
Re: Debian Signed shim and grub images source code request



On 11/12/22 at 21:12, Tollef Fog Heen wrote:
> ]] adrian15
>
> [snipping a bunch]
>
>> But that's not my problem... you know.... this is Super Grub2 Disk and
>> if I attach binaries from a third party (shimx64.efi.signed and
>> grubx64.efi.signed) I want to add their own source code.
>>
>> And that's where Debian is not so good at giving me the source code of
>> these two particular packages.
>
> The source is what you get if you do apt-get source shim-signed.  This
> will only get you the source for the signing-specific bits, though.  For
> the rest, you need to follow build-dependencies.

Ok. That's what I was suspecting, and why I added, down below, the download of more source packages.

[...]

>> In addition to this I think I need the source code of the tools that
>> you use for:
>> - Creating your CA
>
> There aren't any tools as such, it was done by running certutil by
> hand. https://en.altlinux.org/UEFI_SecureBoot_mini-HOWTO#Your_CA has
> some steps that look quite reasonable.
>
>> Ok. I was expecting the steps described there bundled into a script
>> saved into the shim-signed source package.
>
> shim-signed doesn't have access to any key material, so I don't know why
> you expected that.

I expected that because you need a key to build the final binary (classic-binary + signature). But, yeah, you actually do not need it because an external tool (with an external key) signs it so... you are right.

>> You can take a look at:
>> https://packages.debian.org/bullseye/shim-signed which includes:
>> shimx64.efi.signed
>>
>> As it is explained in https://wiki.debian.org/SecureBoot/Discussion it
>> has two parts, the 'classic binary' and the 'signature'.
>>
>> I assume that the 'classic binary' build source code is found in the
>> corresponding source package, which is
>> https://packages.debian.org/source/bullseye/shim-signed .
>
> No, the source code for the unsigned shim is in the «shim» source
> package.

I was suspecting that shim was the actual source package. Nice.

> The signature comes from Microsoft and is considered its own
> source code.  (Generating your own signed shim is trivial, but the key
> it's signed by won't be trusted by the UEFI firmwares out in the world,
> so it's not terribly useful).

Yeah, makes sense.

>> 2.1) How can Debian itself comply with their own DFSG guidelines if
>> they are not supplying the source code of one of their binary parts?
>
> Key material generally isn't considered source code, since providing
> that alongside the source code would make the key material useless.

If key material is not source code then it simplifies things for me.
>> 3) Signed Grub packages
>>
>> You can take a look at:
>> https://packages.debian.org/bullseye/grub-efi-amd64-signed which
>> includes:
>> gcdx64.efi.signed
>> grubx64.efi.signed
>>
>> The same questions that I had with the signed Shim package I also have
>> with the signed Grub package. What about the source code related to the
>> signature?
>> Why isn't it already a part of the corresponding source code package?
>> Maybe it's not needed at all?
>
> Since we sign our own grub, we have a robot that acts when there is a
> new unsigned grub in the archive and signs that using the Debian key.
> Generating your own key is well-documented and trivial, and we provide
> the software for the robot, but providing the key material itself would
> render it useless, so we don't do that.

I understand.

>> 4) Finally, let's assume that a signature is not the same thing as a
>> binary program and thus we don't care about its source code...
>
> DFSG and how we think about freeness isn't about «binary programs»,
> though.

Not sure what you mean by this sentence, but it's ok if you don't divert into that explanation because I'm more concerned with the technical side of things right now.

>> 4.1) Given: shimx64.efi.signed do you think it's good enough to
>> download these source packages?
>>
>> https://packages.debian.org/source/bullseye/shim-signed
>> https://packages.debian.org/source/bullseye/shim
>>
>> 4.2) Given: grubx64.efi.signed do you think it's good enough to
>> download these source packages?
>>
>> https://packages.debian.org/source/bullseye/grub-efi-amd64-signed
>> https://packages.debian.org/source/bullseye/grub2
>
> I'm quite reluctant to give you something resembling legal advice.  I
> think you'd be in the clear if you do that, but I'm not a lawyer, and
> certainly not yours, so you should either make that call yourself or in
> consultation with somebody who is your lawyer.

Ok, I understand your reply.

>> The idea here is not to download all of the packages/source code that
>> you need to build non-signed Debian shim and grub packages on your
>> own (as I originally envisaged).
>> But rather than that I would say: "This is the upstream 'tarball' which
>> contains the source code for the binaries I have 'stolen' from Debian
>> GNU/Linux. Make sure to read/install their requirements (
>> debian/control ) in order to build them."
>
> You're not stealing anything, though.  I'd use «taken» or a similar more
> neutral verb.

It seems I am too used to seeing 'stolen from ...' many times in a lot of source code from open source projects. :)

Good idea suggesting using 'taken' instead of 'stolen'.


Thank you very much for your feedback!

Now I will be able to focus on my Secure Boot implementation on Super Grub2 Disk.

adrian15
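The thread's practical advice is that `apt-get source shim-signed` only yields the signing-specific bits, and that the rest has to be collected by following the Build-Depends of each source package's debian/control. The script below is an added example, not code from this thread, from Debian, or from Super Grub2 Disk: it parses the Build-Depends field of a debian/control file into bare package names so each can be handed to `apt-get source`. The sample control file, and every package name in it (example-signed, example-unsigned, example-alt), are constructed for the example; the commands are printed rather than run so it works offline.

```shell
#!/bin/sh
# Added example (not Debian's tooling): list the package names declared in
# Build-Depends of a debian/control file, one per line, so that each can be
# fetched with "apt-get source <name>" to follow the build-dependency chain.

# Handles indented continuation lines of the field, strips version
# constraints "(...)", architecture lists "[...]" and build profiles "<...>",
# and emits both sides of an "a | b" alternative. Build-Depends-Indep is
# deliberately not matched (the trailing ':' in the pattern excludes it).
build_deps_from_control() {
    awk '
        /^Build-Depends:/ { infield = 1; sub(/^Build-Depends:/, ""); buf = $0; next }
        infield && /^[ \t]/ { buf = buf " " $0; next }
        infield { infield = 0 }
        END { print buf }
    ' "$1" |
    tr ',' '\n' |
    sed -e 's/([^)]*)//g' -e 's/\[[^]]*]//g' -e 's/<[^>]*>//g' |
    tr '|' '\n' |
    sed -e 's/^ *//' -e 's/ *$//' |
    grep -v '^$'
}

# Constructed sample control file with hypothetical package names; it is not
# the real shim-signed or grub-efi-amd64-signed control file.
SAMPLE_CONTROL="$(mktemp)"
trap 'rm -f "$SAMPLE_CONTROL"' EXIT
cat > "$SAMPLE_CONTROL" <<'EOF'
Source: example-signed
Section: admin
Priority: optional
Maintainer: Example Maintainer <maintainer@example.org>
Build-Depends: debhelper-compat (= 13),
 example-unsigned (>= 1.0) | example-alt,
 sbsigntool [amd64 arm64],
 openssl <!nocheck>
Standards-Version: 4.6.0

Package: example-signed
Architecture: amd64
Depends: ${misc:Depends}
Description: constructed example package
 Only here so the parser above has a complete stanza to read.
EOF

# Print the "apt-get source" commands to run next (apt-get source accepts a
# binary package name and resolves it to its source package).
build_deps_from_control "$SAMPLE_CONTROL" |
    while read -r pkg; do
        printf 'apt-get source %s\n' "$pkg"
    done
```

Running the printed commands in a directory with deb-src lines enabled pulls the corresponding source packages; the list is a starting point that still needs a human to decide which entries (here, a build helper like debhelper-compat) are really part of what the shipped binaries were built from.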


