Re: Where are we with SB? What's missing?

To: Ansgar Burchardt <ansgar@43-1.org>
Cc: Ben Hutchings <ben@decadent.org.uk>, Bastian Blank <waldi@debian.org>, debian-efi@lists.debian.org, Luke Faraone <lfaraone@debian.org>
Subject: Re: Where are we with SB? What's missing?
From: Steve McIntyre <steve@einval.com>
Date: Tue, 4 Dec 2018 23:42:52 +0000
Message-id: <[🔎] 20181204234252.7ti4f46x2tk4aqlu@tack.einval.com>
In-reply-to: <[🔎] 87r2exkp5u.fsf@marvin.43-1.org>
References: <20181005180116.v6knu3y4dwhm6iuu@tack.einval.com> <77c954bc179c19dd5ddf8a51221196c3bd0e0896.camel@43-1.org> <20181011155848.4ikpjtiwqe2wqljj@tack.einval.com> <f70a98b80381669af9987ac26e5002fdf5c04442.camel@decadent.org.uk> <20181030012654.tgitf2zjiq6dw6qr@tack.einval.com> <2e45405ab75256fe146ffd0c7596dc2cac3652f8.camel@decadent.org.uk> <20181127195016.yhr432bpmbtyvti6@shell.thinkmo.de> <[🔎] 20181204023808.c76sbjw5nwalovlw@tack.einval.com> <[🔎] 87r2exkp5u.fsf@marvin.43-1.org>

On Tue, Dec 04, 2018 at 09:33:33PM +0100, Ansgar Burchardt wrote:
>Steve McIntyre writes:
>> On Tue, Nov 27, 2018 at 08:50:16PM +0100, Bastian Blank wrote:
>>>On Wed, Oct 31, 2018 at 03:39:01AM +0000, Ben Hutchings wrote:
>>>> > OK. What's needed? Is this a blocker for us pre-Buster?
>>>> No, it's not a blocker.
>>>
>>>So we don't have any blockers.  What do we need to do for switching to
>>>the production key?
>>
>> AFAICS now we need ftpmaster to turn this on. Luke/Ansgar - can we get
>> an ETA please? Buster freeze is getting awfully close...
>
>I think I have to give up on getting the secure boot service to run
>properly unattended before that; but that can still happen later.
>People might have to ping ftp-master when something needs to be signed
>for a while.

While it's clearly not where we want to be, that sounds like a fair
short-term plan, I think.

>Do any packages we sign (fwupd, fwupdate, grub2, linux) have hardcoded
>keys they trust?  linux has one (the trusted key for signing modules).
>Are there any other keys that need to be switched for production?

Mario has already answered for fwupd and fwupdate. Linux is complex,
and Ben is the expert there. I'm reasonably happy about grub2.

>Have we tested that grub2 and linux do not allow loading unsigned
>kernels / modules? (AFAIK yes, but let's make sure.)

It's definitely worth making sure, yes.

>Do fwupd, fwupdate have anything we need to test?  Do they allow loading
>extensions or anything else that allows running arbitrary code?
>
>Anything else we need to check?

I'd like to test the whole thing end-to-end and validate at each step,
ideally, using real machines. I've not had a chance to do that yet,
and I feel bad about that. :-/

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"I suspect most samba developers are already technically insane... Of
 course, since many of them are Australians, you can't tell." -- Linus Torvalds

Reply to:

Follow-Ups:
- Re: Where are we with SB? What's missing?
  - From: Ben Hutchings <ben@decadent.org.uk>
- Re: Re: Where are we with SB? What's missing?
  - From: Hideki Yamane <henrich@iijmio-mail.jp>

References:
- Re: Where are we with SB? What's missing?
  - From: Steve McIntyre <steve@einval.com>
- Re: Where are we with SB? What's missing?
  - From: Ansgar Burchardt <ansgar@43-1.org>

Prev by Date: RE: Where are we with SB? What's missing?
Next by Date: Re: Where are we with SB? What's missing?
Previous by thread: RE: Where are we with SB? What's missing?
Next by thread: Re: Where are we with SB? What's missing?
Index(es):
- Date
- Thread