
Re: Please review changes for the Debian shim -7 upload



On Mon, May 06, 2019 at 02:31:51PM -0600, dann frazier wrote:
>On Mon, May 6, 2019 at 6:25 AM Steve McIntyre <steve@einval.com> wrote:
>>
>> In particular, please check my logic in the dbx file creation. I've
>> tested this using a local VM set up with secure boot enabled and test
>> keys in the firmware, and it looked to work ok.
>>
>> Please review/test as soon as you can - I don't want this to be
>> blocking the Buster release.
>
>Nice work Steve! I don't have any feedback on the overall logic, but I
>did have some take-or-leave suggestions for the packaging, mostly
>around making the dbx list generation more robust. See:
>  https://salsa.debian.org/dannf/shim/tree/dbx-hash-cleanup
>
>The "set -e" thing is the only one I'd strongly push for.

Ooh, thanks for those. I was going to say "I like all of your
suggestions, except..." but I've just followed your changes through
and it all looks cool. :-) Merged!

We'd also need to add an empty (except comments) DBX_HASHES file for
the Ubuntu build, I guess. I'm doing that now too.

>One other thing - is there is a way to sanity check dbx.esl from the
>command line? If so, I'd suggest adding that test to the $(DBX_LIST)
>target, so that a misbehaving efisiglist fails the build. That should
>also avoid the need to version the build-dep on pesign.

It took me a while to find the issues in efisiglist, and I had a patch
ready to go. Then I found that Gary Lin had already fixed it upstream
in *exactly* the same way! Without writing another tool very similar
to pesign, it's difficult to validate its output. :-/ I ended up
printing a hexdump and using pencil and paper to work things out!

Thanks for the review and suggestions - for a key piece like this, I'm
much happier if other people's eyes have checked my work. :-)

I'll upload later.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
  Armed with "Valor": "Centurion" represents quality of Discipline,
  Honor, Integrity and Loyalty. Now you don't have to be a Caesar to
  concord the digital world while feeling safe and proud.
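A command-line sanity check of the kind dann asks about, added here as an example and not code from this thread, from shim, or from pesign/efisiglist: it parses concatenated EFI_SIGNATURE_LIST structures (layout per the UEFI spec), rejects any list whose size fields are inconsistent with the buffer, and compares the SHA-256 entries against an expected hash set such as the contents of DBX_HASHES. The encoder and the sample digests are constructed so it runs offline.

```python
import struct
import uuid
# EFI_CERT_SHA256_GUID (UEFI spec): each entry carries a 32-byte SHA-256 digest
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
LIST_HDR = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize
SHA256_SIG_SIZE = 16 + 32            # EFI_SIGNATURE_DATA: SignatureOwner GUID + digest

def parse_esl(data: bytes):
    """Walk concatenated EFI_SIGNATURE_LISTs -> [(type_uuid, [(owner_uuid, payload)])].
    Every size field is checked against the buffer, so an encoder that writes a wrong
    SignatureListSize or SignatureSize fails here instead of producing a list the
    firmware would reject or silently truncate."""
    lists, off = [], 0
    while off < len(data):
        if len(data) - off < LIST_HDR.size:
            raise ValueError(f"truncated list header at offset {off}")
        raw_type, list_size, hdr_size, sig_size = LIST_HDR.unpack_from(data, off)
        sig_type = uuid.UUID(bytes_le=raw_type)  # GUIDs are stored mixed-endian
        if list_size < LIST_HDR.size + hdr_size or off + list_size > len(data):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        body = list_size - LIST_HDR.size - hdr_size
        if sig_size < 16 or body % sig_size:
            raise ValueError(f"SignatureSize {sig_size} does not tile {body} body bytes")
        if sig_type == EFI_CERT_SHA256_GUID and sig_size != SHA256_SIG_SIZE:
            raise ValueError(f"SHA-256 list with SignatureSize {sig_size}")
        entries, pos = [], off + LIST_HDR.size + hdr_size
        for _ in range(body // sig_size):
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        lists.append((sig_type, entries))
        off += list_size
    return lists

def sha256_hashes(data: bytes):
    """Lowercase hex digests from every SHA-256 list in the blob."""
    return {p.hex() for t, ents in parse_esl(data) for _, p in ents if t == EFI_CERT_SHA256_GUID}

def check_dbx(data: bytes, expected_hex):
    """True iff the ESL carries exactly the expected digests (e.g. those in DBX_HASHES)."""
    return sha256_hashes(data) == {h.lower() for h in expected_hex}

def build_sha256_esl(owner, digests):
    """Constructed encoder (a stand-in for efisiglist) so the example has input to check."""
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in digests)
    return LIST_HDR.pack(EFI_CERT_SHA256_GUID.bytes_le, LIST_HDR.size + len(body), 0, SHA256_SIG_SIZE) + body

# Constructed sample: placeholder digests, not real shim hashes
SAMPLE_HASHES = ["11" * 32, "22" * 32]
SAMPLE_ESL = build_sha256_esl(uuid.UUID(int=0), SAMPLE_HASHES)
```

Wired into the $(DBX_LIST) target as `check_dbx(open("dbx.esl","rb").read(), hashes)`, a wrong size field or a missing digest fails the build rather than reaching the firmware.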