
Re: UEFI Secure Boot changes in d-i and live images



Hi Steve,

Steve McIntyre <steve@einval.com> (2019-01-13):
> I've just pushed changes to a few bits of d-i this weekend to make SB
> work for amd64:

\o/

And thanks to everyone involved!

>  * build/util/efi-image:
> 
>    We can use pre-existing (and already signed) EFI binaries instead
>    of building a new monolithic image ourselves (which won't be
>    signed). We'll also need to install the shim-signed binary so that
>    it will be called first then can chain-load the grub binary.
>     
>    Tested and working for boot both via netinst image and network
>    boot for amd64 (signed) and i386 (non-signed). The netboot mini.iso
>    is also updated and will now work with SB on amd64.
> 
>    ***** This will want documentation updates. Most people won't
>          notice the change, *BUT* people using netboot on amd64 will
>          need to tftp-serve both shim (as bootnetx64.efi) and grub (as
>          grubx64.efi) where previously they just needed grub (as
>          bootnetx64.efi)

I think you might want to open a bug against di-netboot-assistant so
that support gets added there?

> The effect of these changes is that the next daily and weekly debian
> installer images (tomorrow) should Just Work (TM) end-to-end with UEFI
> Secure Boot. The changes to efi-image also mean that our next live
> image builds will do SB (for live and installation).
> 
> I'll test all these again in the next couple of days to verify that
> things have pulled through as I expect, then it's time to post to
> d-d-a and write a blog too. We've made great progress already. These
> last changes just tie it all together for end users.

FWIW, just learned from lurking on various channels that packages
needing a signature go through some kind of automated process but
ftpmasters still need to get poked when that happens. One might
see slight delays between e.g. a grub2 upload and its signed binaries
appearing on buildd.d.o, e.g.:

  https://buildd.debian.org/status/package.php?pkg=grub-efi-amd64-signed

(There's a JSON file published by dak so that the infrastructure
knows about the needed builds, but a button still needs a manual push
at the moment.)


Cheers,
-- 
Cyril Brulebois (kibi@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
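The netboot note Steve quotes above (serve both shim as bootnetx64.efi and grub as grubx64.efi) is the sort of thing that silently breaks when only one file is copied, or when an unsigned locally-built grub ends up in the TFTP root. The following is an added example, not code from this thread or from d-i: it walks the PE/COFF headers of the two files and reports whether each carries an Authenticode certificate table, which is a necessary (not sufficient) condition for Secure Boot to accept it. It assumes the two filenames from the thread, does no signature verification (sbverify against the expected certificate does that), and the sample images it builds are constructed stand-ins, not real bootloaders.

```python
"""Sanity check for the two EFI binaries a Secure Boot netboot setup serves over TFTP.

Added example (not code from the debian-boot thread): parses the PE/COFF headers of
bootnetx64.efi (shim) and grubx64.efi (grub) and reports whether each carries an
Authenticode certificate table. Presence of that table is necessary for Secure Boot
to accept the binary; it is not a signature verification.
"""
import os
import struct
from typing import Dict, List, Optional, Tuple

# Data directory slot 4 is IMAGE_DIRECTORY_ENTRY_SECURITY; its "VirtualAddress"
# field is a raw file offset, unlike the other directories.
SECURITY_DIR_INDEX = 4
REQUIRED_FILES = ("bootnetx64.efi", "grubx64.efi")  # names from the thread


def security_directory(pe: bytes) -> Optional[Tuple[int, int]]:
    """Return (file_offset, size) of the certificate table, or None if absent."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    opt_size = struct.unpack_from("<HHIIIHH", pe, coff)[5]  # SizeOfOptionalHeader
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x20B:        # PE32+ (amd64 EFI binaries)
        nrva_off, dd_off = 108, 112
    elif magic == 0x10B:      # PE32 (ia32 EFI binaries)
        nrva_off, dd_off = 92, 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    nrva = struct.unpack_from("<I", pe, opt + nrva_off)[0]
    if nrva <= SECURITY_DIR_INDEX or dd_off + 8 * (SECURITY_DIR_INDEX + 1) > opt_size:
        return None
    off, size = struct.unpack_from("<II", pe, opt + dd_off + 8 * SECURITY_DIR_INDEX)
    if size == 0:
        return None
    if off + size > len(pe):
        raise ValueError("certificate table points outside the file")
    return off, size


def is_signed(pe: bytes) -> bool:
    """True if the image carries a WIN_CERTIFICATE of type PKCS_SIGNED_DATA."""
    entry = security_directory(pe)
    if entry is None:
        return False
    off, size = entry
    if size < 8:
        return False
    length, revision, cert_type = struct.unpack_from("<IHH", pe, off)
    return length <= size and revision == 0x0200 and cert_type == 0x0002


def audit_netboot_files(files: Dict[str, bytes]) -> List[str]:
    """Report problems with a {filename: contents} view of the TFTP root."""
    problems = []
    for name in REQUIRED_FILES:
        if name not in files:
            problems.append(f"{name}: missing (both shim and grub must be served)")
            continue
        try:
            if not is_signed(files[name]):
                problems.append(f"{name}: no Authenticode signature, Secure Boot will reject it")
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
    return problems


def audit_netboot_dir(path: str) -> List[str]:
    """Same check against a real TFTP root directory."""
    files = {}
    for name in REQUIRED_FILES:
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                files[name] = fh.read()
    return audit_netboot_files(files)


def build_sample_pe(cert_payload: Optional[bytes]) -> bytes:
    """Constructed minimal PE32+ image for demonstration; not a real bootloader."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    opt_size = 112 + 16 * 8                            # PE32+ header + 16 directories
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)              # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)               # NumberOfRvaAndSizes
    header_len = len(dos) + 4 + len(coff) + opt_size
    cert = b""
    if cert_payload is not None:
        # WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=PKCS_SIGNED_DATA
        cert = struct.pack("<IHH", 8 + len(cert_payload), 0x0200, 0x0002) + cert_payload
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX, header_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    # Constructed sample: a "shim" with a certificate table and a "grub" without one.
    sample = {"bootnetx64.efi": build_sample_pe(b"constructed-not-a-real-signature"),
              "grubx64.efi": build_sample_pe(None)}
    for line in audit_netboot_files(sample) or ["ok"]:
        print(line)
```

Point `audit_netboot_dir()` at the TFTP root to check a real deployment; a clean result only means both files are present and carry a certificate table, so pair it with sbverify (or a hash comparison against the shim-signed and grub-efi-amd64-signed packages) before trusting the setup.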
