Tollef Fog Heen wrote:
>]] Hanno 'Rince' Wagner
>>
>> I am a very firm believer of giving people as much information as
>> possible while being responsible. Meaning, that I would love to have
>> that documentation - including a big warning sign which says "if you
>> follow this path, you may bric
The Wanderer wrote:
>On 2022-04-26 at 10:14, Marc Haber wrote:
>
>> On Sat, 23 Apr 2022 18:21:47 +0100, Steve McIntyre
>> wrote:
>
>>> Alternatively, people can build replacement shim-signed packages
>>> using their own root of trust if desired. If we
The Wanderer wrote:
>On 2022-04-26 at 18:05, Paul Wise wrote:
>
>> On Tue, 2022-04-26 at 20:41 +0200, Bastian Blank wrote:
>>
>>> secure boot signing process at Microsoft is a review-sign process
>>
>> What kind of review are Microsoft doing of the Debian shim?
>>
>> Are they reviewing the sourc
]] The Wanderer
> I can't speak to how big of an advantage A is, but B seems to me to be
> pretty important.
It's a manual process that includes poking around in MS' partner portal,
USB HSMs stored in a safe place and rebooting to Windows, then checking
back days (and sometimes weeks) later to d
]] Hanno 'Rince' Wagner
> Hi everybody,
>
> On Sun, 24 Apr 2022, Tollef Fog Heen wrote:
>
> > I don't think we have docs for running with a different root of trust
> > than MS'. To be honest, I'm not sure we even _should_ have a lot of docs
> > around it, since the general brittleness of the boo
On 2022-04-26 at 18:05, Paul Wise wrote:
> On Tue, 2022-04-26 at 20:41 +0200, Bastian Blank wrote:
>
>> secure boot signing process at Microsoft is a review-sign process
>
> What kind of review are Microsoft doing of the Debian shim?
>
> Are they reviewing the source and checking for a reproduc
On 2022-04-26 at 10:14, Marc Haber wrote:
> On Sat, 23 Apr 2022 18:21:47 +0100, Steve McIntyre
> wrote:
>> Alternatively, people can build replacement shim-signed packages
>> using their own root of trust if desired. If we had a large enough
>> number of users wanting a
On Tue, 2022-04-26 at 20:41 +0200, Bastian Blank wrote:
> secure boot signing process at Microsoft is a review-sign process
What kind of review are Microsoft doing of the Debian shim?
Are they reviewing the source and checking for a reproducible build?
--
bye,
pabs
https://wiki.debian.org/Pau
ete docs!), but
> >I've certainly discussed this with a few folks over the years.
> It would be great to have that written down somewhere to tell people
> what they're actually doing.
Something like https://wiki.debian.org/SecureBoot?
> >Alternatively, people can build replace
Marc Haber wrote:
>On Sat, 23 Apr 2022 18:21:47 +0100, Steve McIntyre
>
>>Better than that, our shim-signed source package always double-checks
>>things here. At build time it removes the Microsoft signature and
>>compares that shim binary to the binary that we submitted
just the header
- the second change (~0x120) is the offset of the signature table in
the database (0xe1fe8) and its size.
- the third change (~0xe1fe0) is appending the signature
You can also extract the signature, attach the signature to the
unsigned file an
t would be great to have that written down somewhere to tell people
what they're actually doing.
>Alternatively, people can build replacement shim-signed packages using
>their own root of trust if desired. If we had a large enough number of
>users wanting a different root of trust,
On Sat, 23 Apr 2022 13:54:59 +0200, Ansgar wrote:
>On Sat, 2022-04-23 at 12:21 +0200, Marc Haber wrote:
>> >Is the presence of shim-signed on the install media enough to make
>> >people feel somehow contaminated?
>>
>> I think so, yes. Personally, I don't car
]] Marc Haber
> Excuse me for asking a user question on -devel, but do we have any
> docs where someone explains how much a security trade off is
> shim-signed relative to the optimum? I think that using shim-signed is
> surely worse than a directly signed kernel, but I don't kno
On Sat, 2022-04-23 at 18:21 +0100, Steve McIntyre wrote:
> If you don't like the fact that Microsoft's keys are involved,
> it's possible on a lot of machines to enrol your own keys
On machines where this isn't possible in the UEFI firmware interface,
IIRC shim-signed i
I think we crossed that
>>line some time ago.
>>
>>I'm thinking of shim-signed, which is included in our official media.
>>
>>Despite being free software in source form, it is signed by Microsoft,
>>and can only be expected to work with that signature ... whic
On Sat, 2022-04-23 at 12:21 +0200, Marc Haber wrote:
> >Is the presence of shim-signed on the install media enough to make
> >people feel somehow contaminated?
>
> I think so, yes. Personally, I don't care too much but I can
> understand why some people might.
Why? B
ago.
>
>I'm thinking of shim-signed, which is included in our official media.
>
>Despite being free software in source form, it is signed by Microsoft,
>and can only be expected to work with that signature ... which we cannot
>create.
>
>On most (all?) hardware one is
18 matches