The Wanderer wrote: >On 2022-04-26 at 18:05, Paul Wise wrote: > >> On Tue, 2022-04-26 at 20:41 +0200, Bastian Blank wrote: >> >>> secure boot signing process at Microsoft is a review-sign process >> >> What kind of review are Microsoft doing of the Debian shim? >> >> Are they reviewing the source and checking for a reproducible build? > >I'd be curious to have a more in-depth answer to this, myself. > >My understanding has always been that they check to make sure that what >they're signing is not visibly malicious, and in most cases also that it >can't chain to load something else (which isn't signed, and might be >malicious). Since the entire purpose of the shim - at least as I >understand it - is to chain to load something else, clearly either that >understanding is not correct, or they're making an exception for the >case of the shim.
Microsoft themselves *don't* do direct code review of the shim submissions; they acknowledged some time ago that they didn't have direct knowledge good enough to make this sensible. Instead, there is a team of trusted distro maintainers who have stepped up to revies submissions. See * https://github.com/rhboot/shim-review * https://github.com/rhboot/shim/wiki for more information about what we look for. Every single patch that's applied to a signed shim will be reviewed by the community, and we also want to see what patches people have aplied to Grub, Linux, etc. too. We need a reproducible build for shim so that we can check that the shipped binary for signing matches what we can rebuild ourselves. -- Steve McIntyre, Cambridge, UK. st...@einval.com "We're the technical experts. We were hired so that management could ignore our recommendations and tell us how to do our jobs." -- Mike Andrews
