• Shim and secure boot status, leading up to bookworm

    From Steve McIntyre@21:1/5 to All on Wed Jan 25 19:20:02 2023
    XPost: linux.debian.kernel, linux.debian.maint.boot

    Hey all!

    Here's a status update and plans for SB and shim. If any of this is
    unclear or you have doubts, please say!

    We currently have *signed* shim *15.4* packages in the archive, for
    all of buster, bullseye, bookworm and sid. That works OK at the
    moment, but is getting old (July 2021) and needs updating soonish.

    I uploaded shim *15.6* in July 2022 and we attempted to get that
    signed too. Reviews were positive, but due to process problems around
    Microsoft uploads and then a long delay on getting a needed EV
    certificate renewed we never managed to get that signed. :-(

    The MS and cert issues are now both resolved, and I'm now working on a
    shim *15.7* upload. There's a little more work and testing to do, but
    I'm not far off. Yay?

    However, there are a couple of caveats to this...

    SBAT update
    -----------

    The new shim build will need to block SB execution of older grub
    builds (anything with an SBAT level for grub.debian < 4). The oldest
    builds that will continue to work are:

    * 2.06-6 (unstable/bookworm)
    * 2.06-3~deb11u5 (bullseye)
    * 2.06-3~deb10u3 (buster)

    This is hopefully not unexpected, but I'm sharing here to be 100%
    clear. I'm planning on doing shim 15.7 builds for bullseye and buster
    again, so these all matter here.

    NX
    --

    At the end of November 2022 (while unable to get anything signed) we
    passed a deadline; new shims since that point must be built with NX
    support enabled, and flagged as such. This extra hardening should
    improve security more, so it's not a bad thing in general.

    *However*, it does have consequences - once shim is loaded by UEFI
    firmware and started with NX enabled, all the UEFI binaries downstream
    of it *also* have to support NX as well. Patches for grub and linux
    are under discussion at the moment, but AFAIK not yet released; I need
    to check on the status of fwupd-efi too.

    What does this mean for us?

    * Older machines with older firmware will continue to work just fine.

    * New-enough machines with firmware that enables NX will fail to boot
    until we get full NX support through our boot chain. :-( There's a
    mitigating factor here: *such* new machines may already reject our
    older signed binaries anyway.

    We're stuck in a bad situation here I'm afraid; I think the only
    sensible way is forward, applying NX patches as soon as they're
    ready.

    Thoughts?

    --
    Steve McIntyre, Cambridge, UK.                                steve@einval.com
    "Yes, of course duct tape works in a near-vacuum. Duct tape works
    anywhere. Duct tape is magic and should be worshipped."
    -- Andy Weir, "The Martian"

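    Two checks a boot-chain maintainer would want to run on a grub or kernel EFI binary before rolling out a shim like the one described in this post: whether its SBAT generation numbers would be revoked by a given SBAT policy (the "grub.debian < 4" rule above), and whether its PE header sets the NX_COMPAT flag that an NX-enabled shim expects downstream binaries to carry. This is an added example, not code from the post or from Debian's shim/grub packaging. The SBAT strings, the SbatLevel policy line and the minimal PE header built by `make_fake_pe` are all constructed for illustration; the generation numbers for the constructed "2.06-5" entry are an assumption and not a statement about the real package.

```python
"""Check a UEFI boot component against an SBAT policy and for NX_COMPAT.
Added example; sample SBAT lines, policy and PE bytes are constructed."""
import struct

# IMAGE_DLLCHARACTERISTICS_NX_COMPAT bit in the PE optional header.
NX_COMPAT = 0x0100


def parse_sbat_csv(text):
    """Parse a .sbat section (or an SbatLevel policy) into {component: generation}.
    Each line is 'component,generation[,...]'; the leading 'sbat,1,...' header
    line is kept like any other entry."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(",")
        if len(fields) < 2:
            raise ValueError("malformed SBAT line: %r" % raw)
        entries[fields[0]] = int(fields[1])
    return entries


def sbat_verdict(binary_sbat, policy):
    """Return (allowed, reason). A binary is blocked if any component it
    names carries a generation lower than the policy's minimum for that
    component; components the policy does not mention are unaffected."""
    binary = parse_sbat_csv(binary_sbat)
    minimums = parse_sbat_csv(policy)
    for component, have in binary.items():
        need = minimums.get(component)
        if need is not None and have < need:
            return False, "%s generation %d < required %d" % (component, have, need)
    return True, "all SBAT generations satisfy the policy"


def pe_nx_compat(data):
    """Return True if a PE image sets IMAGE_DLLCHARACTERISTICS_NX_COMPAT.
    Handles PE32 (magic 0x10b) and PE32+ (0x20b): DllCharacteristics sits at
    offset 70 of the optional header in both layouts."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B) or opt_size < 72:
        raise ValueError("unsupported optional header")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return bool(dll_chars & NX_COMPAT)


def make_fake_pe(nx):
    """Build a minimal PE32+ header with no sections, purely for testing.
    Constructed; not a real EFI binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew -> PE signature
    # Machine (x86-64), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0002)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    struct.pack_into("<H", opt, 70, NX_COMPAT if nx else 0)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed sample data. The policy follows the post: grub.debian must be
# at generation 4 or later, which 2.06-6 is. The "2.06-5" entry at generation 3
# is an assumed older build used only to show a revocation.
POLICY = "sbat,1,2023012500\nshim,2\ngrub,3\ngrub.debian,4\n"
GRUB_NEW = ("sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
            "grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
            "grub.debian,4,Debian,grub2,2.06-6,https://tracker.debian.org/pkg/grub2\n")
GRUB_OLD = GRUB_NEW.replace("grub.debian,4,Debian,grub2,2.06-6",
                            "grub.debian,3,Debian,grub2,2.06-5")

if __name__ == "__main__":
    for name, sbat in (("grub 2.06-6", GRUB_NEW), ("grub 2.06-5", GRUB_OLD)):
        ok, why = sbat_verdict(sbat, POLICY)
        print("%s: %s (%s)" % (name, "boots" if ok else "BLOCKED", why))
    for nx in (True, False):
        print("NX_COMPAT set:", pe_nx_compat(make_fake_pe(nx)))
```

    On a real system the `.sbat` text would come from `objcopy -O binary --only-section=.sbat` on the EFI binary and the policy from the firmware's SbatLevel variable; the two functions take the resulting strings and bytes directly, so the same checks can be scripted across every signed binary in the chain before an NX-enabled shim is deployed.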
  • From Jeremy Hall@21:1/5 to Antonio Terceiro on Wed Jan 25 21:00:02 2023
    XPost: linux.debian.kernel, linux.debian.maint.boot

    Hi,

    When things get built, will there be a path forward for people who
    might need grub modules like serial console for accessibility reasons?

    Thanks

    _J

    On 1/25/23, Antonio Terceiro <terceiro@debian.org> wrote:
    > On Wed, Jan 25, 2023 at 06:11:45PM +0000, Steve McIntyre wrote:
    >> Hey all!
    >>
    >> Here's a status update and plans for SB and shim. If any of this is
    >> unclear or you have doubts, please say!
    >>
    >> We currently have *signed* shim *15.4* packages in the archive, for
    >> all of buster, bullseye, bookworm and sid. That works OK at the
    >> moment, but is getting old (July 2021) and needs updating soonish.
    >>
    >> I uploaded shim *15.6* in July 2022 and we attempted to get that
    >> signed too. Reviews were positive, but due to process problems around
    >> Microsoft uploads and then a long delay on getting a needed EV
    >> certificate renewed we never managed to get that signed. :-(
    >>
    >> The MS and cert issues are now both resolved, and I'm now working on a
    >> shim *15.7* upload. There's a little more work and testing to do, but
    >> I'm not far off. Yay?
    >
    > Have the issues with arm64 been fixed? Will this release provide a
    > signed arm64 shim?


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Antonio Terceiro@21:1/5 to Steve McIntyre on Wed Jan 25 20:20:01 2023
    XPost: linux.debian.kernel, linux.debian.maint.boot

    On Wed, Jan 25, 2023 at 06:11:45PM +0000, Steve McIntyre wrote:
    > Hey all!
    >
    > Here's a status update and plans for SB and shim. If any of this is
    > unclear or you have doubts, please say!
    >
    > We currently have *signed* shim *15.4* packages in the archive, for
    > all of buster, bullseye, bookworm and sid. That works OK at the
    > moment, but is getting old (July 2021) and needs updating soonish.
    >
    > I uploaded shim *15.6* in July 2022 and we attempted to get that
    > signed too. Reviews were positive, but due to process problems around
    > Microsoft uploads and then a long delay on getting a needed EV
    > certificate renewed we never managed to get that signed. :-(
    >
    > The MS and cert issues are now both resolved, and I'm now working on a
    > shim *15.7* upload. There's a little more work and testing to do, but
    > I'm not far off. Yay?

    Have the issues with arm64 been fixed? Will this release provide a
    signed arm64 shim?


  • From Steve McIntyre@21:1/5 to Antonio Terceiro on Wed Jan 25 21:30:01 2023
    XPost: linux.debian.kernel, linux.debian.maint.boot

    Hey Antonio,

    On Wed, Jan 25, 2023 at 04:17:50PM -0300, Antonio Terceiro wrote:
    > On Wed, Jan 25, 2023 at 06:11:45PM +0000, Steve McIntyre wrote:
    >>
    >> The MS and cert issues are now both resolved, and I'm now working on a
    >> shim *15.7* upload. There's a little more work and testing to do, but
    >> I'm not far off. Yay?
    >
    > Have the issues with arm64 been fixed? Will this release provide a
    > signed arm64 shim?

    We should have a signed shim for arm64, yes. I need to test end to end
    again yet; I think we're still missing some arm64 SB patches for grub.

    --
    Steve McIntyre, Cambridge, UK.                                steve@einval.com
    "Rarely is anyone thanked for the work they did to prevent the
    disaster that didn't happen."
    -- Mikko Hypponen (https://twitter.com/mikko/)

  • From Steve McIntyre@21:1/5 to Jeremy Hall on Wed Jan 25 21:30:01 2023
    XPost: linux.debian.kernel, linux.debian.maint.boot

    Hi Jeremy,

    On Wed, Jan 25, 2023 at 12:40:07PM -0700, Jeremy Hall wrote:

    > When things get built, will there be a path forward for people who
    > might need grub modules like serial console for accessibility reasons?

    The serial module has already been added to the signed grub binary a
    while back (2.06-4). If you need anything else, please ask or file
    bugs.

    In the longer term, some grub upstream developers are working on
    adding support for signing grub modules individually that might make
    it possible for people to add more themselves. But that's not going to
    happen before bookworm.

    HTH!

    --
    Steve McIntyre, Cambridge, UK.                                steve@einval.com
    "Why do people find DNS so difficult? It's just cache invalidation and
    naming things."
    -- Jeff Waugh (https://twitter.com/jdub)
