People from the FTP team, kernel team and DSA, as well as other interested individuals met in Fulda, Germany for a sprint with the goal of deciding and implementing the workflow for Secure Boot.
Participants ------------ * Ansgar Burchardt * Joerg Jaspert * Luke W. Faraone * Ben Hutchings * Tollef Fog Heen * Helen Koike * Philipp Hahn * Julien Cristau [remote] * Steve McIntyre [remote] We had a long discussion about what requirements we had for the signing process, whether that could happen inline in the regular build process, if a human needed to be involved in the signing and how to best handle embargoed builds. In the end, we decided to have a signing service which will construct a source package based on a "template" package and a list of files to sign and upload this to be processed by the normal buildd and dak processes. The signing service will also have an audit log which makes it public what was signed and when. Once this was agreed and various corner cases ironed out, we started implementing the signing service, and the necessary changes in the Linux kernel package, dak, fwupdate, shim and grub. The source for the signing service can be found at https://salsa.debian.org/ftp-team/code-signing. By the end of the sprint, we were able to: - generate a signing template for Linux kernel modules - generate a signing template for shim - generate a signing template for fwupdate - have DAK detect such signing template packages automatically and generate a request for signing - run the code of the signing box by hand to generate the source code packages containing the generated signatures We're still missing (partially or completely): - generate a signing template for GRUB2 - have DAK accept those generated source-only uploads Acknowledgements ------------------------- the sprint has been possible thanks to: - the Office Factory for hosting us, - donations to the Debian project for covering travel and accommodation costs for the sprint, - Dropbox for sponsoring Luke's travel and accomodations, - Technische Universität Dresden for sponsoring Ansgar's travel and accomodations, and - Univention GmbH for sponsoring Philipp's travel and accomodations, -- Tollef Fog Heen UNIX is user friendly, it's just picky about who its friends are
