Re: text for SB in release notes
Hi Steve,
> [ debian-efi folks - please correct/enhance this text as you see fit,
> but do it ASAP as we want to announce this latest d-i release
> shortly. ]
Looks fine from my point of view.
One minor nit: The GRUB folks call themselves "GRUB" (all upper case),
but you use "Grub" and "grub". Maybe unify that?
> As promised, here's some text for the d-i release notes. The following
> is quite long, but I think it needs to be to explain what we're doing
> and where we're up to.
>
> UEFI Secure Boot in Debian - signed packages and verification
> =============================================================
>
> The Buster d-i alpha 5 release includes some *initial* support for
> UEFI Secure Boot (SB) in Debian's installation media.
>
> *** This support is NOT yet complete ***
>
> On amd64 machines, by default the Debian installer will now boot (and
> install) a signed version of the "shim" package as the first stage
> boot loader. Shim is the core package in a signed Linux boot chain on
> Intel-compatible PCs. It is responsible for validating signatures on
> further pieces of the boot process (Grub and the Linux kernel),
^^^^ GRUB
> allowing for verification of those pieces. Each of those pieces will
> be signed by a Debian "production" signing key that is baked into the
> shim binary itself.
>
> However, for safety during the development phase of Debian's SB
> support, we have only been using a temporary test key to sign our Grub
^^^^
> and Linux packages. If we made a mistake with key management or trust
> path verification during this development, this would save us from
> having to revoke the production key. We plan on switching to the
> production key soon.
>
> Due to the use of the test key so far, out of the box Debian will
> *not* yet install or run with SB enabled; Shim will not validate
> signatures with the test key and will stop, reporting the
> problem. This is correct and useful behaviour!
>
> Thus far, Debian users have needed to disable SB before installation
> to make things work. From now on, with SB disabled, installation and
^ +still+
> use should work just the same as previously. Shim simply chain-loads
> grub and continues through the boot chain without checking signatures.
^^^^
>
> It is possible to enrol more keys on a SB system so that shim will
> recognise and allow other signatures, and this is how we have been
> able to test the rest of the boot chain. We now invite more users to
> give us valuable test coverage on a wider variety of hardware by
> enrolling our Debian test key and running with SB enabled.
>
> *If you want to help us test our Secure Boot support*, please follow
> the instructions in the Debian wiki:
>
> https://wiki.debian.org/SecureBoot/Testing
>
> and provide feedback.
>
> With help from users, we expect to be able to ship fully-working and
> tested UEFI Secure Boot in an upcoming Debian Installer release and in
> the main Buster release itself.
>
Thank you for writing this.
Philip
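Alongside the quoted release-notes text, an added example that is not part of this thread or of Debian's own tooling: a small Python script that reads the firmware's SecureBoot and SetupMode variables from efivarfs and reports whether boot-chain signatures are actually being checked. This is the check a tester following the wiki instructions wants before and after enrolling the test key. It assumes a Linux system with efivarfs mounted at /sys/firmware/efi/efivars; the MokSBStateRT variable name and shim's vendor GUID are taken from shim/mokutil and are my assumption, not something the email states. The variable contents used in the sample are constructed inline so the parsing can be exercised without firmware access.

```python
"""
Report the UEFI Secure Boot state of a Linux system from efivarfs.

Every file in efivarfs is the variable's 4-byte attribute word followed by
the raw variable data, so the first four bytes must be skipped before the
boolean is read.  Reading and interpreting are split so the interpretation
can be tested on constructed variable contents.
"""
from pathlib import Path
from typing import Dict, Optional

EFIVARS = Path("/sys/firmware/efi/efivars")

# EFI_GLOBAL_VARIABLE GUID: owner of the firmware's SecureBoot and SetupMode.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
# shim's vendor GUID.  Assumption (from shim/mokutil, not from the email):
# shim publishes MokSBStateRT=1 when its own validation has been disabled.
SHIM_LOCK_GUID = "605dab50-e046-4300-abb6-3dd810dd8b23"

# Variable name -> GUID it lives under.
VARIABLES = {
    "SecureBoot": EFI_GLOBAL_VARIABLE,
    "SetupMode": EFI_GLOBAL_VARIABLE,
    "MokSBStateRT": SHIM_LOCK_GUID,
}


def parse_efivar(raw: bytes) -> bytes:
    """Strip the 4-byte attribute prefix efivarfs prepends to each variable."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its attribute header")
    return raw[4:]


def read_vars(vars_dir: Path = EFIVARS) -> Dict[str, bytes]:
    """Read the raw efivarfs files we care about; empty dict if not UEFI."""
    if not vars_dir.is_dir():
        return {}
    found = {}
    for name, guid in VARIABLES.items():
        path = vars_dir / f"{name}-{guid}"
        if path.exists():
            found[name] = path.read_bytes()
    return found


def _bool_var(raw_vars: Dict[str, bytes], name: str) -> Optional[bool]:
    """Decode a single-byte boolean variable; None when it is absent."""
    if name not in raw_vars:
        return None
    data = parse_efivar(raw_vars[name])
    if len(data) != 1:
        raise ValueError(f"{name}: expected 1 data byte, got {len(data)}")
    return data[0] == 1


def secure_boot_status(raw_vars: Dict[str, bytes]) -> Dict[str, Optional[bool]]:
    """Summarise whether firmware and shim are enforcing signature checks."""
    sb = _bool_var(raw_vars, "SecureBoot")
    setup = _bool_var(raw_vars, "SetupMode")
    mok_off = _bool_var(raw_vars, "MokSBStateRT")
    # Signatures are only checked when SB is on, the firmware is not in
    # Setup Mode (key databases writable), and shim validation is still on.
    enforcing = bool(sb) and not bool(setup) and not bool(mok_off)
    return {
        "uefi": bool(raw_vars),
        "secure_boot": bool(sb),
        "setup_mode": setup,
        "shim_validation_disabled": mok_off,
        "enforcing": enforcing,
    }


def describe(status: Dict[str, Optional[bool]]) -> str:
    """One-line verdict matching the situations the release notes describe."""
    if not status["uefi"]:
        return "no efivarfs: legacy BIOS boot or efivarfs not mounted"
    if status["enforcing"]:
        return "SB enforcing: shim checks GRUB/kernel signatures against its keys"
    if status["secure_boot"]:
        return "SB on but not enforcing (Setup Mode or shim validation disabled)"
    return "SB disabled: shim chain-loads GRUB without checking signatures"


# Constructed efivarfs contents: attributes 0x06 (BS|RT) then one data byte.
SAMPLE_ENFORCING = {
    "SecureBoot": b"\x06\x00\x00\x00\x01",
    "SetupMode": b"\x06\x00\x00\x00\x00",
}
SAMPLE_SHIM_DISABLED = dict(SAMPLE_ENFORCING, MokSBStateRT=b"\x06\x00\x00\x00\x01")
SAMPLE_SB_OFF = {
    "SecureBoot": b"\x06\x00\x00\x00\x00",
    "SetupMode": b"\x06\x00\x00\x00\x00",
}

if __name__ == "__main__":
    print(describe(secure_boot_status(read_vars())))
```

Run as root (efivarfs entries are normally root-readable only) to see the live verdict; the three SAMPLE_* dictionaries show the byte layout you should expect when inspecting the files by hand with a hex dump.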