UEFI Secure Boot sprint report

To: debian-project@lists.debian.org
Subject: UEFI Secure Boot sprint report
From: Tollef Fog Heen <tfheen@debian.org>
Date: Sun, 29 Apr 2018 21:43:04 +0200
Message-id: <[🔎] 8736zdx0hj.fsf@err.no>
Mail-followup-to: debian-project@lists.debian.org

People from the FTP team, kernel team and DSA, as well as other
interested individuals met in Fulda, Germany for a sprint with the goal
of deciding and implementing the workflow for Secure Boot.

Participants
------------
* Ansgar Burchardt
* Joerg Jaspert
* Luke W. Faraone
* Ben Hutchings
* Tollef Fog Heen
* Helen Koike
* Philipp Hahn
* Julien Cristau [remote]
* Steve McIntyre [remote]

We had a long discussion about what requirements we had for the
signing process, whether that could happen inline in the regular build
process, if a human needed to be involved in the signing and how to
best handle embargoed builds.

In the end, we decided to have a signing service which will construct
a source package based on a "template" package and a list of files to
sign and upload this to be processed by the normal buildd and dak
processes. The signing service will also have an audit log which makes
it public what was signed and when.

Once this was agreed and various corner cases ironed out, we started
implementing the signing service, and the necessary changes in the
Linux kernel package, dak, fwupdate, shim and grub. The source for the
signing service can be found at
https://salsa.debian.org/ftp-team/code-signing.

By the end of the sprint, we were able to:
- generate a signing template for Linux kernel modules
- generate a signing template for shim
- generate a signing template for fwupdate
- have DAK detect such signing template packages automatically and
  generate a request for signing
- run the code of the signing box by hand to generate the source code
  packages containing the generated signatures

We're still missing (partially or completely):
- generate a signing template for GRUB2
- have DAK accept those generated source-only uploads

Acknowledgements
-------------------------
the sprint has been possible thanks to:
- the Office Factory for hosting us,
- donations to the Debian project for covering travel and
  accommodation costs for the sprint,
- Dropbox for sponsoring Luke's travel and accomodations,
- Technische Universität Dresden for sponsoring Ansgar's travel and
  accomodations, and
- Univention GmbH for sponsoring Philipp's travel and accomodations,

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

Reply to:

Follow-Ups:
- Re: UEFI Secure Boot sprint report
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>

Prev by Date: Re: Conflict escalation and discipline
Next by Date: Re: UEFI Secure Boot sprint report
Previous by thread: Re: Power-Management
Next by thread: Re: UEFI Secure Boot sprint report
Index(es):
- Date
- Thread