Re: Debian Signed shim and grub images source code request
To: adrian15sgd
Hi,
If you're not already familiar with how Debian packages work, I would
recommend you read https://wiki.debian.org/DebianDevelopment, including
the developers reference and policy linked to from there.
> 4) So... my question is...
>
> How do I get the source code for:
> - The Debian Secure Boot signed shim binary
> - The Debian Secure Boot signed grub binary
The easiest way is to just do apt-get source shim-signed and apt-get
source grub-efi-amd64-signed in a running Debian system.
[...]
> Shouldn't I have every software involved on this build?
Sure, follow the build-dependencies listed in debian/control inside the
source package.
> Shouldn't I have every software that I need to install in an empty
> machine to make this build?
That's called installing Debian. You _could_ do this using a live
Debian image to build. I would not recommend doing that, as I think
you'll end up with a lot of extra work that way.
[...]
> In addition to this I think I need the source code of the tools that
> you use for:
> - Creating your CA
There aren't any tools as such, it was done by running certutil by
hand. https://en.altlinux.org/UEFI_SecureBoot_mini-HOWTO#Your_CA has
some steps that look quite reasonable.
> - Creating CSR so that Microsoft signs your certificate
It's done using a tool from digicert, called by hand.
> - Sign shim with your CA (or maybe this is signed by Microsoft itself).
It is signed by MS.
> - Sign grub with your CA
https://wiki.debian.org/SecureBoot/Discussion talks about the design for
the signing machinery. While you could run it yourself, it's probably
overkill for a small operation.
> I mean, all of these tools that in some extent contribute to the
> signed shim and grub binaries.
shim and grub are quite separate. We sign grub ourselves, so that's
more resembling a normal-ish build. Shim is uploaded to MS with a code
signing signature and we get a signed version back where we then
reattach that signature as part of the build process for shim-signed.
--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
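As an added example (my own code, not from this thread or from the Debian packaging tools), here is a small Python parser for the Build-Depends field found in debian/control once apt-get source has unpacked a package; it applies the architecture and build-profile qualifiers so the resulting list reflects what a given build machine actually needs. The control stanza inside it is constructed for illustration and does not reproduce the real shim-signed or grub-efi-amd64-signed files.

```python
# Added example: parse the Build-Depends field of a debian/control file, arch and
# build-profile aware, to list what an empty build machine must have installed.
import re
from typing import List, Optional, Set

# Constructed sample stanza, not the real shim-signed or grub-efi-amd64-signed control.
SAMPLE_CONTROL = """\
Build-Depends: debhelper-compat (= 13),
 sbsigntool (>= 0.9) [amd64 arm64],
 pesign | sbsigntool,
 openssl <!nocheck>,
 dh-python [!i386] <!nocross>,
Standards-Version: 4.6.0
"""
# Field value = its first line plus continuation lines starting with whitespace.
_FIELD_RE = re.compile(r"^Build-Depends:\s*(.*(?:\n[ \t].*)*)", re.MULTILINE)
# One alternative: name[:archqual] [(version relation)] [[arch list]] [<profile lists>]
_DEP_RE = re.compile(r"^(?P<name>[a-z0-9][a-z0-9+.-]*)(?::[a-z0-9-]+)?\s*(?:\([^)]*\))?"
                     r"\s*(?:\[(?P<archs>[^\]]*)\])?\s*(?P<profiles>(?:<[^>]*>\s*)*)$")

def _arch_ok(spec: Optional[str], arch: str) -> bool:
    """[amd64 arm64] is an allow-list, [!i386] a deny-list, absent means any arch."""
    items = (spec or "").split()
    if items and all(i.startswith("!") for i in items):
        return arch not in {i[1:] for i in items}
    return not items or arch in items

def _profiles_ok(spec: str, active: Set[str]) -> bool:
    """<a b> <c>: OR between lists, AND within a list; '!' negates a term."""
    lists = re.findall(r"<([^>]*)>", spec)
    return not lists or any(all(t[1:] not in active if t.startswith("!") else t in active
                                for t in group.split()) for group in lists)

def build_depends(control: str, arch: str = "amd64",
                  profiles: Set[str] = frozenset()) -> List[List[str]]:
    """Each comma clause becomes the list of its '|' alternatives that apply here."""
    m = _FIELD_RE.search(control)
    field = " ".join(ln.strip() for ln in m.group(1).splitlines()) if m else ""
    clauses = []
    for clause in field.split(","):            # a trailing comma is legal and yields ""
        alts = []
        for alt in filter(None, (a.strip() for a in clause.split("|"))):
            dm = _DEP_RE.match(alt)
            if not dm:
                raise ValueError(f"cannot parse dependency {alt!r}")
            if _arch_ok(dm["archs"], arch) and _profiles_ok(dm["profiles"], profiles):
                alts.append(dm["name"])
        if alts:
            clauses.append(alts)
    return clauses
```

Taking the first entry of each clause gives the package set apt-get build-dep would prefer; passing a different arch or an active profile set such as {"nocheck"} shows which dependencies drop out.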