
Re: shim: unreproducible build due to embedded ephemeral certificate



Control: tags -1 patch

On Wed, 13 Feb 2019 12:53:09 +0000 Luca Boccassi <bluca@debian.org>
wrote:
> Dear Maintainer,
> 
> As requested on debian-efi, opening a bug trying to collate all
> information and rationale with regards to using the Debian key to sign
> MoK and FB.
> 
> The debian-efi developers and collaborators, as discussed during the
> secure boot sprint [1], would like the things we (Debian) sign to be
> reproducible so anybody can make sure that nobody (including Debian)
> sneaked in any changes.
> Albeit the shim binary gets signed by Microsoft (and not by Debian) the
> same logic should apply to it: We want to make sure that nothing got
> changed in shim by anybody.
> 
> Although a run of diffoscope would show that the only things changing
> are the ephemeral embedded key (and the host kernel version), this is a
> manual step that would not be easily accessible to non-tech-savvy
> users. Having reproducibility "just work" by default means that the CI
> can take care of it, and notice regressions automatically.
> 
> The Debian key, other than for fwupdate, kernel image and GRUB, is
> already used to also sign all the Linux kernel modules, which are ~3.4k
> for linux-image-4.9.0-8-amd64, multiplied by our number of
> architectures and sub-architectures. So, using it for MoK and FB as
> well doesn't seem to add much more exposure, in the grand scheme of
> things.
> 
> The work to make src:shim use the Debian signing infrastructure was
> already done last year by Philipp, and is available on Salsa [2].
> 
> In case it can help to share the workload, I will try to do some work
> later today to cherry-pick those commits and send an MR on Salsa for
> the latest version.
> 
> Thank you for your work on Shim!
> 
> -- 
> Kind regards,
> Luca Boccassi
> 
> [1] https://etherpad.wikimedia.org/p/debian-secure-boot-2018
> [2] https://salsa.debian.org/pmhahn/shim

Dear Maintainer,

I have opened an MR on Salsa which ports the changes from Philipp and
adds another patch to avoid using uname during the build:

https://salsa.debian.org/vorlon/shim/merge_requests/1

I have tested this on sid-amd64 and it seems to work as intended.

Thanks!

-- 
Kind regards,
Luca Boccassi
