
Re: last preparations for switching to production Secure Boot key



Hi Ansgar,

Just preparing the last changes that I think we need for *shim* before
we get a new set of binaries signed.

On Mon, Feb 25, 2019 at 08:13:22PM +0100, Ansgar wrote:
>
>I added support for listing `trusted_certs`[1] as proposed by Ben
>Hutchings.  This means the `files.json` structure *must* list the
>sha256sum of certificates the signed binaries will trust (this can be an
>empty list in case no hard-coded certificates are trusted).
>
>I would like to implement one additional change.  Currently files.json
>looks like this:
>
>```json
>{
>    "linux-object": {
>        "trusted_certs": ["4e5e7bfe18206d3648aed66fbafda1381bbb2687a530ae6d989b64fee6efd760"],
>        "files": [
>            {"sig_type": "linux-module", "file": "usr/lib/linux-object/dummy.ko"}
>        ]
>    }
>}
>```
>
>This is not extendable; therefore I would like to move everything below a
>top-level `packages` key, i.e. the file would look like this instead:
>
>```json
>{
>    "packages": {
>        "linux-object": {
>            "trusted_certs": ["4e5e7bfe18206d3648aed66fbafda1381bbb2687a530ae6d989b64fee6efd760"],
>            "files": [
>                {"sig_type": "linux-module", "file": "usr/lib/linux-object/dummy.ko"}
>            ]
>        }
>    }
>}
>```

So, shim clearly will embed the Debian key so AFAICS we need to list
that in trusted_certs. Yes? Basically ready to upload with the
following (templated) json included:

```json
{
    "packages": {
        "shim-unsigned": {
            "trusted_certs": ["079646974bce09b1f04da67bd722d1fb0947ae4c4010bccdbba52d5b23cbf1a2"],
            "files": [
                {"sig_type": "efi", "file": "usr/lib/shim/fb@efi@.efi"},
                {"sig_type": "efi", "file": "usr/lib/shim/mm@efi@.efi"}
            ]
        }
    }
}
```

>This would allow adding additional top-level keys later should the need
>arise.  (I'll prepare the archive-side changes for this later today.)

Cool.

>Could all maintainers (for fwupd, fwupdate, grub2, linux) please ack one
>last time that their packages are ready for switching to the production
>key?  And prepare an upload with the changes described above and ready
>to use the production key?

There's a new (minor) improvement here. We're now changing the shim
build process so we'll also need to add shim-helpers-*-template as
extra targets for the signing service. We've removed the ephemeral
key that used to be used for signing fbXXX.efi and mmXXX.efi, and
instead we're going to be submitting those for proper signing. This
will significantly improve the reproducibility of the shim binary,
which I think we all agree is a good thing! :-)

I'll go and tweak fwupd and fwupdate next, to change their json
signing information. Just like with grub, I think they need an empty
"trusted_certs" array as they don't do any signature validation
themselves. Yes?

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
Who needs computer imagery when you've got Brian Blessed?


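A small validator for the `packages`-style files.json layout discussed in the thread, added here as an example; it is not code from the thread, from shim or from the Debian signing service. The function names `validate_files_json` and `cert_fingerprint`, the `SAMPLE` document and the check on `sig_type` values (only `efi` and `linux-module` appear in the thread) are assumptions made for this example.

```python
# Added example: check a files.json in the new `packages` layout.
# Not from the thread or from the archive-side code; names are assumed.
import hashlib
import json
import re

SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")
# Only the sig_type values that appear in the thread are accepted here.
KNOWN_SIG_TYPES = {"efi", "linux-module"}

# Constructed sample: the templated shim-unsigned entry from the thread.
SAMPLE = """{
    "packages": {
        "shim-unsigned": {
            "trusted_certs": ["079646974bce09b1f04da67bd722d1fb0947ae4c4010bccdbba52d5b23cbf1a2"],
            "files": [
                {"sig_type": "efi", "file": "usr/lib/shim/fb@efi@.efi"},
                {"sig_type": "efi", "file": "usr/lib/shim/mm@efi@.efi"}
            ]
        }
    }
}"""


def cert_fingerprint(der_bytes: bytes) -> str:
    """sha256sum of a DER certificate, in the form trusted_certs lists it."""
    return hashlib.sha256(der_bytes).hexdigest()


def validate_files_json(text: str) -> list:
    """Return a list of problems; an empty list means the file is acceptable."""
    problems = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"invalid JSON: {e}"]
    packages = doc.get("packages") if isinstance(doc, dict) else None
    if not isinstance(packages, dict):
        return ["missing top-level 'packages' object (old flat layout?)"]
    for name, pkg in packages.items():
        certs = pkg.get("trusted_certs") if isinstance(pkg, dict) else None
        # trusted_certs is mandatory; an empty list is valid and means the
        # binary hard-codes no certificates (the grub/fwupd case).
        if not isinstance(certs, list):
            problems.append(f"{name}: 'trusted_certs' must be a list")
        else:
            problems += [f"{name}: bad sha256sum {c!r}" for c in certs
                         if not isinstance(c, str) or not SHA256_HEX.match(c)]
        files = pkg.get("files") if isinstance(pkg, dict) else None
        if not isinstance(files, list) or not files:
            problems.append(f"{name}: 'files' must be a non-empty list")
            continue
        for entry in files:
            if not isinstance(entry, dict) or set(entry) != {"sig_type", "file"}:
                problems.append(f"{name}: entry needs sig_type and file: {entry!r}")
            elif entry["sig_type"] not in KNOWN_SIG_TYPES:
                problems.append(f"{name}: unknown sig_type {entry['sig_type']!r}")
    return problems
```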