Grub, UEFI Secure Boot and netboot - help!
Hey folks,
We have a bit of a problem with PXE booting Grub in Buster, as shown
in #928750:
* On all supported arches, we *used* to generate a Grub netboot image
inside d-i, with a prefix setting of
"debian-installer/$arch/grub". The prefix is important, as it's how
Grub finds its config file, modules etc that it loads. Things are
still like this in Stretch.
* In Buster, we can no longer do this on arches which support Secure
Boot. To keep the SB signature, we now re-use the existing signed
binaries that have come directly from the Grub build (and the
Debian signing infrastructure). There's just one minor problem with
this - this means that we're stuck with the hard-coded prefix baked
into the grubnetXXX.efi binary. This is currently set to "/grub",
and this means that to get a functional amd64 (say) PXE
installation working the user has to add a "/grub" symlink on their
TFTP server, something like:
/grub -> /debian-installer/amd64/grub
(assuming that /debian-installer is the root of the netboot tree).
I can see a couple of options here, but I'm not sure either of them
are good. Comments would be most welcome!
1. Update the docs to mention this - this is a new thing needed to
get netboot working with Buster. It's *currently* inconsistent,
as ia64 and armhf (as non-SB arches) are still using the old
prefix setting. For the sake of consistency (in docs etc.), I
propose to also update the d-i build for those arches to use the
same prefix. But I acknowledge that will break existing
setups. :-(
2. Alternatively, we could tweak the netboot prefix setting as built
by grub. I'm worried that this may also break things for some
users. Do we assume (can we?) that all our grub netboot users are
installer users (so we could use /debian-installer/$ARCH/grub)?
If so, that might be a way to go. But is it a valid assumption?
We'd be forcing all our grub netboot binaries to only sensibly
work for d-i, and that worries me too.
Any other suggestions on what we could do? Let me know what you
think...
--
Steve McIntyre, Cambridge, UK. steve@einval.com
"The problem with defending the purity of the English language is that
English is about as pure as a cribhouse whore. We don't just borrow words; on
occasion, English has pursued other languages down alleyways to beat them
unconscious and rifle their pockets for new vocabulary." -- James D. Nicoll
Reply to: