-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 pjones' statement about Secure Boot on 2024-12-02: I'm involved in Secure Boot signing in various distros in several ways. I wrote and maintain pesign ( https://github.com/rhinstaller/pesign ), which is used for signing EFI binaries, and I'm one of the upstream maintainers of shim ( https://github.com/rhinstaller/shim ), which most Linux distros use to transition from the firmware's security domain to the kernel's. I'm also responsible for Fedora and RHEL's builds of pesign, shim, and grub2. I'm not responsible for the kernels for RHEL or Fedora, nor for determining which of them finally get signed for Secure Boot. I have been responsible for generating keys for signing Fedora's binaries. As the guy who gets shim signed for Fedora: At no point have I been contacted with warrants of any kind, or any similar instrument, or in any way, from governmental or non-governmental entities, about inclusion of any kind of malware or backdoor in Fedora's signed secure boot binaries, including shim, grub2, the kernel, and pesign, nor have I at any time been approached about disclosure of our signing keys, except by one lazy troll on the internet. I am also not aware of anyone else involved in our signing that has been contacted with warrants of any kind, or any similar instrument, or in any way, from governmental or non-governmental entities, about inclusion of any kind of malware or backdoor in Fedora's signed secure boot binaries, including shim, grub2, the kernel, and pesign, nor am I aware of any other involved party having at any time been approached about disclosure of our signing keys. As the guy who gets shim signed for RHEL: At no point have I been contacted with warrants of any kind, or any similar instrument, or in any way, from governmental or non-governmental entities, about inclusion of any kind of malware or backdoor in RHEL's signed secure boot binaries, including shim, grub2, the kernel, and pesign, nor have I at any time been approached about disclosure of our signing keys. I am also not aware of anyone else involved in our signing that has been contacted with warrants of any kind, or any similar instrument, or in any way, from governmental or non-governmental entities, about inclusion of any kind of malware or backdoor in RHEL's signed secure boot binaries, including shim, grub2, the kernel, and pesign, nor am I aware of any other involved party having at any time been approached about disclosure of our signing keys. As a person involved in CentOS implementation in an advisory role: I am not aware of anyone else involved in our signing that has been contacted with warrants of any kind, or any similar instrument, or in any way, from governmental or non-governmental entities, about inclusion of any kind of malware or backdoor in CentOS's signed secure boot binaries, including shim, grub2, the kernel, and pesign, nor am I aware of any other involved party having at any time been approached about disclosure of CentOS's signing keys. As the guy who gets shim signed for CentOS: At no point have I been contacted with warrants of any kind, or any similar instrument, or in any way, from governmental or non-governmental entities, about inclusion of any kind of malware or backdoor in RHEL's signed secure boot binaries, including shim, grub2, the kernel, and pesign, nor have I at any time been approached about disclosure of our signing keys. I am also not aware of anyone else involved in our signing that has been contacted with warrants of any kind, or any similar instrument, or in any way, from governmental or non-governmental entities, about inclusion of any kind of malware or backdoor in CentOS 7's signed secure boot binaries, including shim, grub2, the kernel, and pesign, nor am I aware of any other involved party having at any time been approached about disclosure of our signing keys. As the upstream maintainer of pesign and an upstream maintainer of shim: At no point have I been contacted with warrants of any kind, or any similar instrument, or in any way, from governmental or non-governmental entities, about inclusion of any kind of malware or backdoor into either shim or pesign. I am also unaware of any other contributor to shim or pesign having been contacted with warrants of of any kind, or any similar instrument, or in any way, from governmental or non-governmental entities, about inclusion of any kind of malware or backdoor into either shim or pesign. November 2017 update: One rando from the internet has sent me an email to tell me that I should "consider myself approached" regarding the Fedora signing keys. Here's what the guy with way too much time on his hands said: - ------------------------------------------------------------------------------ Date: Tue, 31 Oct 2017 14:46:07 -0400 From: Eduardo Gines Subject: Fedora SecureBoot signing keys Hey Peter, I'd like you to share with me key used for signing shim in Fedora Project Linux. Consider yourself approached. AdiĆ³s, Eduardo - ------------------------------------------------------------------------------ Just so we're clear, I don't consider a lazy email to be the sort of contact we're talking about here. So while I've changed the language on the Fedora section above to reflect that I have, in fact, been contacted in /some/ way by a non-governmental entity, in the future if this is the amount of effort you put into this, I'm just going to mark it spam. Congratulations, you found a new way to be bad for the world, and it's mostly just tedious. Most people just stick to the old ways. September 2018 update: Changed some CentOS stuff around to better reflect the current division of labor. March 2021 update: There's been some discussion about some documents published by the National Security Agency[0]. In these, they discuss deployment strategies and customizations regarding UEFI and Secure Boot. [0] Here: https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-uefi-lockdown.pdf https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/BootSecurityModesAndRec_20190522.pdf https://media.defense.gov/2020/Sep/15/2002497594/-1/-1/0/CTR-UEFI-Secure-Boot-Customization-UOO168873-20.PDF https://github.com/nsacyber/Hardware-and-Firmware-Security-Guidance/blob/master/secureboot/Linux.md -----BEGIN PGP SIGNATURE----- iQJGBAEBCgAwFiEEAgk+DRnd4Pff+7U8H9P1QCVqE3IFAmdNyW0SHHBqb25lc0By ZWRoYXQuY29tAAoJEB/T9UAlahNy2fEP/11EiGNnvDkgHJrqyrWHnxE+KqYF7dWw UbjSoXrkI4ZjwSy3ngnvBb2wMMb71DjDgUHFa9QllhTt/A5CHqQT8KFvcy1NFMGw AgtDNP/HhuHNGUaescyeAx8qLURenmBqbruiAPXLUu3fdkMGSMlcOcKGFJNCrot+ p1Tm0ycmqP7T0jsb9vbmkysuae3dmSbUmY3PPxIPqToybK3km2Mg0MB30JHk8TMP rB01imTiLhdUhBZsB9OqlqHJ0UDINEe1VzejyIkCfC2AsuHzyN2zic3Y09ajnLrA EAnOeZcXYEpNOYfTslJxWUB/3Qb+bHv/UcEbS6Af9EvvfE+01Zy0hdeNSyIESbrZ Dl8wpeu/TQj7uqSvRICGb5suu1d+evO/1MVFkYs75MR9QQMDtIphmujaPGT/XnOs 1PJvLqLMl6jnpOmo4LL2IL8vbjoQC6Ud1lpp43djrHWuWadKEfm5/Tbq7UFjTUNi zBpOhk+1Ks6Hfg4Xt7IdTjYoKOAPnoWlLfsfIxtUR7b1PUA6PsPbUGdiA+c2ot+X 9/S+cPqy4xyho3FeCXSYGwn/LBq27X/pIVX22B2J0kBVq9jI6priSFKJufifxzyN 8kiDimRu02Vo1vKvBNsURBSLsEHBLTAeyM5eacbdYZI6cLG7Oxqt6pddgs0WSu1K KAPn0whov7ij =pPVq -----END PGP SIGNATURE-----