-followup-to: Steve McIntyre <steve@einval.com>, debian-efi@lists.debian.org, Colin Watson <cjwatson@debian.org>, micah anderson <micah@debian.org>, Steve Langasek <vorlon@debian.org>, Ben Hutchings <ben@decadent.org.uk>, pabs@debian.org, lfaraone@debian.org, debian-admin@lists.debian.org, ftpmaster@debian.org
- In-reply-to: <20160401133517.GC31407@einval.com> (Steve McIntyre's message of "Fri, 1 Apr 2016 14:35:17 +0100")
- References: <20160401133517.GC31407@einval.com>
]] Steve McIntyre
> This needs an RSA 2048 key. The process: we generate the key and the
> self-signed certificate of the correct form, which is embedded in the
> shim package that is then submitted to Microsoft. The signing request
> requires obtaining an EV code-signing cert, and then this has to be
> uploaded via Windows to Microsoft.
>
> Tollef was organising an HSM (Yubikey $thing) to make this more
> secure. Exact details on key management are yet TBD - we had
> discussions about an N-of-M keyholder scheme similar-ish to what
> Ubuntu do.
I've now gotten to the point of actually being able to sign binaries,
with the key stored on a yubikey, so that's pretty promising.
I ran out of steam after this, so I haven't actually tested it, but it
sure looks promising:
$ pesign -S -i signed.efi
---------------------------------------------
certificate address is 0x7f52e4841808
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Debian Test Secure Boot Signer 2
No signer email address.
Signing time: Tue Apr 19, 2016
There were certs or crls included.
---------------------------------------------
I'm going to see if I can make this work correctly over the next couple
of days, and assuming it works fine, other folks should be unblocked
quickly.
--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are