[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Reverted changes on https://wiki.debian.org/SecureBoot

Hi Steve,
  1. No worries. Thank you for reviewing my changes as well. This is my first honest to goodness contribution to the Debian community and I was worried yesterday when the changes went live immediately.

  2. Quick question: about the x509 chain of trust investigation I added, do you know where I should upstream the knowledge for those who want to spin a SB CA and cert from their existing chain (e.g. company private CA -->  spin MOK CA --> spin MOK key + cert?
    1. This knowledge is suitable for those who maintain multiple different fleets of SB computing hardware where a MOK CA cert is a lot easier to maintain compared to generating root CA for each machine as guided in wiki.
    2. Given the fact that wiki caters for all levels of users, x509 itself and its maintenance is already complicated to do it securely, I really do not want to complicate Debian user experience. In the worst case scenario, I can write a technical paper and upload to Zenodo to preserve the knowledge if that's needed. Please advise.
    3. List of data I tested:
      1. ED25519 x509 implementation investigation - verdict: ED25519 is not supported.
      2. The issuer-subject must be SHAX-RSA2048 matter (is this a bug?) - verdict: Stick to using RSA2048. SHA256 and SHA512 hashers were tested working.
      3. The steps to chain ED25519 upstream into RSA2048 MOK CA
      4. The minimal x509 configurations for MOK CA and MOK cert

  3. As for the upgrade instructions part, understood and duly noted. Will cross-check the shim-signed and grub-efi-amd64-signed deb packages with the data here later. I was coming from the debootstrap minimal-base path complying to https://wiki.debian.org/DontBreakDebian.

  4. Also, the strict "--bootloader-id=debian" condition where if it is changed to something else, the shimx64.efi failed to locate /boot/grub.cfg. Is this behavior a bug or expected limitation from signed shim?
Thanks in adv!

Regards,
Holloway

ZORALab Enterprise (002599169-M)
Through Knowledge With Serve

____________________________________________________________
If you are not the intended recipient, please contact the sender immediately and delete all copies. The sender holds zero liability for any damages caused. If the content is digitally and cryptographically signed and/or encrypted by GNU Privacy Guard (GPG) key, please seek out the public key with the sender email at https://www.zoralab.com/pubkey.gpg


On Mon, Aug 15, 2022 at 8:52 PM Steve McIntyre <93sam@debian.org> wrote:
Hi!

I'm one of the members of the EFI team in Debian, responsible for
most of the UEFI packages in Debian, including shim.

I've backed out the changes you've made to the SecureBoot page here,
as I believe them to be misleading, overly-complicated and potentially
dangerous for users to follow.

To switch from a non-SB setup to a SB setup does not need people to
use a live image. Suggesting that people should clear the contents of
/boot/efi is both needless and *dangerous* - it will break any
dual-boot systems, for example. There's also no need to run
grub-install manually, and that may cause further issues.

The *right* way to switch (if needed), is simple. From a running
system:

$ sudo apt-get install shim-signed grub-efi-amd64-signed

That should do everything that's needed. If you find any places where
that does *not* work, please file bugs.

If you want to talk about issues here, please follow up on the
debian-efi mailing list (in CC).

--
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"When C++ is your hammer, everything looks like a thumb." -- Steven M. Haflich




Reply to: