
shim updates - where are we for Buster?



Hi folks,

Time for an update on shim, I think!

As I've just mentioned separately, I've uploaded an NMU of shim-signed
to unstable this evening to unblock d-i etc. That will give us a
working fallback for SB in case we *don't* get our new shim signed and
returned in time.

I've merged the changes from Philipp and Luca (thanks for the work
guys!) onto HEAD of our shim repo, and added a few obvious tweaks on
top:

d71a71f Change maintenance address to be the EFI team
739950c Typo fix: s,singing,signing,g

In terms of packaging, I'd like to make one more tweak. I'm thinking
about the confusing package names we're about to generate:

  source             binaries
  ======             ========
  shim               shim-unsigned
                     shim-$arch-signed-template
                     (signing-service adds sigs and generates shim-$arch-signed)

  shim-$arch-signed  shim-$arch-signed
                     (combining Debian sigs with helper binaries from shim-unsigned)

  ALSO:

  shim-signed        shim-signed
                     (combining MS sigs with binaries from shim-unsigned)

I don't like the fact that the shim-$arch-signed packages don't
contain an actual shim binary, just the fbXXX.efi.signed and
mmXXX.efi.signed helper binaries. I think it *will* confuse people. So
I've prepared a branch and MR to change the package names to:

  source                     binaries
  ======                     ========
  shim                       shim-unsigned
                             shim-helpers-$arch-signed-template
                             (signing-service adds sigs and generates
                              shim-helpers-$arch-signed)

  shim-helpers-$arch-signed  shim-$arch-signed
                             (combining Debian sigs with helper
                              binaries from shim-unsigned)

  ALSO:

  shim-signed        shim-signed
                     (combining MS sigs with binaries from shim-unsigned)

If you think this is a sensible thing to do, please review and merge

  https://salsa.debian.org/efi-team/shim/merge_requests/2

I think the last 3 things we need to do are:

 1. update the json in the -template packages to match what Ansgar
    wants (to add a new top-level "packages" key). Easy!

 2. add the "trusted_certs" entry for the Debian key in the json. Also
    easy!

 3. FINALLY: test for reproducibility of the shimXXX.efi binary and
    push to MS for review and signing. Tollef and I already worked on
    this a little tonight. Once the other changes are done, I think we
    should be in a good state for submission in the next few days.

What else am I missing here? Please shout... :-)

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"Because heaters aren't purple!" -- Catherine Pitt


