Debian UEFI Secure Boot changes!

Steve McIntyre has posted an update on Debian’s UEFI Secure Boot status, to the debian-boot and debian-efi mailing lists. Excerpt:

I’ve just pushed changes to a few bits of d-i this weekend to make SB work for amd64:

* build/util/efi-image: […]
* build/config/arm.cfg, build/config/x86.cfg: […]
* debian/control: […]
* grub-installer/grub-installer: […]

The effect of these changes is that the next daily and weekly debian installer images (tomorrow) should Just Work (TM) end-to-end with UEFI Secure Boot. The changes to efi-image also mean that our next live image builds will do SB (for live and installation).

I’ll test all these again in the next couple of days to verify that things have pulled through as I expect, then it’s time to post to d-d-a and write a blog too. We’ve made great progress already. These last changes just tie it all together for end users.

More info:

https://lists.debian.org/msgid-search/20190113192343.qg3ekmtnyepscwxb@tack.einval.com

Debian UEFI Secure Boot report from DebConf

DebConf, the Debian conference is happening, and there’s a EFI Secure Boot talk. Slides are listed on the debian-efi list below:

https://lists.debian.org/debian-efi/2018/07/msg00015.html

https://meetings-archive.debian.net/pub/debian-meetings/2018/DebConf18/?

 

Pyra (Debian-based gaming console) needs kernel ARM/OMAP experts

Pyra needs help by kernel and low-level ARM/OMAP experts

W. Martin Borgert posted a message to the Debian kernel/ARM lists, about soliciting kernel dev help for a Debian-based gaming console, successor to OpenPandora.

Borgert quote:

I just read this post by Pyra project leader Michael Mrozek a.k.a. “Evil Dragon”. (Pyra is planned to be a Debian based gaming console, successor of OpenPandora.) They need help by kernel devs and folks who know OMAP etc. Maybe somebody here can help them? There even might be some money in it. No doubt about fame and fun, though!

Evil Dragon quote:

[…]This brings up another important point: Kernel developers! There’s still quite a few things which should be done before the release. We don’t have proper powersaving, the TILER implementation needs to be tidied up, 3D is not yet implemented, Audio needs a better setup, etc. It seems there are less and less kernel developers having the time to work on such things in their spare time. That’s why I decided to hire freelancers to help out as well![…]I know we’ve got quite a lot of OpenSource fans around here. Maybe some know some good kernel developers, who are able to include and improve hardware support and fix various issues. We can provide a test unit as well as the needed datasheets – but it needs someone who is capable of debugging and fixing low-level things.[…]

https://pyra-handheld.com/boards/threads/moving-along.82982/
https://pyra-handheld.com/

 

seL ported to RISC-V

seL, in addition to Intel and ARM, now supports RISC-V!

https://github.com/seL4/seL4/tree/master/include/arch/riscv/arch
https://sel4.systems/pipermail/devel/2018-April/001928.html
https://docs.sel4.systems/Hardware/RISCV
https://sel4.systems/About/seL4/
https://riscv.org/

 

PS: seL is not the only OS porting to RISC-V, here’s the Debian port:
https://groups.google.com/a/groups.riscv.org/forum/#!topic/sw-dev/u4VcUtB9r94

PS: RISC-V is getting active, and has had lots of newsworthy events that I’ve not covered:
https://riscv.org/news/

Embedded Linux Japan Technical Jamboree 63 slides/videos uploaded

Status of Embedded Linux, Tim Bird
Review of ELC Europe 2017, Tim Bird
mplementing state-of-the-art U-Boot port, 2017 edition, by Marek Vasut
Linux カーネルのメモリ管理の闇をめぐる戦い(協力者募集中, Tetsuo Handa (NTT Data)
Request for your suggestions: How to Protect Data in eMMC on Embedded Devices, Gou Nakatsuka (Daikin)
Fuego Status and Roadmap, Tim Bird
Multicast Video-Streaming on Embedded Linux environment, Daichi Fukui (TOSHIBA)
From 1 to many Implementing SMP on OpenRISC, Stafford Horne
Core Partitioning Technique on Multicore Linux systems, Kouta Okamoto (TOSHIBA)
Debian + YoctoProject Based Projects: Collaboration Status, Kazuhiro Hayashi (TOSHIBA)

https://elinux.org/Japan_Technical_Jamboree_63#Agenda

See-also: Septemer 2017 Jamboree 62:

Status of Embedded Linux, Tim Bird
EdgeX Foundry: Introduction and demonstration of end to end IoT system, Victor Duan, Linaro
Lighting Talk: Integration between GitLab and Fuego, Tomohito Esaki, IGEL Co., Ltd.
DebConf17 Report, Kazuhiro Hayashi, TOSHIBA
Lightning Talk : About the LTS now, Shinsuke kato, Panasonic Corporation
Kernel Recipes 2015 – Linux Stable Release process, Greg KH
Lightning Talk: IPv6 Ready Logo Test for LTSI 4.9 and introduction about CVE-2016-5863 and CVE-2017-11164, Fan Xin, Fujitsu Computer Technologies Limited

https://elinux.org/Japan_Technical_Jamboree_62#Agenda

Debsources: browse/search sources of all Debian releases

Matthieu Caneill of Debian announced Debsources. Excerpt of announcement below, for full announcement, see the debian-devel-announce mailing list archives.

https://twitter.com/zacchiro/status/938327579135807488

Announcing sources.debian.org

We’re happy to announce that Debsources, the Web application that allows to browse and search the entire source code of all Debian releases, is now hosted on the official Debian infrastructure and available at https://sources.debian.org . You may already know this service as previously hosted at sources.debian.net . We took the move to Debian hardware as the opportunity to officially announce it here.[…]

https://sources.debian.org
https://codesearch.debian.net/search?q=firmware
https://codesearch.debian.net/search?q=UEFI
https://codesearch.debian.net/search?q=coreboot

Hmm, “EFI” does not work as a search string, and there are Linux-centric UEFI commands that only use “EFI”, not “UEFI”…

PureOS joins Debian derivatives census

PureOS is the Debian-based Linux distribution by Purism for their laptops.  Jonas Smedegaard has apparently joined Purism to help with PureOS:

“I am long time Debian developer with a special interest in Pure Blends (a.k.a. friendly assimilation of derivatives into Debian). Since about a month ago I am hired by Purism to help develop PureOS – a Debian derivative for which I will act as Derivatives Census contact.”

https://wiki.debian.org/Derivatives/Census/PureOS

Hector Oron of Debian, who invited PureOS into the Debian Derivative census, made a few interesting initial comments evaluating PureOS, some things that need I hope Purism addresses:

“The page says that PureOS modifies Debian binary packages. It is quite rare that distributions modify Debian binary packages instead of modifying source packages and rebuilding them. Does PureOS actually do this? If so could you describe what kind of modifications you are making? If not I guess the page needs to be fixed. The apt repository for PureOS does not contain source packages [for the contrib and non-free section], including for packages licensed under the GNU GPL. This may or may not be a copyright violation depending on whether or not you distribute those elsewhere. In any case, please add source packages to your repository so that Debian can automatically create patches to be presented to Debian package maintainers.”

For more info, read the thread on the debian-derivatives@lists.debian.org mailing list.

https://puri.sm/?s=Debian

Hardened Linux: coreboot and CHIPSEC

A bit more information on Hardened Linux’s use of CHIPSEC, in this case coreboot-centric:

https://firmwaresecurity.com/2017/07/31/hardened-linux-using-chipsec/

“# Enabling some security features at runtime in case of which vendor provided implementation improperly.”

https://github.com/hardenedlinux/Debian-GNU-Linux-Profiles/blob/master/scripts/harbian_fw/fw_hardening_runtime.py

There aren’t many CHIPSEC-based codebases, Hardened Linux is one relatively new one.

Debian 9 “Stretch” released

Excerpts of announcement included below. For full announcement, see the debian-announce mailing list archives.

 After 26 months of development the Debian project is proud to present its new stable version 9 (code name “Stretch”), which will be supported for the next 5 years thanks to the combined work of the Debian Security team and of the Debian Long Term Support team. Debian 9 is dedicated to the project’s founder Ian Murdock, who passed away on 28 December 2015.

The UEFI (“Unified Extensible Firmware Interface”) support first introduced in “Wheezy” continues to be greatly improved in “Stretch”, and also supports installing on 32-bit UEFI firmware with a 64-bit kernel. The Debian live images now include support for UEFI booting as a new feature, too.

A total of ten architectures are supported: 64-bit PC / Intel EM64T / x86-64 (amd64), 32-bit PC / Intel IA-32 (i386), 64-bit little-endian Motorola/IBM PowerPC (ppc64el), 64-bit IBM S/390 (s390x), for ARM, armel and armhf for older and more recent 32-bit hardware, plus arm64 for the 64-bit “AArch64” architecture, and for MIPS, in addition to the two 32-bit mips (big-endian) and mipsel (little-endian), there is a new mips64el architecture for 64-bit little-endian hardware. Support for 32- bit Motorola/IBM PowerPC (powerpc) has been removed in “Stretch”.

https://www.debian.org/News/2017/20170617
http://ftp.debian.org/debian/doc/dedication/dedication-9.0.txt
https://www.debian.org/releases/stretch/installmanual
https://www.debian.org/releases/stretch/releasenotes

 

Secure Boot BOF at DebConf17

Helen Koike of Collabora has proposed a BOF on UEFI Secure Boot at DebConf17, this August:

DebConf17 – BoF proposal to discuss secure boot
I want to send a BoF proposal to DebConf17 so we can meet there and discuss about secure boot. I would like to know if you are interested in attending and also which topics you suggest for discussion. I would appreciate if you could put your name and suggestions in this form in case you are interested https://goo.gl/forms/lHoEibY1H6FmSHSJ2 , or just reply to this email thread.

For full message, see the debian-efi mailing list archives.

https://lists.debian.org/debian-efi/2017/05/threads.html

https://docs.google.com/forms/d/e/1FAIpQLSdtHYNy9212iXP26tkjbb6XvgVSMjJzn2DYoAilFT1l89vemw/viewform?c=0&w=1

https://debconf17.debconf.org/

 

 

Debian Live images now include UEFI support

Steve McIntyre gave an update on Debian official images to the debian-(cd, devel-announce,live,cloud) mailing lists. There’s a UEFI update on Debian Live images:
Live images – now including UEFI support

After a hiatus, weekly builds of live images for testing are now happening again. These cover amd64 and i386, and there is a separate image for each of the common desktop environments. Thanks to great work by Neil Williams, Iain Learmonth and Ana Custura on new tools (vmdebootstrap and live-wraper), these also include support for UEFI booting as a new feature. Please help test the images and give feedback:

http://get.debian.org/cdimage/weekly-live-builds/

See Steve’s message to the above-listed lists for the full post.

https://lists.debian.org/msgid-search/20170428012707.GJ28360@einval.com

Debian 9 defers UEFI Secure Boot support

From the latest “Bits from the Release Team” message, it appears that Debian 9 will probably defer Secure Boot support to later.

Secure Boot
At a recent team meeting, we decided that support for Secure Boot in the forthcoming Debian 9 “stretch” would no longer be a blocker to release. The likely, although not certain outcome is that stretch will not have Secure Boot support. We appreciate that this will be a disappointment to many users and developers. However, we need to balance that with the limited time available for the volunteer teams working on this feature, and the risk of bugs being introduced through rushed development. It’s possible that Secure Boot support could be introduced at some point in stretch’s lifetime.

Full message:
https://lists.debian.org/debian-devel-announce/2017/04/msg00013.html
https://wiki.debian.org/SecureBoot
https://wiki.debian.org/UEFI

Rescatux adds new UEFI rescue options

Adrian announced Rescatux 0.41b, with new UEFI rescue options:
(*) Change UEFI Boot order
(*) Create UEFI Boot Entry
(*) Fake Microsoft Windows UEFI.
(*) Hide Microsoft Windows UEFI
(*) Reinstall Microsoft Windows UEFI boot entries

Adrian has a thread on the debian-efi list, asking for feedback on these features. Excerpt of announcement below, see the full announcement on the debian-efi list.

Rescatux 0.41b1 released with UEFI rescue options

* Rescatux introduction
Rescatux is a GNU/Linux rescue cd (and eventually also Windows) but it is not like other rescue disks. Rescatux comes with Rescapp. Rescapp is a nice wizard that will guide you through your rescue tasks.[…]
* Rescatux 0.41b1 released
Last week I released Rescatux 0.41b1 with a bunch of new UEFI rescue options. I just wanted to share with you some technical details about those options so that I can get some feedback from you.[…]

http://www.supergrubdisk.org/rescatux/

http://wiki.rescatux.org/wiki/Main_Page

ALT Linux Rescue also has the option to boot either into their Linux or into their provided UEFI Shell. I wish more Linux distirbutions provided features like this.

Debian signed Shim

Secure Boot chain-loading bootloader (Microsoft-signed binary)

This package provides a minimalist boot loader which allows verifying signatures of other UEFI binaries against either the Secure Boot DB/DBX or against a built-in signature database. Its purpose is to allow a small, infrequently-changing binary to be signed by the UEFI CA, while allowing an OS distributor to revision their main bootloader independently of the CA. This package contains the version of the bootloader binary signed by the Microsoft UEFI CA.

https://packages.debian.org/sid/main/shim-signed

https://wiki.debian.org/SecureBoot