Hey all! Here's a status update and plans for SB and shim. If any of this is unclear or you have doubts, please say!
We currently have *signed* shim *15.4* packages in the archive, for all of buster, bullseye, bookworm and sid. That works OK at the moment, but is getting old (July 2021) and needs updating soonish.

I uploaded shim *15.6* in July 2022 and we attempted to get that signed too. Reviews were positive, but due to process problems around Microsoft uploads and then a long delay on getting a needed EV certificate renewed we never managed to get that signed. :-(

The MS and cert issues are now both resolved, and I'm now working on a shim *15.7* upload. There's a little more work and testing to do, but I'm not far off. Yay?

However, there are a couple of caveats to this...

SBAT update
-----------

The new shim build will need to block SB execution of older grub builds (anything with an SBAT level for grub.debian < 4). The oldest builds that will continue to work are:

 * 2.06-6 (unstable/bookworm)
 * 2.06-3~deb11u5 (bullseye)
 * 2.06-3~deb10u3 (buster)

This is hopefully not unexpected, but I'm sharing here to be 100% clear. I'm planning on doing shim 15.7 builds for bullseye and buster again, so these all matter here.

NX
--

At the end of November 2022 (while unable to get anything signed) we passed a deadline; new shims since that point must be built with NX support enabled, and flagged as such. This extra hardening should improve security more, so it's not a bad thing in general.

*However*, it does have consequences - once shim is loaded by UEFI firmware and started with NX enabled, all the UEFI binaries downstream of it *also* have to support NX as well. Patches for grub and linux are under discussion at the moment, but AFAIK not yet released; I need to check on the status of fwupd-efi too.

What does this mean for us?

 * Older machines with older firmware will continue to work just fine.
 * New-enough machines with firmware that enables NX will fail to boot until we get full NX support through our boot chain. :-(

There's a mitigating factor here: *such* new machines may already reject our older signed binaries anyway. We're stuck in a bad situation here I'm afraid; I think the only sensible way is forward, applying NX patches as soon as they're ready.

Thoughts?

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
"Yes, of course duct tape works in a near-vacuum. Duct tape works
anywhere. Duct tape is magic and should be worshipped."
   -- Andy Weir, "The Martian"
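The SBAT check the mail refers to, as an added example that is not part of Steve's post or of shim itself: a simplified model of how shim compares a binary's .sbat entries against its SBAT revocation level. The "grub.debian,4" threshold comes from the mail; the other revocation rows, the sample .sbat contents and the version strings are constructed placeholders.

```python
"""Check a UEFI binary's SBAT entries against a shim SBAT revocation policy.

Simplified model (not shim's own code): each line of a binary's .sbat
section is "component,generation,vendor,package,version,url"; a revocation
(SbatLevel) entry is "component,generation".  A binary is refused when any
of its components appears in the revocation list with a generation number
lower than the revoked one.
"""
import csv
import io


def parse_sbat(text):
    """Parse SBAT CSV into a list of (component, generation) pairs."""
    entries = []
    for row in csv.reader(io.StringIO(text.strip())):
        if not row or row[0].startswith("#"):
            continue
        entries.append((row[0].strip(), int(row[1])))
    return entries


def sbat_allows(binary_sbat, revocations):
    """Return (allowed, reasons); reasons lists every violated component."""
    policy = dict(parse_sbat(revocations))
    reasons = []
    for component, gen in parse_sbat(binary_sbat):
        required = policy.get(component)
        if required is not None and gen < required:
            reasons.append(f"{component}: generation {gen} < required {required}")
    return (not reasons, reasons)


# Constructed sample revocation list: "grub.debian,4" is the level the mail
# describes; the other rows are illustrative placeholders, not real values.
SBAT_LEVEL = """\
sbat,1
shim,2
grub,3
grub.debian,4
"""

# Constructed sample .sbat contents for a grub build at generation 4
# (the mail's 2.06-6) and for an older build still at generation 3.
GRUB_NEW = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.debian,4,Debian,grub2,2.06-6,https://tracker.debian.org/pkg/grub2
"""
GRUB_OLD = GRUB_NEW.replace("grub.debian,4,", "grub.debian,3,").replace("2.06-6", "OLDER-VERSION-PLACEHOLDER")

if __name__ == "__main__":
    for name, sbat in (("2.06-6", GRUB_NEW), ("older build", GRUB_OLD)):
        ok, why = sbat_allows(sbat, SBAT_LEVEL)
        print(name, "allowed" if ok else "blocked", why)
```

Run against a real binary by extracting its .sbat section (for example with objcopy) and feeding the text to sbat_allows.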