Hi Dimitri!

On 7/29/20 11:20 PM, Dimitri John Ledkov wrote:
> Disclosures were done to a subset of binary distributions that have a
> trust path to shims signed with Microsoft UEFI CA 2011 db key. Arch
> Linux does not provide shim-signed with keys controlled by Arch Linux
> and it doesn't provide pre-signed secureboot kernels.
>
> Reading Arch Linux documentation it seems that Fedora's shim is used
> together with self-signed Mok Keys.
>
> Mitigation strategy for Arch Linux will then be quite different to
> everyone else:
>
> 1) Update to new shim from fedora when available, as previous ones are
> going to be revoked by the dbxupdate from uefi.org
> 2) Patch Archlinux grub
> 3) Patch Archlinux kernel for lockdown bypass
> 4) Generate new MOK key, enroll it into MOK
> 5) Sign patched grub/kernel with the new MOK key
> 6) Provide instructions for users to revoke their old key via MOKX,
> i.e. use mokutil --mokx --import existing cert; or for example delete
> the old key from MOK with --delete old-cert.der
>
> This is just a rough guideline, please analyze how signing keys are
> controlled and used on typical Arch Linux deployment and adjust things
> to taste.
>
> The key point is to rotate the signing key used for
> shim/grub/kernel/fwupd, only use the new key to sign fixed things, and
> ensure that old key is no longer trusted (removed from MOK, or added
> to MOKX).
Thanks for describing the detailed procedure, very informative.

Adrian

--
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
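A scripted form of steps 4 to 6 of the rotation Dimitri outlines (generate a replacement MOK key, sign only the fixed binaries with it, then stage the new certificate for enrollment and the old one for MOKX or deletion), added here as an example; it is not code from this thread nor from any Arch, Fedora or Debian tooling. It assumes openssl, sbsign/sbverify from sbsigntools and mokutil are installed; the ./mok-rotate working directory, the key names and the common name are constructed placeholders. Step 1 (the new shim) comes from the distribution package and is not scripted.

```shell
#!/bin/sh
# Added example: rotating a self-signed MOK signing key after a shim/grub
# revocation. Assumes openssl, sbsigntools and mokutil are present; the
# working directory and key names are constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-./mok-rotate}"

# Step 4: generate the replacement MOK key pair. The PEM pair is what sbsign
# consumes; the DER copy (.cer) is what mokutil enrolls or revokes.
gen_mok_key() {      # gen_mok_key <name> <common-name>
    mkdir -p "$WORKDIR"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$2/" -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" 2>/dev/null
    openssl x509 -in "$WORKDIR/$1.crt" -outform DER -out "$WORKDIR/$1.cer"
    chmod 600 "$WORKDIR/$1.key"    # the private key stays on the signing host
}

# SHA-256 of a DER certificate as lower-case hex without colons. Record it for
# both the old and the new certificate so the rotation can be audited later.
cert_sha256() {      # cert_sha256 <file.cer>
    openssl x509 -in "$1" -inform DER -noout -fingerprint -sha256 \
        | sed 's/^[^=]*=//; s/://g' | tr 'A-F' 'a-f'
}

# Step 5: sign a patched binary with the NEW key only and verify the result
# before installing it. The old key is never used for signing again.
sign_fixed_binary() {   # sign_fixed_binary <name> <in.efi> <out.efi>
    sbsign --key "$WORKDIR/$1.key" --cert "$WORKDIR/$1.crt" --output "$3" "$2"
    sbverify --cert "$WORKDIR/$1.crt" "$3"
}

# Step 6: queue the new certificate for MOK and the old one for MOKX (the
# shim blacklist) or for deletion from MOK. mokutil only stages the requests;
# MokManager asks for the password and applies them at the next boot, so both
# changes are staged together and land in the same reboot.
stage_rotation() {      # stage_rotation <new.cer> <old.cer> [mokx|delete]
    new="$1"; old="$2"; mode="${3:-mokx}"
    case "$mode" in
        mokx|delete) ;;
        *) echo "unknown mode: $mode (use mokx or delete)" >&2; return 1 ;;
    esac
    mokutil --import "$new"
    if [ "$mode" = mokx ]; then
        mokutil --mokx --import "$old"     # blacklist the old certificate
    else
        mokutil --delete "$old"            # or simply remove it from MOK
    fi
    echo "queued: enroll $(cert_sha256 "$new")"
    echo "queued: retire $(cert_sha256 "$old") via $mode"
    mokutil --list-new                     # show what MokManager will ask about
}
```

Typical use is `gen_mok_key mok2020 "Arch MOK 2020"`, then `sign_fixed_binary mok2020 grubx64.efi grubx64.efi.signed` for each patched grub/kernel/fwupd binary, then `stage_rotation ./mok-rotate/mok2020.cer /path/to/old-cert.der`, reboot, and confirm with `mokutil --list-enrolled` that only the new fingerprint is trusted. Keep the recorded hashes of both certificates: the old one is what users need in order to check that their own MOK no longer trusts it.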