Package: grub-cloud
Version: 0.0.5
Severity: minor

In Bookworm's grub-cloud source package,
`debian/grub-cloud-amd64.postinst` has a comment in the
`install_x86_64_efi()` function that reads:

    # No support for shim yet, install also into removable location

To me this sounds like grub-cloud isn't able to install shim for some
reason, and that a VM that uses grub-cloud for keeping GRUB updated will
not be Secure Boot compatible. However, in my testing this doesn't seem
to be true - I can see that grub-cloud does indeed install shim by
building a VM in a chroot:

    qemu-img create -f qcow2 disk.qcow2 32G
    sudo modprobe nbd
    sudo qemu-nbd -c /dev/nbd0 ./disk.qcow2
    sudo gdisk /dev/nbd0
    # Create a 300 MiB EFI system partition, an 8 MiB bios-boot
    # partition, and allocate the rest of the disk to a typical Linux
    # filesystem partition
    sudo mkfs.fat -F32 /dev/nbd0p1
    sudo mkfs.ext4 /dev/nbd0p3
    mkdir vdisk
    sudo mount /dev/nbd0p3 ./vdisk
    sudo debootstrap bookworm ./vdisk
    sudo mkdir ./vdisk/boot/efi
    sudo mount /dev/nbd0p1 ./vdisk/boot/efi
    sudo mount --bind /dev ./vdisk/dev
    sudo mount --bind /dev/pts ./vdisk/dev/pts
    sudo mount --bind /sys ./vdisk/sys
    sudo mount --bind /proc ./vdisk/proc
    sudo chroot ./vdisk
    apt update
    mkdir -p /etc/grub.d
    touch /etc/grub.d/enable_cloud
    apt install linux-image-amd64
    apt install grub-cloud-amd64
    # make sure you see some notices about GRUB being installed during
    # the grub-cloud-amd64 installation
    ls /boot/efi/EFI/debian
    # this should show that shim is installed along with GRUB
    apt install vim
    vim /etc/fstab
    # Create fstab as follows:
    # /dev/vda3 / ext4 defaults 0 0
    # /dev/vda1 /boot/efi vfat defaults 0 0
    exit
    sudo umount ./vdisk/dev/pts
    sudo umount ./vdisk/dev
    sudo umount ./vdisk/sys
    sudo umount ./vdisk/proc
    sudo umount ./vdisk/boot/efi
    sudo umount ./vdisk
    sudo qemu-nbd -d /dev/nbd0

At this point if you import the disk image into virt-manager, setting
the firmware of the VM to OVMF_CODE_4M.ms.fd, it will boot successfully
and report that Secure Boot is enabled.

Can this comment just be dropped?
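
Added example, not part of the original report or of the grub-cloud package: a scripted version of the `ls /boot/efi/EFI/debian` check above, which also looks at the removable location the postinst comment mentions. The file names `shimx64.efi`, `grubx64.efi` and `EFI/BOOT/BOOTX64.EFI`, and the expectation that the removable loader is a byte-for-byte copy of shim, are assumptions about a Debian amd64 ESP and are not stated in the report.

```shell
#!/bin/sh
# Added example: check an ESP for the shim -> GRUB Secure Boot chain.
# Assumed names (not from the report): shimx64.efi, grubx64.efi and the
# removable-media path EFI/BOOT/BOOTX64.EFI.

# Case-insensitive lookup, since the ESP is FAT and name case may differ.
esp_find() {
    find "$1" -type f -ipath "$1/$2" 2>/dev/null | head -n 1
}

# Return codes:
#   0  shim and GRUB in EFI/debian, removable loader is a copy of shim
#   1  shim or GRUB missing from EFI/debian
#   2  no loader at the removable path
#   3  removable loader exists but is not shim (assumed to break the
#      Secure Boot chain when firmware falls back to that path)
check_esp_shim() {
    esp=${1%/}
    shim=$(esp_find "$esp" "EFI/debian/shimx64.efi")
    grub=$(esp_find "$esp" "EFI/debian/grubx64.efi")
    fallback=$(esp_find "$esp" "EFI/BOOT/BOOTX64.EFI")

    if [ -z "$shim" ] || [ -z "$grub" ]; then
        echo "FAIL: shim or GRUB missing from EFI/debian" >&2
        return 1
    fi
    if [ -z "$fallback" ]; then
        echo "WARN: no loader at removable path EFI/BOOT/BOOTX64.EFI" >&2
        return 2
    fi
    if ! cmp -s "$shim" "$fallback"; then
        echo "WARN: removable loader is not a copy of shim" >&2
        return 3
    fi
    echo "OK: shim present in EFI/debian and at the removable path"
    return 0
}

# Run against a mounted ESP when given an argument, e.g.
#   sh check_esp.sh /boot/efi        (inside the chroot)
#   sh check_esp.sh ./vdisk/boot/efi (from the host)
if [ "$#" -gt 0 ]; then
    check_esp_shim "$1"
fi
```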