Hi folks,

I've just pushed changes to a few bits of d-i this weekend to make SB work for amd64:

 * build/util/efi-image:

   We can use pre-existing (and already signed) EFI binaries instead of building a new monolithic image ourselves (which won't be signed). We'll also need to install the shim-signed binary so that it will be called first then can chain-load the grub binary. Tested and working for boot both via netinst image and network boot for amd64 (signed) and i386 (non-signed). The netboot mini.iso is also updated and will now work with SB on amd64.

   ***** This will want documentation updates. Most people won't notice the change, *BUT* people using netboot on amd64 will need to tftp-serve both shim (as bootnetx64.efi) and grub (as grubx64.efi) where previously they just needed grub (as bootnetx64.efi)

 * build/config/arm.cfg, build/config/x86.cfg:

   Trivial tweaks to match output changes in efi-image

 * debian/control:

   update build-deps to match those changes

 * grub-installer/grub-installer:

   Small changes to make sure we install shim-signed on amd64 alongside grub-efi-arm64 and grub-efi-arm64-signed. This will make a new amd64 installation now work with SB out of the box. (If SB is disabled, shim etc. will harmlessly fall through to normal existing behaviour.)

I've uploaded grub-installer too.

The effect of these changes is that the next daily and weekly debian installer images (tomorrow) should Just Work (TM) end-to-end with UEFI Secure Boot. The changes to efi-image also mean that our next live image builds will do SB (for live and installation).

I'll test all these again in the next couple of days to verify that things have pulled through as I expect, then it's time to post to d-d-a and write a blog too.

We've made great progress already. These last changes just tie it all together for end users. \o/

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"This dress doesn't reverse." -- Alden Spiess
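Added example, not part of the original message and not d-i code: a check for the netboot layout described above, confirming that a TFTP root serves both bootnetx64.efi and grubx64.efi and that each carries an embedded PE certificate table. The function names and the sample_pe helper are hypothetical, and a certificate table being present only shows that a signature is embedded, not that firmware or shim will accept it.

```python
import struct
from pathlib import Path

# Names from the post: shim is served as bootnetx64.efi, grub as grubx64.efi.
REQUIRED = ("bootnetx64.efi", "grubx64.efi")

def cert_table(data: bytes):
    """Return (file_offset, size) of the PE certificate table, or None if not PE."""
    try:
        if data[:2] != b"MZ":
            return None
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            return None
        opt = pe_off + 24  # optional header: after 4-byte signature + 20-byte COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]  # data directories, PE32 / PE32+
        (count,) = struct.unpack_from("<I", data, dirs - 4)
        # Data directory entry 4 is the certificate (security) table.
        return struct.unpack_from("<II", data, dirs + 32) if count > 4 else (0, 0)
    except (struct.error, KeyError):
        return None

def has_signature(data: bytes) -> bool:
    """Certificate table present and inside the file; the signature is NOT validated."""
    entry = cert_table(data)
    return bool(entry) and entry[1] > 0 and entry[0] + entry[1] <= len(data)

def check_tftp_root(root) -> dict:
    """Map each required file name to 'missing', 'no-signature' or 'has-signature'."""
    status = {}
    for name in REQUIRED:
        path = Path(root) / name
        if not path.is_file():
            status[name] = "missing"
        else:
            signed = has_signature(path.read_bytes())
            status[name] = "has-signature" if signed else "no-signature"
    return status

def sample_pe(signed: bool) -> bytes:
    """Constructed PE32+ header for demonstration only, not a bootable binary."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)         # e_lfanew -> PE header at 0x80
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x80 + 24, 0x20B)   # PE32+ magic
    struct.pack_into("<I", buf, 0x80 + 24 + 108, 16)  # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", buf, 0x80 + 24 + 112 + 32, 0x1C0, 0x40)
    return bytes(buf)
```

A TFTP root still in the old layout, with only bootnetx64.efi present, reports grubx64.efi as missing.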