
Re: Bug#996202: EFI Secure Boot for systemd-boot
Hey folks,

On Mon, Mar 04, 2024 at 02:13:25AM +0000, Luca Boccassi wrote:
>On Fri, 19 Nov 2021 09:33:00 +0100 Bastian Blank <waldi@debian.org>
>wrote:
>> Hi
>> 
>> I'm rescinding this request.  I've got a working prototype, but I don't
>> know where this would go.
>> 
>> Bastian
>
>The upstream Shim reviewers group now accepts systemd-boot as a 2nd
>stage bootloader, trusted by Shim builds signed with the UEFI 3rd party
>CA. This clears the way for Debian's CA to sign systemd-boot, so I am
>reopening this bug.
>
>shim-review questionnaire update that allows systemd-boot:
>
>https://github.com/rhboot/shim-review/pull/357
>
>MR on Salsa to add the usual template package, adapted from Bastian's
>MR from a couple of years ago:
>
>https://salsa.debian.org/systemd-team/systemd/-/merge_requests/252
>
>Debian Shim maintainers, who do we need to seek approvals for this to
>happen? Shim maintainers first of course, anybody else? Release team?
>FTP team?

OK, I can see what you're doing with templating here, and it looks
clear and obvious. But: this seems to be for standalone systemd-boot
rather than UKI? I thought UKI was the preferred way forward?

I'm a little surprised to see you adding riscv64 stuff - AFAIK there's
nobody (yet) providing any root CA for riscv64? We certainly haven't
done anything with it in Debian yet.

What's your plan for installing as the secondary boot loader for shim
to call?

Modulo those questions, let's talk infrastructure. Off the top of my
head, in no particular order...

  * We'll need to create a new intermediate signing cert for
    systemd-boot (and another for UKI, I guess). Given recent
    discussions about changing the way we build and sign kernels, we
    should also generate a new signer cert for those too. And if we're
    going that far, we may as well generate a complete new set of 2024
    certs. [Sorry, rabbit hole. :-)] We'll need to talk to DSA about
    doing this piece.

  * We'll probably need to add things to the signing setup for
    ftp-master. Nothing earth-shattering, just some config to
    recognise the new set of packages IIRC. I'm sure Bastian can
    manage this. :-)

  * Are people from the team ready to deal with long-term security
    support for the systemd-boot chain?

That's all I can think of for now, but I wouldn't be surprised if more
comes to mind tomorrow... :-)

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
Into the distance, a ribbon of black
Stretched to the point of no turning back