[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Problems with shim and shim-signed in unstable, and proposed solutions to unblock us

[ Note CCs to multiple lists - we know multiple groups of people have
  an interest in this... ]

Hi folks,

We have issues with the setup of the shim and shim-signed packages in
unstable at the moment, which is quite awkward to fix. See #922179 for
the original bug report.

shim and shim-signed have an ... awkward relationship, which causes us
multiple problems at the moment.
    1. shim is the primary source package, building one binary package
       which included several EFI binaries - the shimx64.efi binary
       itself, plus two helpers (fbx64.efi.signed and

    2. shimx64.efi is the EFI binary that is submitted to Microsoft
       for signing - it's the core of our Secure Boot implementation
       (like all Linux distros)
    2b. The MS-signed binary (shimx64.efi.signed) is shipped in the
        shim-signed source package and passed through to the
        shim-signed binary package
    2c. The shim-signed source package validates that the binary
        matches what we built in shim, and checks the signature

    3. For $reasons, the existing shim-signed binary package has a
       strict versioned dependency on the shim binary package to pull
       in the helper binaries for installation. We are very much
       planning on fixing this, but this is the historical setup.

    4. As requested, Steve Langasek uploaded a new upstream version of
       shim to unstable (15+1533136590.3beb971-2, which is there right

    5. Until we get an MS signature on a new shim binary, we will
       *not* have a matching shim-signed binary package, so for now we
       still have the *old* (1.28+nmu1+0.9+1474479173.6c180c6-1)
       shim-signed binary and source in unstable.

    6. Everything works OK right now in buster, but...

    7. Right now, shim-signed is not installable in sid, which means that:
    7a. People can't test SB in unstable
    7b. (Worse) as shim-signed is a build-dep for d-i on amd64 (to be
        able to make SB-compatible installer images) we currently
        can't build d-i

    8. We don't have an ETA for a new signature from MS which would
       unblock us. At *best*, we're expecting a few weeks. It's out of
       our control.

FTAOD: this dependency problem has been here as a time bomb ever since
day 1 of shim in Debian. We just haven't ever noticed as nobody was
using these packages until very recently. Apologies for not spotting
the problem before we uploaded newer versions and triggered
this. AFAIK Ubuntu have got away with a very similar configuration due
to a different archive setup.

We're planning on redoing the packaging to get away from these
problems ASAP so this problem will not recur. However, fixing things
cleanly now is not easy:
     1. We can't simply re-upload a new shim source package to get a
        new shim binary with the same version number as the old one
     2. The old version of the shim binary package is encoded in the
        dependencies of the shim-signed binary package
     3. We cannot reproduce the shimx64.efi EFI binary if we rebuild
        it today (Cyril has tried multiple ways), so we *cannot*
        simply upload a new shim source package and hope...

So, we're looking at three hacky options options here to work our way
out of this hole. In (probably?) descending order of hackitude:
    1. Ask the nice ftpmaster people to bodge the archive by hand:
    1a. Remove the current shim source and binary packages from
        unstable (version 15+1533136590.3beb971-2)
    1b. Copy the older source and binary from buster back into
        unstable for us.
    1c. We're not even sure if this is *possible*, let alone a nice
        thing to do - thoughts?
    1d. Expecting that this might break all kinds of tools inside and
        outside of the archive maybe?
    2. Upload new bodged versions of shim and shim-signed to get us
       back to working with the previously-signed shimx64.efi.signed
    2a. Create new shim and shim-signed source packages, along with
        matching binary packages.
    2b. These binary packages will contain the *exact* same EFI
        binaries as we have in buster but with a higher version number
        in the packaging.
    2c. As we cannot *exactly* reproduce the binaries sensibly, we
        will have to hand-hack the contents of the binary packages.
    2d. We *know* this is grotty too, but we can at least make this
        work entirely at a package level.
    2e. Already tested and working: Cyril has built packages like this
        and I have tested the results successfully on my test SB
        system here.

        Current versions in buster:
         - shim:
            - source: 0.9+1474479173.6c180c6-1
            - binary: 0.9+1474479173.6c180c6-1
         - shim-signed:
            - source: 1.28+nmu1
            - binary: 1.28+nmu1+0.9+1474479173.6c180c6-1

        Possible versions targetting sid:
         - shim:
             - source: 16+1474479173.6c180c6-1 (bumped “epoch-like” N+
               prefix, but same contents as 0.9+1474479173.6c180c6-1)
             - binary: 16+1474479173.6c180c6-1
         - shim-signed:
             - source: 1.28+nmu2 (new upload to adjust the Depends)
             - binary: 1.28+nmu2+16+1474479173.6c180c6-1


    3. Upload new version of the shim-signed source package and a
       (lightly) bodged binary package
    3a. Use versions:
             - source: 1.28+nmu2
             - binary: 1.28+nmu2+0.9+1474479173.6c180c6-1
    3b. Needs as build-deps an old version of sbsigntool (0.6-3.2) and
        specifically version 0.9+1474479173.6c180c6-1 of shim in the
        build chroot
    3c. Then upload source+amd64
    3d. New shim-signed binary package changes in a few ways:
        * new version of the binary now include fbx64.efi.signed and
          mmx64.efi.signed (copied across from the shim binary package)
        * add Replaces: shim (= 0.9+1474479173.6c180c6-1) so we don't
          conflict on those binaries
        * remove Depends: shim (the whole point!)
        * change Build-Depends to list the specific versions used for
          shim and sbsigntool
    3e. Already tested and working. I built this (source and binary
        debdiffs attached) and tested OK on SB system
    3f. This package is instantly RC-buggy due to the unavailable
        build-deps. We know...
I'm deliberately notifying a number of likely interested teams here
about this problem and our three suggested solutions, so we can get
feedback and work out the best way forwards. If somebody else can
think of a better solution than any of our three suggestions, we'd
love to hear it!

As I said, we'll be uploading new packages with a better relationship
to fix this problem for future versions. That will become even more
important as we extend SB support to more than simply amd64
systems. shim is now designed to build reproducibly, which will also
help us to avoid/work around any similar issues in future. We will
also be integrating support for Debian's new signing service (to sign
the helper binaries in a better manner).

So, please - what do you think?

Steve McIntyre, Cambridge, UK.                                steve@einval.com
"Further comment on how I feel about IBM will appear once I've worked out
 whether they're being malicious or incompetent. Capital letters are forecast."
 Matthew Garrett, http://www.livejournal.com/users/mjg59/30675.html
(buster-amd64-devel)kibi@armor:~/work/bsp/secure-boot/redo$ (debdiff shim_*.dsc; echo; echo =====; echo; debdiff shim_*.deb; echo; echo ====; echo; debdiff shim-signed_*.dsc; echo; echo ====; echo; debdiff shim-signed_*.deb) 2>/dev/null
diff -Nru shim-0.9+1474479173.6c180c6/debian/changelog shim-16+1474479173.6c180c6/debian/changelog
--- shim-0.9+1474479173.6c180c6/debian/changelog	2016-10-15 13:17:34.000000000 +0000
+++ shim-16+1474479173.6c180c6/debian/changelog	2019-03-03 20:54:44.000000000 +0000
@@ -1,3 +1,17 @@
+shim (16+1474479173.6c180c6-1) unstable; urgency=medium
+  * Re-upload 0.9+1474479173.6c180c6-1 with a version number that's higher
+    than 15+1533136590.3beb971-1, superseding the version currently in
+    unstable that has no matching shim-signed packages with updated
+    signatures (See: #922179).
+  * The shim binary package isn't actually getting rebuilt with this upload,
+    as it cannot be built reproducibly; this would invalidate the signature
+    shipped in the shim-signed package. So this new source package is
+    accompanied by the old binary package (from 0.9+1474479173.6c180c6-1),
+    repacked as a newer version (16+1474479173.6c180c6-1).
+ -- Cyril Brulebois <kibi@debian.org>  Sun, 03 Mar 2019 20:54:44 +0000
 shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium
   [ Steve Langasek ]


File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
Version: [-0.9+1474479173.6c180c6-1-] {+16+1474479173.6c180c6-1+}


diff -Nru shim-signed-1.28+nmu1/debian/changelog shim-signed-1.28+nmu2/debian/changelog
--- shim-signed-1.28+nmu1/debian/changelog	2018-11-04 07:09:26.000000000 +0000
+++ shim-signed-1.28+nmu2/debian/changelog	2019-03-03 20:57:35.000000000 +0000
@@ -1,3 +1,14 @@
+shim-signed (1.28+nmu2) unstable; urgency=medium
+  * Update dependency to the repacked, old version of shim, fixing
+    installability issues. Closes: #922179.
+  * This package isn't actually rebuilt against the repacked shim as tooling
+    changed a bit (regarding how packing is handled), so the old shim-signed
+    binary (1.28+nmu1+0.9+1474479173.6c180c6-1) is repacked as well,
+    updating the following fields: Depends, Source, Version.
+ -- Cyril Brulebois <kibi@debian.org>  Sun, 03 Mar 2019 20:57:35 +0000
 shim-signed (1.28+nmu1) unstable; urgency=medium
   * Non-maintainer upload.


File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
Depends: debconf (>= 0.5) | debconf-2.0, shim (= [-0.9+1474479173.6c180c6-1),-] {+16+1474479173.6c180c6-1),+} grub-efi-amd64-bin, grub2-common (>= 2.02~beta2-36ubuntu12), mokutil
Source: shim-signed [-(1.28+nmu1)-] {+(1.28+nmu2)+}
Version: [-1.28+nmu1+0.9+1474479173.6c180c6-1-] {+1.28+nmu2+16+1474479173.6c180c6-1+}

No differences were encountered between the postinst files

No differences were encountered between the postrm files

No differences were encountered between the templates files

No differences were encountered between the triggers files
diff -Nru shim-signed-1.28+nmu1/Makefile shim-signed-1.28+nmu2/Makefile
--- shim-signed-1.28+nmu1/Makefile	2018-11-04 07:09:26.000000000 +0000
+++ shim-signed-1.28+nmu2/Makefile	2019-03-03 22:27:43.000000000 +0000
@@ -9,6 +9,8 @@
 	cp /usr/lib/shim/shimx64.efi build/shimx64.efi.signed
 	sbattach --attach build/detached-sig build/shimx64.efi.signed
 	cmp shimx64.efi.signed build/shimx64.efi.signed
+	cp /usr/lib/shim/fbx64.efi.signed build
+	cp /usr/lib/shim/mmx64.efi.signed build
 	rm -rf build
diff -Nru shim-signed-1.28+nmu1/debian/changelog shim-signed-1.28+nmu2/debian/changelog
--- shim-signed-1.28+nmu1/debian/changelog	2018-11-04 07:09:26.000000000 +0000
+++ shim-signed-1.28+nmu2/debian/changelog	2019-03-03 22:33:41.000000000 +0000
@@ -1,3 +1,16 @@
+shim-signed (1.28+nmu2) unstable; urgency=medium
+  * Non-maintainer upload.
+  * Copy the helper binaries from the shim binary so that we no longer
+    need to depend on it. See #922179 for more details. Add a Replaces:
+    shim and to allow us to over-write binaries there.
+  * Explicitly uploading in a chroot with older binaries installed for
+    shim and sbsigntool, and update Build-Depends to point to those
+    speficic versions. This package will *not* function with other
+    versions installed.
+ -- Steve McIntyre <93sam@debian.org>  Sun, 03 Mar 2019 22:33:41 +0000
 shim-signed (1.28+nmu1) unstable; urgency=medium
   * Non-maintainer upload.
diff -Nru shim-signed-1.28+nmu1/debian/control shim-signed-1.28+nmu2/debian/control
--- shim-signed-1.28+nmu1/debian/control	2018-11-04 07:09:26.000000000 +0000
+++ shim-signed-1.28+nmu2/debian/control	2019-03-03 22:33:41.000000000 +0000
@@ -2,12 +2,19 @@
 Section: utils
 Priority: optional
 Maintainer: Steve Langasek <vorlon@debian.org>
-Build-Depends: debhelper (>= 9), shim, sbsigntool (>= 0.6-0ubuntu4), po-debconf
+Build-Depends: debhelper (>= 9),
+# Need shim version 0.9+1474479173.6c180c6-1 so we can check the
+# signature on the right version of shim
+ shim (= 0.9+1474479173.6c180c6-1),
+# sbsigntool version 0.6-3.2 (newer versions do different things with
+# padding and the signatures don't match correctly)
+ sbsigntool (= 0.6-3.2), po-debconf
 Standards-Version: 3.9.4
 Package: shim-signed
 Architecture: amd64
-Depends: ${misc:Depends}, shim (= ${shim:Version}), grub-efi-amd64-bin, grub2-common (>= 2.02~beta2-36ubuntu12), mokutil
+Depends: ${misc:Depends}, grub-efi-amd64-bin, grub2-common (>= 2.02~beta2-36ubuntu12), mokutil
+Replaces: shim (= ${shim:Version})
 Recommends: secureboot-db
 Built-Using: shim (= ${shim:Version})
 Description: Secure Boot chain-loading bootloader (Microsoft-signed binary)
diff -Nru shim-signed-1.28+nmu1/debian/rules shim-signed-1.28+nmu2/debian/rules
--- shim-signed-1.28+nmu1/debian/rules	2018-11-04 07:09:26.000000000 +0000
+++ shim-signed-1.28+nmu2/debian/rules	2019-03-03 22:33:41.000000000 +0000
@@ -8,6 +8,11 @@
 docdir := debian/shim-signed/usr/share/doc/shim-signed
+	dh_install
+	cp /usr/lib/shim/fbx64.efi.signed debian/shim-signed/usr/lib/shim
+	cp /usr/lib/shim/mmx64.efi.signed debian/shim-signed/usr/lib/shim
 	# Quieten lintian, which otherwise gets confused by our odd version
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .deb but not in first
-rw-r--r--  root/root   /usr/lib/shim/fbx64.efi.signed
-rw-r--r--  root/root   /usr/lib/shim/mmx64.efi.signed

Control files: lines which differ (wdiff format)
Depends: debconf (>= 0.5) | debconf-2.0, [-shim (= 0.9+1474479173.6c180c6-1),-] grub-efi-amd64-bin, grub2-common (>= 2.02~beta2-36ubuntu12), mokutil
Installed-Size: [-1186-] {+2399+}
{+Replaces: shim (= 0.9+1474479173.6c180c6-1)+}
Source: shim-signed [-(1.28+nmu1)-] {+(1.28+nmu2)+}
Version: [-1.28+nmu1+0.9+1474479173.6c180c6-1-] {+1.28+nmu2+0.9+1474479173.6c180c6-1+}

Attachment: signature.asc
Description: PGP signature

Reply to: