Re: Debian Signed shim and grub images source code request
Sorry about the late reply.
Sorry about not being able to quote your email message properly. I think
that, even being subscribed to the mailing list, it went to the spam
folder back in the day and I wasn't able to recover it.
]] adrian15sgd
Hi,
If you're not already familiar with how Debian packages work, I would
recommend you read https://wiki.debian.org/DebianDevelopment, including
the developers reference and policy linked to from there.
Yeah, I'm quite familiar with Debian binary packages and Debian source
packages.
> 4) So... my question is...
>
> How do I get the source code for:
> - The Debian Secure Boot signed shim binary
> - The Debian Secure Boot signed grub binary
The easiest way is to just do apt-get source shim-signed and apt-get
source grub-efi-amd64-signed in a running Debian system.
Yes, that's usually the case with software that is fetched from
upstream, I agree.
[...]
> Shouldn't I have every software involved on this build?
Sure, follow the build-dependencies listed in debian/control inside the
source package.
Yeah, ok, I could steal the Debian Live script part that builds a source
code tarball for the live cd if needed.
> Shouldn't I have every software that I need to install in an empty
> machine to make this build?
That's called installing Debian. You _could_ do this using a live
Debian image to build. I would not recommend doing that, as I think
you'll end up with a lot of extra work that way.
Yeah, instead of a Debian live image I am now thinking about a docker image.
But that's not my problem... you know.... this is Super Grub2 Disk and
if I attach binaries from a third party (shimx64.efi.signed and
grubx64.efi.signed) I want to add their own source code.
And that's where Debian is not so good at giving me the source code of
these two particular packages.
Because, as you explain later, you cannot rely solely on running apt-get
source shim-signed (or downloading the corresponding Debian source package).
[...]
> In addition to this I think I need the source code of the tools that
> you use for:
> - Creating your CA
There aren't any tools as such, it was done by running certutil by
hand. https://en.altlinux.org/UEFI_SecureBoot_mini-HOWTO#Your_CA has
some steps that look quite reasonable.
Ok. I was expecting the steps described there to be bundled into a script
saved in the shim-signed source package.
> - Creating CSR so that Microsoft signs your certificate
It's done using a tool from digicert, called by hand.
I see.
> - Sign shim with your CA (or maybe this is signed by Microsoft itself).
It is signed by MS.
Ok.
> - Sign grub with your CA
https://wiki.debian.org/SecureBoot/Discussion talks about the design for
the signing machinery. While you could run it yourself, it's probably
overkill for a small operation.
Yeah, it's not for my own personal usage.
It's about the willingness to comply by supplying the associated source code
next to the binaries.
> I mean, all of these tools that in some extent contribute to the
> signed shim and grub binaries.
shim and grub are quite separate. We sign grub ourselves, so that's
more resembling a normal-ish build. Shim is uploaded to MS with a code
signing signature and we get a signed version back where we then
reattach that signature as part of the build process for shim-signed.
I see.
So, let me re-ask my original question in a slightly different manner.
1) DFSG says ( https://www.debian.org/social_contract.en.html#guidelines ):
2. Source Code. The program must include source code, and must
allow distribution in source code as well as compiled form
2) Signed Shim packages
You can take a look at: https://packages.debian.org/bullseye/shim-signed
which includes:
shimx64.efi.signed
As it is explained in https://wiki.debian.org/SecureBoot/Discussion it
has two parts the 'classic binary' and the 'signature'.
I assume that the 'classic binary' build source code is found in the
corresponding source package, which is
https://packages.debian.org/source/bullseye/shim-signed .
The way you have so far described how this is signed, I can only assume
that the 'signature' build process is NOT found in the corresponding
source package, which is
https://packages.debian.org/source/bullseye/shim-signed .
So...
2.1) How can Debian itself comply with its own DFSG guidelines if
it is not supplying the source code of one of its binary parts?
2.2) Or maybe as it is a signature... then it is not a binary program?
And thus it does not need to have its associated source code?
3) Signed Grub packages
You can take a look at:
https://packages.debian.org/bullseye/grub-efi-amd64-signed which includes:
gcdx64.efi.signed
grubx64.efi.signed
The same questions that I had with the signed Shim package I also have with
the signed Grub package. What about the source code related to the signature?
Why isn't it already a part of the corresponding source code package?
Maybe it's not needed at all?
4) Finally, let's assume that a signature is not the same thing as a
binary program and thus we don't care about its source code...
4.1) Given: shimx64.efi.signed do you think it's good enough to download
these source packages?
https://packages.debian.org/source/bullseye/shim-signed
https://packages.debian.org/source/bullseye/shim
4.2) Given: grubx64.efi.signed do you think it's good enough to download
these source packages?
https://packages.debian.org/source/bullseye/grub-efi-amd64-signed
https://packages.debian.org/source/bullseye/grub2
The idea here is not to download all of the packages/source code that
you need to build non signed Debian's shim and grub packages on your own
(as I originally envisaged).
But rather I would say: "This is the upstream 'tarball' which
contains the source code for the binaries I have 'stolen' from Debian
GNU/Linux. Make sure to read/install their requirements
(debian/control) in order to build them."
Thank you for your insights.
--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
adrian15
--
Support free software. Donate to Super Grub Disk. Apoya el software libre. Dona a Super Grub Disk. http://www.supergrubdisk.org/donate/
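The thread boils down to two mechanical steps: fetch the source packages behind the signed shim/grub binaries (the bullseye package names adrian15 lists in 4.1 and 4.2), and then "follow the build-dependencies listed in debian/control" as Tollef says. The script below, added here as an illustration and not part of the thread or of any Debian package, does the bookkeeping for both: it parses a debian/control file (including continuation lines, alternatives, version relations, `:any` qualifiers and `[arch]` restrictions), picks the build packages that apply to a given architecture the way `apt-get build-dep` would, and emits the `apt-get source pkg/suite` commands. The control text is constructed for the example; the binary-to-source mapping is taken from the package names in the message above. Note what it deliberately does not do: it cannot reproduce the detached-signature step, which the thread says is performed by Microsoft (shim) or by Debian's signing machinery (grub), so the `.signed` files remain unreproducible from these sources alone.

```python
"""Map Debian Secure Boot signed binaries to the source packages that build
them, and parse Build-Depends from debian/control.  Added example, not code
from the mailing-list thread or from Debian; SAMPLE_CONTROL is constructed."""
import re

# Constructed debian/control (source stanza + one binary stanza); the field
# values are illustrative and do not describe the real shim-signed package.
SAMPLE_CONTROL = """\
Source: example-signed
Section: admin
Priority: optional
Maintainer: Example Maintainer <maintainer@example.invalid>
Build-Depends: debhelper-compat (= 13),
 sbsigntool [amd64 arm64] | pesign,
 openssl (>= 1.1.1),
 python3:any
Standards-Version: 4.5.1

Package: example-signed
Architecture: amd64
Depends: ${misc:Depends}
Description: constructed example binary package stanza
"""

# Signed binary file -> source packages named in the thread (bullseye).
SIGNED_BINARY_SOURCES = {
    "shimx64.efi.signed": ["shim-signed", "shim"],
    "grubx64.efi.signed": ["grub-efi-amd64-signed", "grub2"],
    "gcdx64.efi.signed": ["grub-efi-amd64-signed", "grub2"],
}


def parse_stanzas(text):
    """Split an RFC 822-style control file into a list of dicts, one per
    blank-line-separated stanza; lines starting with whitespace continue
    the previous field."""
    stanzas, current, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current, last = {}, None
            continue
        if line[0] in " \t" and last is not None:
            current[last] += "\n" + line.strip()
            continue
        key, _, value = line.partition(":")
        last = key.strip()
        current[last] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


# One dependency alternative: name[:qualifier] [(rel version)] [[archs]]
_DEP_RE = re.compile(
    r"""^(?P<name>[a-z0-9][a-z0-9+.\-]*)
        (?::(?P<arch_qual>[a-z0-9]+))?
        \s*(?:\((?P<rel>[<>=]+)\s*(?P<ver>[^)]+)\))?
        \s*(?:\[(?P<archs>[^\]]+)\])?$""",
    re.X,
)


def parse_build_depends(field):
    """Return a list of alternative groups (comma-separated clauses); each
    group is a list of dicts for the '|'-separated alternatives."""
    groups = []
    for clause in re.split(r",\s*", field.replace("\n", " ")):
        clause = clause.strip()
        if not clause:
            continue
        alternatives = []
        for alt in clause.split("|"):
            m = _DEP_RE.match(alt.strip())
            if not m:
                raise ValueError("unparseable dependency: %r" % alt)
            alternatives.append({
                "name": m.group("name"),
                "arch_qual": m.group("arch_qual"),
                "version": (m.group("rel"), m.group("ver").strip()) if m.group("ver") else None,
                "archs": m.group("archs").split() if m.group("archs") else None,
            })
        groups.append(alternatives)
    return groups


def _arch_allowed(archs, arch):
    """Architecture restriction lists are either all positive or all negated."""
    if archs is None:
        return True
    negated = [a[1:] for a in archs if a.startswith("!")]
    if negated:
        return arch not in negated
    return arch in archs


def build_packages_for(groups, arch="amd64"):
    """For each group pick the first alternative applicable to `arch`, as a
    resolver would; groups with no applicable alternative are skipped."""
    chosen = []
    for alts in groups:
        for alt in alts:
            if _arch_allowed(alt["archs"], arch):
                chosen.append(alt["name"])
                break
    return chosen


def source_fetch_commands(binaries, suite="bullseye"):
    """apt-get source commands (pkg/suite form) for the given signed binaries,
    de-duplicated while keeping order."""
    seen, cmds = set(), []
    for binary in binaries:
        for src in SIGNED_BINARY_SOURCES[binary]:
            if src not in seen:
                seen.add(src)
                cmds.append("apt-get source %s/%s" % (src, suite))
    return cmds


if __name__ == "__main__":
    groups = parse_build_depends(parse_stanzas(SAMPLE_CONTROL)[0]["Build-Depends"])
    print("build packages (amd64):", build_packages_for(groups, "amd64"))
    for cmd in source_fetch_commands(sorted(SIGNED_BINARY_SOURCES)):
        print(cmd)
```

Run it on a real `debian/control` by replacing SAMPLE_CONTROL with the file's contents; the `[arch]` handling is what makes the chosen build package differ between, say, amd64 and i386 when an alternative carries an architecture list.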