
Bug#954856: marked as done (Please add option to install signed grub bootloader)



Your message dated Sat, 28 Mar 2020 22:47:33 +0000
with message-id <20200328224733.GL5285@tack.einval.com>
and subject line Re: Bug#954856: Please add option to install signed grub bootloader
has caused the Debian Bug report #954856,
regarding Please add option to install signed grub bootloader
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
954856: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954856
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: installation-reports

Boot method: PXE Network with Grub/UEFI
Image version: Debian 10.3
Date: 2020-03-20

Machine: Asus Zenbook Pro UX501J
Processor: Intel(R) Core(TM) i7-4720HQ CPU @ 2.60GHz
Memory: 16GB
Partitions:

> Dateisystem    Typ      1K-Blöcke Benutzt Verfügbar Verw% Eingehängt auf
> udev           devtmpfs   8139352       0   8139352    0% /dev
> tmpfs          tmpfs      1631284   17348   1613936    2% /run
> /dev/sda2      ext4     105628416 7667172  92552580    8% /
> tmpfs          tmpfs      8156412   12252   8144160    1% /dev/shm
> tmpfs          tmpfs         5120       4      5116    1% /run/lock
> tmpfs          tmpfs      8156412       0   8156412    0% /sys/fs/cgroup
> /dev/sda1      vfat        523248    3852    519396    1% /boot/efi
> tmpfs          tmpfs      1631280      44   1631236    1% /run/user/1000

Output of lspci -knn:

> 00:00.0 Host bridge [0600]: Intel Corporation Xeon E3-1200 v3/4th Gen Core Processor DRAM Controller [8086:0c04] (rev 06)
> 	Subsystem: ASUSTeK Computer Inc. Xeon E3-1200 v3/4th Gen Core Processor DRAM Controller [1043:18dd]
> 	Kernel modules: ie31200_edac
> 00:01.0 PCI bridge [0604]: Intel Corporation Xeon E3-1200 v3/4th Gen Core Processor PCI Express x16 Controller [8086:0c01] (rev 06)
> 	Kernel driver in use: pcieport
> 00:02.0 VGA compatible controller [0300]: Intel Corporation 4th Gen Core Processor Integrated Graphics Controller [8086:0416] (rev 06)
> 	Subsystem: ASUSTeK Computer Inc. 4th Gen Core Processor Integrated Graphics Controller [1043:18dd]
> 	Kernel driver in use: i915
> 	Kernel modules: i915
> 00:03.0 Audio device [0403]: Intel Corporation Xeon E3-1200 v3/4th Gen Core Processor HD Audio Controller [8086:0c0c] (rev 06)
> 	Subsystem: Intel Corporation Xeon E3-1200 v3/4th Gen Core Processor HD Audio Controller [8086:2010]
> 	Kernel driver in use: snd_hda_intel
> 	Kernel modules: snd_hda_intel
> 00:14.0 USB controller [0c03]: Intel Corporation 8 Series/C220 Series Chipset Family USB xHCI [8086:8c31] (rev 05)
> 	Subsystem: ASUSTeK Computer Inc. 8 Series/C220 Series Chipset Family USB xHCI [1043:18dd]
> 	Kernel driver in use: xhci_hcd
> 	Kernel modules: xhci_pci
> 00:16.0 Communication controller [0780]: Intel Corporation 8 Series/C220 Series Chipset Family MEI Controller #1 [8086:8c3a] (rev 04)
> 	Subsystem: ASUSTeK Computer Inc. 8 Series/C220 Series Chipset Family MEI Controller [1043:18dd]
> 	Kernel driver in use: mei_me
> 	Kernel modules: mei_me
> 00:1a.0 USB controller [0c03]: Intel Corporation 8 Series/C220 Series Chipset Family USB EHCI #2 [8086:8c2d] (rev 05)
> 	Subsystem: ASUSTeK Computer Inc. 8 Series/C220 Series Chipset Family USB EHCI [1043:18dd]
> 	Kernel driver in use: ehci-pci
> 	Kernel modules: ehci_pci
> 00:1b.0 Audio device [0403]: Intel Corporation 8 Series/C220 Series Chipset High Definition Audio Controller [8086:8c20] (rev 05)
> 	Subsystem: ASUSTeK Computer Inc. 8 Series/C220 Series Chipset High Definition Audio Controller [1043:18dd]
> 	Kernel driver in use: snd_hda_intel
> 	Kernel modules: snd_hda_intel
> 00:1c.0 PCI bridge [0604]: Intel Corporation 8 Series/C220 Series Chipset Family PCI Express Root Port #1 [8086:8c10] (rev d5)
> 	Kernel driver in use: pcieport
> 00:1c.2 PCI bridge [0604]: Intel Corporation 8 Series/C220 Series Chipset Family PCI Express Root Port #3 [8086:8c14] (rev d5)
> 	Kernel driver in use: pcieport
> 00:1c.3 PCI bridge [0604]: Intel Corporation 8 Series/C220 Series Chipset Family PCI Express Root Port #4 [8086:8c16] (rev d5)
> 	Kernel driver in use: pcieport
> 00:1d.0 USB controller [0c03]: Intel Corporation 8 Series/C220 Series Chipset Family USB EHCI #1 [8086:8c26] (rev 05)
> 	Subsystem: ASUSTeK Computer Inc. 8 Series/C220 Series Chipset Family USB EHCI [1043:18dd]
> 	Kernel driver in use: ehci-pci
> 	Kernel modules: ehci_pci
> 00:1f.0 ISA bridge [0601]: Intel Corporation HM87 Express LPC Controller [8086:8c4b] (rev 05)
> 	Subsystem: ASUSTeK Computer Inc. HM87 Express LPC Controller [1043:18dd]
> 	Kernel driver in use: lpc_ich
> 	Kernel modules: lpc_ich
> 00:1f.2 SATA controller [0106]: Intel Corporation 8 Series/C220 Series Chipset Family 6-port SATA Controller 1 [AHCI mode] [8086:8c03] (rev 05)
> 	Subsystem: ASUSTeK Computer Inc. 8 Series/C220 Series Chipset Family 6-port SATA Controller 1 [AHCI mode] [1043:18dd]
> 	Kernel driver in use: ahci
> 	Kernel modules: ahci
> 00:1f.3 SMBus [0c05]: Intel Corporation 8 Series/C220 Series Chipset Family SMBus Controller [8086:8c22] (rev 05)
> 	Subsystem: ASUSTeK Computer Inc. 8 Series/C220 Series Chipset Family SMBus Controller [1043:18dd]
> 	Kernel driver in use: i801_smbus
> 	Kernel modules: i2c_i801
> 01:00.0 3D controller [0302]: NVIDIA Corporation GM107M [GeForce GTX 960M] [10de:139b] (rev a2)
> 	Subsystem: ASUSTeK Computer Inc. GM107M [GeForce GTX 960M] [1043:18dd]
> 	Kernel driver in use: nouveau
> 	Kernel modules: nouveau
> 3b:00.0 Network controller [0280]: Intel Corporation Wireless 7260 [8086:08b1] (rev bb)
> 	Subsystem: Intel Corporation Dual Band Wireless-AC 7260 [8086:4170]
> 	Kernel driver in use: iwlwifi
> 	Kernel modules: iwlwifi
> 3c:00.0 Unassigned class [ff00]: Realtek Semiconductor Co., Ltd. RTS5227 PCI Express Card Reader [10ec:5227] (rev 01)
> 	Subsystem: ASUSTeK Computer Inc. RTS5227 PCI Express Card Reader [1043:18dd]
> 	Kernel driver in use: rtsx_pci
> 	Kernel modules: rtsx_pci

Base System Installation Checklist:
[O] = OK, [E] = Error (please elaborate below), [ ] = didn't try it

Initial boot:           [O]
Detect network card:    [O]
Configure network:      [O]
Detect media:           [O]
Load installer modules: [O]
Detect hard drives:     [O]
Partition hard drives:  [O]
Install base system:    [O]
Clock/timezone setup:   [O]
User/password setup:    [O]
Install tasks:          [O]
Install boot loader:    [O]
Overall install:        [O]

Comments/Problems:

After installation in UEFI mode, everything works fine.
No problems detected.

One wish regarding GRUB Bootloader:

Here is my preseed file for installing GRUB:

> # ==============
> # GRUB-Installer
> # ==============
> 
> # Bootloader
> d-i grub-installer/only_debian   boolean true
> d-i grub-installer/with_other_os boolean true
> 
> # Install GRUB Bootloader to /dev/sda
> d-i grub-installer/bootdev string /dev/sda

If possible, please add an option for the preseed file to decide whether to install the signed or unsigned GRUB installer.
This is for Secure Boot.

Currently, the signed GRUB Bootloader is not installed on my system, because the recommended packages are not installed:
> d-i base-installer/install-recommends boolean false

Thank you for the great work.

Best regards
Bernhard



--- End Message ---
--- Begin Message ---
On Sat, Mar 28, 2020 at 10:50:18PM +0100, Cyril Brulebois wrote:
>
>Oh, we do install grub-efi-amd64 which Depends: grub-efi-amd64-bin which
>itself Recommends: grub-efi-amd64-signed.
>
>So either stop disabling Recommends (you're working against the default
>setting, you're supposed to be dealing with the consequences on your
>own), or additionally install grub-efi-amd64-signed through appropriate
>parameters in your preseed file.
>
>This seems to me like a not-a-bug situation.

ACK. Sorry, I've not been following this until now.

Agreed 100%. For the default case this works just fine. We don't want
to *force* all users to install the signed versions of packages, hence
we use Recommends: here. In this case, people deciding to go against
defaults and *not* install Recommends during installation get to do
extra work to make up for that. There are plenty of other places in
Debian where that's true as well.

>Leaving this open for other members of the installer team to comment,
>but as far as I can tell, this bug report could likely be closed right
>away.

Agreed, and done. Sorry Bernhard.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"This dress doesn't reverse." -- Alden Spiess

--- End Message ---
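
Added example, not part of the original thread or of any Debian tool: a small preseed check for the situation discussed above, where Recommends are disabled and grub-efi-amd64-signed is therefore not pulled in. It assumes the "appropriate parameters" are the standard `pkgsel/include` question; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Print the last value given for a d-i question in a preseed file.
preseed_value() {  # $1 = preseed file, $2 = question name
    awk -v q="$2" '
        $1 == "d-i" && $2 == q {
            val = ""
            for (i = 4; i <= NF; i++) val = val (i > 4 ? " " : "") $i
        }
        END { print val }' "$1"
}

# Print a status word; return 0 if the preseed leads to the signed GRUB
# being installed, following the dependency chain described in the thread.
signed_grub_status() {  # $1 = preseed file
    recommends=$(preseed_value "$1" base-installer/install-recommends)
    include=$(preseed_value "$1" pkgsel/include)
    # Recommends are installed by default, so only an explicit "false" matters.
    if [ "$recommends" != "false" ]; then
        echo "ok-recommends"; return 0
    fi
    # Recommends disabled: the package must be requested explicitly.
    for pkg in $include; do
        if [ "$pkg" = "grub-efi-amd64-signed" ]; then
            echo "ok-explicit"; return 0
        fi
    done
    echo "missing"; return 1
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sample: the reporter's settings quoted in this thread.
cat > "$tmp/reported.cfg" <<'EOF'
d-i base-installer/install-recommends boolean false
d-i grub-installer/only_debian   boolean true
d-i grub-installer/with_other_os boolean true
d-i grub-installer/bootdev string /dev/sda
EOF

# Constructed sample: the same settings plus the explicit package request.
{ cat "$tmp/reported.cfg"
  echo 'd-i pkgsel/include string grub-efi-amd64-signed'; } > "$tmp/fixed.cfg"

for f in "$tmp/reported.cfg" "$tmp/fixed.cfg"; do
    printf '%s: %s\n' "${f##*/}" "$(signed_grub_status "$f")"
done
```
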
