Bug#920014: Move forward on this

To: <920014@bugs.debian.org>
Cc: Luca Boccassi <bluca@debian.org>
Subject: Bug#920014: Move forward on this
From: Perez Yves-Alexis <yves-alexis.perez@ssi.gouv.fr>
Date: Fri, 20 Dec 2019 15:35:28 +0100
Message-id: <[🔎] c6f068d8-ac36-621c-8476-e89abc9f58dd@ssi.gouv.fr>
Reply-to: Perez Yves-Alexis <yves-alexis.perez@ssi.gouv.fr>, 920014@bugs.debian.org
References: <1548085504.8759.10.camel@debian.org>

Hi,

could someone from the EFI team review the MR from Luca?

At ANSSI we are testing hardware acquired for the French administration
for various security requirements [1], one of them beeing that the
secure boot key should be updatable.

We test this requirement by generating a small PKI and a USB key based
on various efitools/sbsigntool binaries [2].

The efitools version currently in Debian has a bug which prevents
updating the platform key on some implementation (for example some
Lenovo ThinkPads with AMD processors [3]). The bug is fixed in 1.9.0+ so
it'd be really nice to include it in Debian (for our use case, but more
generally for all people wanting to update the PK in their machine).

Thanks in advance!

[1]
https://www.ssi.gouv.fr/en/guide/hardware-security-requirements-for-x86-platforms/
[2] https://github.com/ANSSI-FR/chipsec-check/tree/master/tools
[3]
https://forums.lenovo.com/t5/ThinkPad-11e-Windows-13-E-and/Cannot-install-custom-secure-boot-PK-platform-key/td-p/4318378
[4]
https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git/commit/?id=e57bafc268511ad54598627b663a7ae86bd856f5
--
Yves-Alexis Perez
ANSSI/SDE/ST/LAM
Les données à caractère personnel recueillies et traitées dans le cadre de cet échange, le sont à seule fin d’exécution d’une relation professionnelle et s’opèrent dans cette seule finalité et pour la durée nécessaire à cette relation. Si vous souhaitez faire usage de vos droits de consultation, de rectification et de suppression de vos données, veuillez contacter contact.rgpd@sgdsn.gouv.fr. Si vous avez reçu ce message par erreur, nous vous remercions d’en informer l’expéditeur et de détruire le message. The personal data collected and processed during this exchange aims solely at completing a business relationship and is limited to the necessary duration of that relationship. If you wish to use your rights of consultation, rectification and deletion of your data, please contact: contact.rgpd@sgdsn.gouv.fr. If you have received this message in error, we thank you for informing the sender and destroying the message.

Reply to:

Follow-Ups:
- Bug#920014: Move forward on this
  - From: Steve McIntyre <steve@einval.com>

Prev by Date: [bts-link] source package src:shim
Next by Date: Bug#920014: Move forward on this
Previous by thread: [bts-link] source package src:shim
Next by thread: Bug#920014: Move forward on this
Index(es):
- Date
- Thread