
Re: Debian Signed shim and grub images source code request



]] adrian15sgd 

Hi,

If you're not already familiar with how Debian packages work, I would
recommend you read https://wiki.debian.org/DebianDevelopment, including
the developers reference and policy linked to from there.

> 4) So... my question is...
> 
> How do I get the source code for:
> - The Debian Secure Boot signed shim binary
> - The Debian Secure Boot signed grub binary

The easiest way is to just do apt-get source shim-signed and apt-get
source grub-efi-amd64-signed in a running Debian system.

[...]

> Shouldn't I have every software involved on this build?

Sure, follow the build-dependencies listed in debian/control inside the
source package.

> Shouldn't I have every software that I need to install in an empty
> machine to make this build?

That's called installing Debian.  You _could_ do this using a live
Debian image to build. I would not recommend doing that, as I think
you'll end up with a lot of extra work that way.

[...]

> In addition to this I think I need the source code of the tools that
> you use for:
> - Creating your CA

There aren't any tools as such, it was done by running certutil by
hand.  https://en.altlinux.org/UEFI_SecureBoot_mini-HOWTO#Your_CA has
some steps that look quite reasonable.

> - Creating CSR so that Microsoft signs your certificate

It's done using a tool from digicert, called by hand.

> - Sign shim with your CA (or maybe this is signed by Microsoft itself).

It is signed by MS.

> - Sign grub with your CA

https://wiki.debian.org/SecureBoot/Discussion talks about the design for
the signing machinery.  While you could run it yourself, it's probably
overkill for a small operation.

> I mean, all of these tools that in some extent contribute to the
> signed shim and grub binaries.

shim and grub are quite separate.  We sign grub ourselves, so that's
more resembling a normal-ish build.  Shim is uploaded to MS with a code
signing signature and we get a signed version back where we then
reattach that signature as part of the build process for shim-signed.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
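As an added example (not part of this thread, and not Debian's own tooling), a script that lists the package names in the Build-Depends field of a debian/control file, which is the step suggested above for finding every tool a source package such as shim-signed needs; the control content is constructed for illustration, not the real shim-signed one.

```shell
#!/bin/sh
# List the package names a source package declares in Build-Depends, so the
# full tool set behind a build is visible before reproducing it.
# Handles continuation lines, version constraints "(>= x)", alternatives
# "a | b", architecture qualifiers "[amd64]" and build profiles "<!nocheck>".

# Constructed sample debian/control (assumption: not the real shim-signed file).
SAMPLE_CONTROL='Source: example-signed
Section: admin
Priority: optional
Maintainer: Example Maintainer <maint@example.invalid>
Build-Depends: debhelper-compat (= 13),
 sbsigntool (>= 0.9.1~),
 openssl | libssl-bin [amd64 arm64],
 pesign <!nocheck>,
Standards-Version: 4.6.0

Package: example-signed
Architecture: amd64
Depends: ${misc:Depends}
Description: constructed example
 This stanza is not part of Build-Depends.
'

# Print one package name per line, in order of appearance.
build_depends_names() {
    printf '%s' "$SAMPLE_CONTROL" | awk '
        /^Build-Depends:/ { infield = 1; sub(/^Build-Depends:/, "") }
        infield && /^$/ { infield = 0 }           # stanza ended
        infield && /^[^ \t]/ { infield = 0 }      # next field started
        infield {
            gsub(/\([^)]*\)/, "")                 # drop version constraints
            gsub(/\[[^]]*\]/, "")                 # drop architecture qualifiers
            gsub(/<[^>]*>/, "")                   # drop build-profile qualifiers
            n = split($0, parts, /[,|]/)          # split deps and alternatives
            for (i = 1; i <= n; i++) {
                name = parts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", name)
                if (name != "") print name
            }
        }'
}

build_depends_names
```

Replace SAMPLE_CONTROL with the contents of debian/control from `apt-get source shim-signed` to list the real build-dependencies.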

