[personal profile] mjg59
Shim has been hugely successful, to the point of being used by the majority of significant Linux distributions and many other third party products (even, apparently, Solaris). The aim was to ensure that it would remain possible to install free operating systems on UEFI Secure Boot platforms while still allowing machine owners to replace their bootloaders and kernels, and it's achieved this goal.

However, a legitimate criticism has been that there's very little transparency in Microsoft's signing process. Some people have waited for significant periods of time before being receiving a response. A large part of this is simply that demand has been greater than expected, and Microsoft aren't in the best position to review code that they didn't write in the first place.

To that end, we're adopting a new model. A mailing list has been created at shim-review@lists.freedesktop.org, and members of this list will review submissions and provide a recommendation to Microsoft on whether these should be signed or not. The current set of expectations around binaries to be signed documented here and the current process here - it is expected that this will evolve slightly as we get used to the process, and we'll provide a more formal set of documentation once things have settled down.

This is a new initiative and one that will probably take a little while to get working smoothly, but we hope it'll make it much easier to get signed releases of Shim out without compromising security in the process.

ARM build restriction

Date: 2017-03-22 04:53 am (UTC)
From: (Anonymous)
What's the story behind the ARM build restriction?

Re: ARM build restriction

Date: 2017-03-22 01:13 pm (UTC)
From: [identity profile] pjones.id.fedoraproject.org
https://msdn.microsoft.com/windows/hardware/commercialize/design/compatibility/systems#systemfundamentalsfirmwarecsuefisecurebootconnectedstandby ("System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby" if that link is weird for you like it is for me) #6 and #13 are problematic for shipping signed GPL programs.

Date: 2017-03-23 07:35 pm (UTC)
From: [identity profile] bgilbert.id.fedoraproject.org
Does this process replace the current mechanism and requirements for submitting shim binaries to be signed (e.g. https://blogs.msdn.microsoft.com/windows_hardware_certification/2013/12/03/microsoft-uefi-ca-signing-policy-updates), or is it intended to supplement them?


Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Google. Member of the Free Software Foundation board of directors. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

Expand Cut Tags

No cut tags