Secure boot signing infrastructure - feedback request

Ben Hutchings ben at decadent.org.uk
Mon Oct 9 13:01:15 UTC 2017 

On Thu, 2017-10-05 at 14:57 -0300, Helen Koike wrote:
> Hello all,
> 
> As you probably already know, Debian doesn't support the Secure Boot
> chain yet.
> To support it we need to sign Grub and the Kernel with our key, so we
> are discussing the best infrastructure for this workflow.
> 
> The first approach we had was to add a by-hand script in Dak as
> described here
> https://wiki.debian.org/SecureBoot#First_option:_by-hand_script_in_dak
> But this option wasn't well received by the ftpteam

I would like to know what the objection was.

> The second approach we have is to add some debhelper scripts (e.g
> dh_sign...) that will access a signing service which will sign the
> binaries with Debian's key.  We would use the dh_sign... helpers when
> making an extra binary package. buildd would then publish the -signed
> version of the package in the archives.
> Please see a more detailed explanation here
> https://wiki.debian.org/SecureBoot#Second_option:_use_buildd_.2B-_debhelper_instead_of_dak
> A current known issue with this approach is the NEW queue: it requires
> the maintainer to also upload binaries for an architecture on first
> upload, and these binaries are not rebuilt by the buildd ( see
> https://wiki.debian.org/SecureBoot#Issues ).

It also makes all these packages unreproducible, which is a policy
violation.

It also appears to mean that buildds can get anything signed on demand
with no human intervention at all, without all the checks that dak does
on uploads.  This seems to be to substantially raise the risk of
signing evil code and needing to revoke those signatures (or the
signing key).

Plus the reliability issues you pointed out on the wiki.

> I would like to know everyone's opinions about these approaches, if you
> agree to go forward with the second approach described above and how do
> we solve the NEW queue policy issue.

So far as I can see, the second approach is difficult, risky,
unreliable and leads to policy violations.

On the other side... there is an FTP team objection with no documented
explanation.

Ben.

-- 
Ben Hutchings
Humour is the best antidote to reality.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/pkg-grub-devel/attachments/20171009/1b6da0c2/attachment.sig>

More information about the Pkg-grub-devel mailing list