
Grub, UEFI Secure Boot and netboot - help!



Hey folks,

We have a bit of a problem with PXE booting Grub in Buster, as shown
in #928750:

 * On all supported arches, we *used* to generate a Grub netboot image
   inside d-i, with a prefix setting of
   "debian-installer/$arch/grub". The prefix is important, as it's how
   Grub finds its config file, modules etc. that it loads. Things are
   still like this in Stretch.

 * In Buster, we can no longer do this on arches which support Secure
   Boot. To keep the SB signature, we now re-use the existing signed
   binaries that have come directly from the Grub build (and the
   Debian signing infrastructure). There's just one minor problem with
   this - this means that we're stuck with the hard-coded prefix baked
   into the grubnetXXX.efi binary. This is currently set to "/grub",
   and this means that to get a functional amd64 (say) PXE
   installation working the user has to add a "/grub" symlink on their
   TFTP server, something like:

     /grub -> /debian-installer/amd64/grub

   (assuming that /debian-installer is the root of the netboot tree).

I can see a couple of options here, but I'm not sure either of them
is good. Comments would be most welcome!

  1. Update the docs to mention this - this is a new thing needed to
     get netboot working with Buster. It's *currently* inconsistent,
     as ia64 and armhf (as non-SB arches) are still using the old
     prefix setting. For the sake of consistency (in docs etc.), I
     propose to also update the d-i build for those arches to use the
     same prefix. But I acknowledge that will break existing
     setups. :-(

  2. Alternatively, we could tweak the netboot prefix setting as built
     by grub. I'm worried that this may also break things for some
     users. Do we assume (can we?) that all our grub netboot users are
     installer users (so we could use /debian-installer/$ARCH/grub)?
     If so, that might be a way to go. But is it a valid assumption?
     We'd be forcing all our grub netboot binaries to only sensibly
     work for d-i, and that worries me too.

Any other suggestions on what we could do? Let me know what you
think...

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"The problem with defending the purity of the English language is that
 English is about as pure as a cribhouse whore. We don't just borrow words; on
 occasion, English has pursued other languages down alleyways to beat them
 unconscious and rifle their pockets for new vocabulary."  -- James D. Nicoll
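
Added example (not part of the original message or of Debian's tooling): a small idempotent helper that creates the "/grub" link described above. The function name and the layout (a `debian-installer/` directory directly under the TFTP root) are assumptions; the link target is relative so it resolves the same way on the host filesystem and inside a chrooted TFTP daemon.

```shell
#!/bin/sh
# Added example: create the "grub" compatibility link that the signed
# grubnetXXX.efi binaries (hard-coded prefix "/grub") expect.
# Assumption: the netboot tree is unpacked as <tftp_root>/debian-installer/.
# link_grub_prefix is a hypothetical helper name.

link_grub_prefix() {
    tftp_root=$1            # directory served by the TFTP daemon
    arch=${2:-amd64}        # d-i architecture directory
    target="debian-installer/$arch/grub"   # relative on purpose
    link="$tftp_root/grub"

    # Do not create a dangling link if the netboot tree is not there.
    if [ ! -d "$tftp_root/$target" ]; then
        echo "missing netboot tree: $tftp_root/$target" >&2
        return 1
    fi

    # An existing link is left alone: correct is a no-op, anything
    # else (for example another arch) needs a human decision.
    if [ -L "$link" ]; then
        current=$(readlink "$link")
        if [ "$current" = "$target" ]; then
            return 0
        fi
        echo "refusing to replace $link -> $current" >&2
        return 2
    fi

    # A real file or directory named "grub" may hold someone's config.
    if [ -e "$link" ]; then
        echo "refusing to replace existing $link (not a symlink)" >&2
        return 3
    fi

    ln -s "$target" "$link"
}
```

Because the binary's prefix is a single fixed path, one TFTP root can only point "/grub" at one architecture's tree at a time; the helper returns 2 rather than silently switching it.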

