Re: text for SB in release notes

To: Steve McIntyre <steve@einval.com>, Cyril Brulebois <kibi@debian.org>
Cc: debian-efi@lists.debian.org
Subject: Re: text for SB in release notes
From: Philipp Hahn <pmhahn@pmhahn.de>
Date: Tue, 12 Feb 2019 09:00:07 +0100
Message-id: <[🔎] 0ea5b049-4377-59ca-24ab-b9663358cfb6@pmhahn.de>
In-reply-to: <20190129193456.dxrewb75lfp2eblo@tack.einval.com>
References: <20190129193456.dxrewb75lfp2eblo@tack.einval.com>

Hi Steve,

> [ debian-efi folks - please correct/enhance this text as you see fit,
>   but do it ASAP as we want to announce this latest d-i release
>   shortly. ]

Looks fine from my point of view.
One minor nit: The GRUB folks call themselves "GRUB" (all upper case),
but you use "Grub" and "grub". Maybe unify that?

> As promised, here's some text for the d-i release notes. The following
> is quite long, but I think it needs to be to explain what we're doing
> and where we're up to.
> 
> UEFI Secure Boot in Debian - signed packages and verification
> =============================================================
> 
> The Buster d-i alpha 5 release includes some *initial* support for
> UEFI Secure Boot (SB) in Debian's installation media.
> 
>  *** This support is NOT yet complete ***
> 
> On amd64 machines, by default the Debian installer will now boot (and
> install) a signed version of the "shim" package as the first stage
> boot loader. Shim is the core package in a signed Linux boot chain on
> Intel-compatible PCs. It is responsible for validating signatures on
> further pieces of the boot process (Grub and the Linux kernel),
                                      ^^^^ GRUB
> allowing for verification of those pieces. Each of those pieces will
> be signed by a Debian "production" signing key that is baked into the
> shim binary itself.
> 
> However, for safety during the development phase of Debian's SB
> support, we have only been using a temporary test key to sign our Grub
                                                                    ^^^^
> and Linux packages. If we made a mistake with key management or trust
> path verification during this development, this would save us from
> having to revoke the production key. We plan on switching to the
> production key soon.
> 
> Due to the use of the test key so far, out of the box Debian will
> *not* yet install or run with SB enabled; Shim will not validate
> signatures with the test key and will stop, reporting the
> problem. This is correct and useful behaviour!
> 
> Thus far, Debian users have needed to disable SB before installation
> to make things work. From now on, with SB disabled, installation and
                                           ^ +still+
> use should work just the same as previously. Shim simply chain-loads
> grub and continues through the boot chain without checking signatures.
  ^^^^
> 
> It is possible to enrol more keys on a SB system so that shim will
> recognise and allow other signatures, and this is how we have been
> able to test the rest of the boot chain. We now invite more users to
> give us valuable test coverage on a wider variety of hardware by
> enrolling our Debian test key and running with SB enabled.
> 
> *If you want to help us test our Secure Boot support*, please follow
> the instructions in the Debian wiki:
> 
>    https://wiki.debian.org/SecureBoot/Testing
> 
> and provide feedback.
> 
> With help from users, we expect to be able to ship fully-working and
> tested UEFI Secure Boot in an upcoming Debian Installer release and in
> the main Buster release itself.
> 

Thank you for writing this.
Philip

Reply to:

Follow-Ups:
- Re: text for SB in release notes
  - From: Cyril Brulebois <kibi@debian.org>

Prev by Date: Re: Updating shim for buster
Next by Date: Re: Updating shim for buster
Previous by thread: libxmlb_0.1.6-2_source.changes ACCEPTED into unstable
Next by thread: Re: text for SB in release notes
Index(es):
- Date
- Thread