Re: Secure boot signing infrastructure - feedback request

To: Helen Koike <helen.koike@collabora.com>, debian-efi@lists.debian.org, ftpmaster@debian.org, debian-admin@lists.debian.org, pkg-grub-devel@lists.alioth.debian.org, debian-kernel@lists.debian.org
Subject: Re: Secure boot signing infrastructure - feedback request
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 09 Oct 2017 14:01:15 +0100
Message-id: <[🔎] 1507554075.2677.123.camel@decadent.org.uk>
In-reply-to: <[🔎] 0fe944fb-1dd5-c257-04ee-683f3245c261@collabora.com>
References: <[🔎] 0fe944fb-1dd5-c257-04ee-683f3245c261@collabora.com>

On Thu, 2017-10-05 at 14:57 -0300, Helen Koike wrote:
> Hello all,
> 
> As you probably already know, Debian doesn't support the Secure Boot
> chain yet.
> To support it we need to sign Grub and the Kernel with our key, so we
> are discussing the best infrastructure for this workflow.
> 
> The first approach we had was to add a by-hand script in Dak as
> described here
> https://wiki.debian.org/SecureBoot#First_option:_by-hand_script_in_dak
> But this option wasn't well received by the ftpteam

I would like to know what the objection was.

> The second approach we have is to add some debhelper scripts (e.g
> dh_sign...) that will access a signing service which will sign the
> binaries with Debian's key.  We would use the dh_sign... helpers when
> making an extra binary package. buildd would then publish the -signed
> version of the package in the archives.
> Please see a more detailed explanation here
> https://wiki.debian.org/SecureBoot#Second_option:_use_buildd_.2B-_debhelper_instead_of_dak
> A current known issue with this approach is the NEW queue: it requires
> the maintainer to also upload binaries for an architecture on first
> upload, and these binaries are not rebuilt by the buildd ( see
> https://wiki.debian.org/SecureBoot#Issues ).

It also makes all these packages unreproducible, which is a policy
violation.

It also appears to mean that buildds can get anything signed on demand
with no human intervention at all, without all the checks that dak does
on uploads.  This seems to be to substantially raise the risk of
signing evil code and needing to revoke those signatures (or the
signing key).

Plus the reliability issues you pointed out on the wiki.

> I would like to know everyone's opinions about these approaches, if you
> agree to go forward with the second approach described above and how do
> we solve the NEW queue policy issue.

So far as I can see, the second approach is difficult, risky,
unreliable and leads to policy violations.

On the other side... there is an FTP team objection with no documented
explanation.

Ben.

-- 
Ben Hutchings
Humour is the best antidote to reality.

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

Follow-Ups:
- Re: Secure boot signing infrastructure - feedback request
  - From: Steve McIntyre <steve@einval.com>

References:
- Secure boot signing infrastructure - feedback request
  - From: Helen Koike <helen.koike@collabora.com>

Prev by Date: Re: Secure boot signing infrastructure - feedback request
Next by Date: Bug#877991: fwupd: Missing call to dh_systemd
Previous by thread: Re: Secure boot signing infrastructure - feedback request
Next by thread: Re: Secure boot signing infrastructure - feedback request
Index(es):
- Date
- Thread