
Re: Debian Signed shim and grub images source code request



]] adrian15 

[snipping a bunch]

> But that's not my problem... you know.... this is Super Grub2 Disk and
> if I attach binaries from a third party (shimx64.efi.signed and 
> grubx64.efi.signed) I want to add their own source code.
> 
> And that's where Debian is not so good at giving me the source code of
> these two particular packages.

The source is what you get if you do apt-get source shim-signed.  This
will only get you the source for the signing-specific bits, though.  For
the rest, you need to follow build-dependencies.

> > [...]
> >
> > > In addition to this I think I need the source code of the tools that
> > > you use for:
> > > - Creating your CA
> >
> > There aren't any tools as such, it was done by running certutil by
> > hand.  https://en.altlinux.org/UEFI_SecureBoot_mini-HOWTO#Your_CA has
> > some steps that look quite reasonable.
>
> Ok. I was expecting the steps described there bundled into a script
> saved into the shim-signed source package.

shim-signed doesn't have access to any key material, so I don't know why
you expected that.

> You can take a look at:
> https://packages.debian.org/bullseye/shim-signed which includes:
> shimx64.efi.signed
> 
> As it is explained in https://wiki.debian.org/SecureBoot/Discussion it
> has two parts the 'classic binary' and the 'signature'.
> 
> I assume that the 'classic binary' build source code is found in the
> corresponding source package, which is
> https://packages.debian.org/source/bullseye/shim-signed .

No, the source code for the unsigned shim is in the «shim» source
package.  The signature comes from Microsoft and is considered its own
source code.  (Generating your own signed shim is trivial, but the key
it's signed by won't be trusted by the UEFI firmwares out in the world,
so it's not terribly useful).

> 2.1) How can Debian itself comply against their own DFSG guidelines if
> they are not supplying the source code of one of their binary parts?

Key material generally isn't considered source code, since providing
that alongside the source code would make the key material useless.

> 3) Signed Grub packages
> 
> You can take a look at:
> https://packages.debian.org/bullseye/grub-efi-amd64-signed which
> includes:
> gcdx64.efi.signed
> grubx64.efi.signed
> 
> The same questions that I had with signed Shim package I also have
> with signed Grub package. What about the source code related to the
> signature?
> Why isn't it already a part of the corresponding source code package?
> Maybe it's not needed at all?

Since we sign our own grub, we have a robot that acts when there is a
new unsigned grub in the archive and signs that using the Debian key.
Generating your own key is well-documented and trivial, and we provide
the software for the robot, but providing the key material itself would
render it useless, so we don't do that.

> 4) Finally, let's assume that a signature is not the same thing as a
> binary program and thus we don't care about its source code...

DFSG and how we think about freeness isn't about «binary programs»,
though.

> 4.1) Given: shimx64.efi.signed do you think it's good enough to
> download these source packages?
> 
> https://packages.debian.org/source/bullseye/shim-signed
> https://packages.debian.org/source/bullseye/shim
> 
> 4.2) Given: grubx64.efi.signed do you think it's good enough to
> download these source packages?
> 
> https://packages.debian.org/source/bullseye/grub-efi-amd64-signed
> https://packages.debian.org/source/bullseye/grub2

I'm quite reluctant to give you something resembling legal advice.  I
think you'd be in the clear if you do that, but I'm not a lawyer, and
certainly not yours, so you should either make that call yourself or in
consultation with somebody who is your lawyer.

> The idea here is not to download all of the packages/source code that
> you need to build non signed Debian's shim and grub packages on your
> own (as I originally envisaged).
> But rather than that I would say: "This is the upstream 'tarball' which
> contains the source code for the binaries I have 'stolen' from Debian
> GNU/Linux. Make sure to read/install their requirements (
> debian/control ) in order to build them."

You're not stealing anything, though.  I'd use «taken» or a similar more
neutral verb.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
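The reply above says that apt-get source shim-signed only yields the signing-specific bits and that the rest must be followed through the build-dependencies. The script below is an added example, not part of this mail thread and not a Debian tool: it parses a Build-Depends field into bare package names (dropping version constraints, architecture lists, build profiles and alternatives) and, when apt is present, fetches the source of the package and of each build-dependency. The sample Build-Depends line is constructed for illustration; the function and option names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): walk a Debian source package's
# build-dependencies so their sources can be collected alongside it.
# Requires deb-src entries in the apt sources for fetching to work.

# Turn a Build-Depends value into one bare package name per line.
# Drops version constraints "(...)", architecture lists "[...]",
# build profiles "<...>", ":native"/":any" qualifiers, and keeps only
# the first alternative of "a | b".
build_dep_names() {
    printf '%s\n' "$1" \
      | tr ',' '\n' \
      | sed -e 's/([^)]*)//g' -e 's/\[[^]]*\]//g' -e 's/<[^>]*>//g' \
            -e 's/|.*//' -e 's/:[[:alnum:]]*//' \
            -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
      | sed -e '/^$/d'
}

# Fetch the source of PACKAGE and of every build-dependency that has a
# source package. Only meaningful on a Debian system with apt available.
fetch_source_tree() {
    pkg="$1"
    deps=$(apt-cache showsrc "$pkg" | sed -n 's/^Build-Depends: //p' | head -n 1)
    apt-get source "$pkg"
    for dep in $(build_dep_names "$deps"); do
        apt-get source "$dep" || echo "no source package for $dep" >&2
    done
}

# Constructed sample field (not the real shim-signed Build-Depends).
SAMPLE_BUILD_DEPENDS='debhelper-compat (= 13), gnu-efi (>= 3.0.9), sbsigntool [amd64 arm64], libssl-dev | openssl, dos2unix <!nocheck>'

# "--fetch PACKAGE" does the real work where apt exists; otherwise show
# how the sample field is parsed.
if [ "${1:-}" = "--fetch" ] && command -v apt-get >/dev/null 2>&1; then
    fetch_source_tree "${2:-shim-signed}"
else
    build_dep_names "$SAMPLE_BUILD_DEPENDS"
fi
```

Keeping only the first alternative mirrors what a default build would pick; if you need every alternative's source, drop the `s/|.*//` expression and split on `|` as well. Note that apt-get source resolves a binary name to its source package, so duplicates are harmless but may fetch the same source more than once.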
