[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

RE: UEFI Revocation List being distributed by Debian

> -----Original Message-----
> From: Steve Langasek <vorlon@debian.org>
> Sent: Friday, May 8, 2020 3:35 PM
> To: Limonciello, Mario
> Cc: debian-legal@lists.debian.org
> Subject: Re: UEFI Revocation List being distributed by Debian
> Hi Mario,
> On Thu, May 07, 2020 at 02:25:41AM +0000, Mario.Limonciello@dell.com wrote:
> > Hello,
> > Recently there has been a discussion within upstream fwupd to start
> > including the UEFI dbx revocation list directly with the fwupd package.
> > During the code review for this as part of reviewing the terms included
> > with it there are concerns if this would fit within the DFSG.  Would it be
> > possible to request a review of these terms to determine if this is
> > appropriate to distribute in Debian?
> > https://uefi.org/revocationlistfile
> > Furthermore, if it is not acceptable to distribute this raw data in
> > Debian, one of the options being considered is to programmatically
> > re-generate a list of invalid hashes but without the signatures in the
> > original file.  Would that be acceptable to distribute in Debian instead?
> First, the license is not an end-user license and if someone chooses to
> agree to the license as part of downloading, this appears to only be binding
> on the downloader; it is not a license that must be included in the
> redistribution to users (as debian/copyright).
> Second, the following URL is accessible without affirmatively agreeing to
> the license.
>   http://www.uefi.org/sites/default/files/resources/dbxupdate.zip
> Third, the contents of this file are a non-copyrightable list of statements
> of mathematical facts.  Distribution of this file is not subject to
> copyright law.
> I don't think there is any issue with Debian distributing this file.

If this similar sentiment is agreed upon others in this list I think it makes
most sense to create a new package for this.  I don't feel it should be distributed
as part of fwupd, just like Ubuntu distributes it as part of secureboot-db.

> FWIW Ubuntu already distributes this file in the secureboot-db package.  I
> do not think that Ubuntu would want to enable updates of the revocation list
> via the fwupd package since revocations could in principle impact the
> bootability of the system (if the dbx update included a hash of Ubuntu's
> shim, or Ubuntu's signing key).  dbx updates should be carefully managed in
> conjunction with updates to the bootloader itself, which the tighter
> coupling of a directly-managed native package gives us.  I think similar
> reasoning would apply for Debian.

You might have missed the previous intent discussed earlier in the thread.
There is no intent for fwupd enabling the updated of the revocation list.
The intent was to compare whether the firmware already contains everything
in the latest revocation list to notify the user if items are missing as part
of an upcoming security measurement feature.

I completely agree the revocation list needs to be rolled out in tandem with
updated bootloaders should the need arise.

Reply to: