
Re: Slides for presentation at DebConf (request for help)



Hello Helen, hello Steve L,

I just returned today to work after vacations, so sorry for the late reply.

On 20.07.2018 at 01:18, Helen Koike wrote:
> I started the slides for DebConf presentation.
> 
> 	https://salsa.debian.org/koike-guest/sb-debconf2018-slides
...
> Philipp: Could you add the state of shim and its boot service please?

@Steve: Can you please have a look at my tree
<https://salsa.debian.org/pmhahn/shim/tree/signing>. Debian still seems
to have the very old version 0.9 and lists a LP:bzr URL as the source
repository, which makes it somewhat more complicated to contribute.
From my personal experience to get SHIM signed by Microsoft I started
with version "14", which is the current "latest-release".

At the Secure-Boot-Sprint in Fulda past May we expressed to have SHIM
reproducible. Therefore the ephemeral key embedded inside SHIM and used
to sign MM and FB needs to be disabled. Instead MM and FB need to get
signed by the static "Debian Secure Boot CA" key embedded inside SHIM
anyway. For this to happen the unsigned binaries need to be sent to the
Debian UEFI signing service, which needs some template files. My GIT
tree includes all those changes in the last 6 patches.

I have successfully tested that version on amd64 by signing the binary
with my own keys loaded into my QEMU setup: A signed Linux kernel gets
loaded. (If I remember correctly I was also able to load MM and FB then
signed by my self-generated equivalent of a "Debian Secure Boot CA".)

I'd like you to pick those changes up and to release a new version of SHIM.
After that (and some more testing) the main SHIM binary needs to get
signed by Microsoft.

If you prefer some other work-flow, please just ask.


> Someone: grub current state?

Collin merged Lucas and my patch-set yesterday and seems to be busy
fixing some test failures:
<https://salsa.debian.org/grub-team/grub/commits/master>
So I expect a new version to be released shortly.

Depending on the state of the Signing-Box we also should see signed
binaries, too ;-)


> We can also sync during DebConf

Sorry, I did not make it to DebConf this year.

Philipp
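As an added example (not code from this thread, from shim, or from the Debian signing service), a small Python check of the kind a practitioner might run on MM, FB or shim images before submitting them to the signing service: it parses the PE Certificate Table (data directory 4) and reports whether the image already carries an Authenticode signature, which is what an embedded ephemeral key would have produced. `build_fake_pe` is a constructed PE32+ skeleton, not a loadable image, so the check can be exercised offline.

```python
import struct

# WIN_CERTIFICATE constants from the PE / Authenticode specification
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200


def authenticode_entries(pe):
    """Return the WIN_CERTIFICATE entries of a PE image as a list of
    (revision, cert_type, pkcs7_bytes); an empty list means unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_off = e_lfanew + 4 + 20                      # skip the COFF file header
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    if magic == 0x10B:                               # PE32
        dd_off = opt_off + 96
    elif magic == 0x20B:                             # PE32+ (amd64 shim)
        dd_off = opt_off + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    # Data directory 4 is the Certificate Table; unlike the other entries its
    # first field is a raw file offset, not an RVA.
    sec_off, sec_size = struct.unpack_from("<II", pe, dd_off + 4 * 8)
    entries, pos, end = [], sec_off, sec_off + sec_size
    while sec_off and pos + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or pos + length > end:
            raise ValueError("truncated WIN_CERTIFICATE entry")
        entries.append((rev, ctype, pe[pos + 8:pos + length]))
        pos += (length + 7) & ~7                     # entries are 8-byte aligned
    return entries


def build_fake_pe(pkcs7=None):
    """Constructed minimal PE32+ header, optionally followed by one
    certificate-table entry wrapping pkcs7 (test data, not a real image)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew
    opt = struct.pack("<H", 0x20B) + b"\0" * 110                 # PE32+ magic
    body = dos + b"PE\0\0" + b"\0" * 20 + opt
    dirs, cert_blob = [(0, 0)] * 16, b""
    if pkcs7 is not None:
        cert_blob = struct.pack("<IHH", 8 + len(pkcs7), WIN_CERT_REVISION_2_0,
                                WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
        cert_blob += b"\0" * (-len(cert_blob) % 8)
        dirs[4] = (len(body) + 16 * 8, len(cert_blob))
    return body + b"".join(struct.pack("<II", *d) for d in dirs) + cert_blob
```

On a real image, `authenticode_entries(open(path, "rb").read())` returning an empty list is the "unsigned, ready for the signing service" state; a non-empty list means a signature is already embedded and should be inspected (e.g. with sbverify or openssl) before submission.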

