
Bug#821053: UEFI Secure Boot support in d-i build



Control: reassign -1 grub-installer
Control: tag -1 patch

On Fri, 01 Jul 2016 23:15:07 +0200 Ben Hutchings <ben@decadent.org.uk> wrote:
> On Fri, 15 Apr 2016 01:04:15 +0100 Steve McIntyre <steve@einval.com>
> wrote:
> > Package: debian-installer
> > Severity: important
> > Control: block 820036 with -1
> >
> > Check what changes will be needed in the d-i build scripts to support
> > signed modules etc. for UEFI Secure Boot.
> 
> I think the answer is 'nothing at all', as udebs will be built with
> signed binaries and their names won't change.  This is implemented in
> linux-signed/experimental.

...but we do need to install grub-signed and shim-signed.  Here's a
patch based on what Ubuntu does, extended to cover arm64 and i386:

--- a/grub-installer
+++ b/grub-installer
@@ -319,7 +319,7 @@ experimental_arch () {
 
 case $ARCH in
     arm64/efi)
-	grub_package="grub-efi-arm64"
+	grub_package="grub-efi-arm64-signed"
 	;;
     armhf/efi)
 	grub_package="grub-efi-arm"
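
Review bot: Missing documentation at the armhf/efi arm. arm64/efi now selects grub-efi-arm64-signed while armhf/efi directly below still selects the unsigned grub-efi-arm, and nothing in the script says the difference is intentional. If it is because there is no signed armhf package, a one-line comment above grub_package="grub-efi-arm" would keep a later reader from treating it as an oversight.
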
@@ -343,9 +343,9 @@ case $ARCH in
 		if [ -f /sys/firmware/efi/fw_platform_size ] ; then
 			SIZE=$(cat /sys/firmware/efi/fw_platform_size)
 			if [ $SIZE -eq 64 ] ; then
-				grub_package="grub-efi-amd64"
+				grub_package="grub-efi-amd64-signed"
 			elif [ $SIZE -eq 32 ] ; then
-				grub_package="grub-efi-ia32"
+				grub_package="grub-efi-ia32-signed"
 			fi
 		fi
 	fi
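
Review bot: No fallback when the signed package is unavailable. Both the 64-bit and 32-bit branches now set grub_package to a -signed name unconditionally, and the later install step is a single "apt-install $grub_package || exit_code=$?", so installing from a suite or mirror that lacks grub-efi-amd64-signed or grub-efi-ia32-signed fails outright instead of installing the unsigned package that worked before. Consider retrying with the name minus the -signed suffix and logging that the result will not boot with Secure Boot enforced.
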
@@ -464,10 +464,10 @@ db_progress INFO grub-installer/progress/step_install
 # to grub legacy, or vice-versa
 case "$grub_package" in
     grub)
-	log-output -t grub-installer $chroot $ROOT dpkg -P grub-pc-bin grub-pc grub-efi grub-efi-amd64-bin grub-efi-amd64 grub-efi-ia32-bin grub-efi-ia32
+	log-output -t grub-installer $chroot $ROOT dpkg -P grub-pc-bin grub-pc grub-efi grub-efi-amd64-bin grub-efi-amd64 grub-efi-amd64-signed grub-efi-ia32-bin grub-efi-ia32 grub-efi-ia32-signed
 	;;
     grub-pc)
-	log-output -t grub-installer $chroot $ROOT dpkg -P grub grub-legacy grub-efi grub-efi-amd64-bin grub-efi-amd64 grub-efi-ia32-bin grub-efi-ia32
+	log-output -t grub-installer $chroot $ROOT dpkg -P grub grub-legacy grub-efi grub-efi-amd64-bin grub-efi-amd64 grub-efi-amd64-signed grub-efi-ia32-bin grub-efi-ia32 grub-efi-ia32-signed
     ;;
     grub-efi*)
 	log-output -t grub-installer $chroot $ROOT dpkg -P grub grub-legacy grub-pc-bin grub-pc
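
Review bot: The purge lists in the grub) and grub-pc) arms gain the two -signed GRUB packages but not shim-signed, which the last hunk installs alongside them. If shim-signed declares a dependency on the signed GRUB package, "dpkg -P ... grub-efi-amd64-signed ..." will refuse to remove it while shim-signed is still installed; even without such a dependency, shim-signed is left behind on a system that has switched to BIOS GRUB. Adding shim-signed to both dpkg -P lines would cover both cases.
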
@@ -487,6 +487,11 @@ case "$grub_package" in
    *)
 	# Will pull in os-prober based on global setting for Recommends
 	apt-install $grub_package || exit_code=$? 
+	case $grub_package in
+	    *-signed)
+		apt-install shim-signed || true
+		;;
+	esac
 	;;
 esac
 
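Review bot: The "apt-install shim-signed || true" line in the new *-signed case discards a failed install without logging it, and it runs even when the preceding "apt-install $grub_package" has already set exit_code. On firmware that enforces Secure Boot, a signed GRUB without shim is likely to leave an installation that does not boot, with nothing in the installer log to explain why. Suggest skipping the shim step when exit_code is non-zero and, if failure is meant to be non-fatal, emitting a warning through the installer's logging instead of a bare "|| true".
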
--- END ---

Ben.

-- 
Ben Hutchings
If the facts do not conform to your theory, they must be disposed of.

Attachment: signature.asc
Description: Digital signature

