Hi Steve, Steve McIntyre <steve@einval.com> (2019-01-13): > I've just pushed changes to a few bits of d-i this weekend to make SB > work for amd64: \o/ And thanks to everyone involved! > * build/util/efi-image: > > We can use pre-existing (and already signed) EFI binaries instead > of building a new monolithic image ourselves (which won't be > signed). We'll also need to install the shim-signed binary so that > it will be called first then can chain-load the grub binary. > > Tested and working for boot both via netinst image and network > boot for amd64 (signed) and i386 (non-signed). The netboot mini.iso > is also updated and will now work with SB on amd64. > > ***** This will want documentation updates. Most people won't > notice the change, *BUT* people using netboot on amd64 will > need to tftp-serve both shim (as bootnetx64.efi) and grub (as > grubx64.efi) where previously they just needed grub (as > bootnetx64.efi) I think you might want to open a bug against di-netboot-assistant so that support gets added there? > The effect of these changes is that the next daily and weekly debian > installer images (tomorrow) should Just Work (TM) end-to-end with UEFI > Secure Boot. The changes to efi-image also mean that our next live > image builds will do SB (for live and installation). > > I'll test all these again in the next couple of days to verify that > things have pulled through as I expect, then it's time to post to > d-d-a and write a blog too. We've made great progress already. These > last changes just tie it all together for end users. FWIW, just learned from lurking on various channels that packages needing a signature go through some kind of automated process but ftpmasters still need to get poked when that happens. One might see slight delays between e.g. a grub2 upload and its signed binaries appearing on buildd.d.o, e.g.: https://buildd.debian.org/status/package.php?pkg=grub-efi-amd64-signed (There's a JSON file published by dak so that the infrastructure knows about the needed builds, but a button still needs a manual push at the moment.) Cheers, -- Cyril Brulebois (kibi@debian.org) <https://debamax.com/> D-I release manager -- Release team member -- Freelance Consultant
Attachment:
signature.asc
Description: PGP signature