
Re: last preparations for switching to production Secure Boot key



On Thu, Mar 07, 2019 at 10:05:16AM +0100, Ansgar wrote:
>On Thu, 2019-03-07 at 03:11 +0000, Steve McIntyre wrote:
>> On Mon, Feb 25, 2019 at 08:13:22PM +0100, Ansgar wrote:
>> So, shim clearly will embed the Debian key so AFAICS we need to list
>> it in trusted_certs. Yes? Basically ready to upload with the
>> following (templated) json included:
>
>Which part of shim does embed the Debian key?  Is it only included in
>the part that Microsoft signs?
>
>I think trusted_certs is supposed to list keys that the binaries that
>Debian signs itself embeds?  Whatever Microsoft signs is not affected
>by our regular signing infrastructure after all.

Ah, yes. I was mis-reading the text in the wiki page late Wed
night. Neither fbXXX.efi.signed nor mmXXX.efi.signed embed keys to
further authenticate stuff. They're just themselves signed for use
from the UEFI environment.

Fixed and committed into shim.git now.

>> > Could all maintainers (for fwupd, fwupdate, grub2, linux) please ack one
>> > last time that their packages are ready for switching to the production
>> > key?  And prepare an upload with the changes described above and ready
>> > to use the production key?
>> 
>> There's a new (minor) improvement here. We're now changing the shim
>> build process so we'll also need to add shim-helpers-*-template as
>> extra targets for the signing service. We've removed the ephemeral
>> key that used to be used for signing fbXXX.efi and mmXXX.efi, and
>> instead we're going to be submitting those for proper signing. This
>> will significantly improve the reproducibility of the shim binary,
>> which I think we all agree is a good thing! :-)
>
>Submit them to signing by the Debian key?  Please tell me the names of
>the template packages before you upload them then so I can update the
>dak configuration[1].
>
>  [1] https://salsa.debian.org/ftp-team/dak/blob/master/config/debian/external-signatures.conf

Yup, they'll want signing with the Debian key too. Update in the MR at

  https://salsa.debian.org/ftp-team/dak/merge_requests/114

>> I'll go and tweak fwupd and fwupdate next, to change their json
>> signing information. Just like with grub, I think they need an empty
>> "trusted_certs" array as they don't do any signature validation
>> themselves. Yes?
>
>Yes.  That should be correct.

Cool.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"I've only once written 'SQL is my bitch' in a comment. But that code 
 is in use on a military site..." -- Simon Booth

