
UEFI Secure Boot changes in d-i and live images

Hi folks,

I've just pushed changes to a few bits of d-i this weekend to make SB
work for amd64:

 * build/util/efi-image:

   We can use pre-existing (and already signed) EFI binaries instead
   of building a new monolithic image ourselves (which won't be
   signed). We'll also need to install the shim-signed binary so that
   it will be called first then can chain-load the grub binary.
   Tested and working for boot both via netinst image and network
   boot for amd64 (signed) and i386 (non-signed). The netboot mini.iso
   is also updated and will now work with SB on amd64.

   ***** This will want documentation updates. Most people won't
         notice the change, *BUT* people using netboot on amd64 will
         need to tftp-serve both shim (as bootnetx64.efi) and grub (as
         grubx64.efi) where previously they just needed grub (as

 * build/config/arm.cfg, build/config/x86.cfg :

   Trivial tweaks to match output changes in efi-image

 * debian/control:

   update build-deps to match those changes

 * grub-installer/grub-installer:

   Small changes to make sure we install shim-signed on amd64
   alongside grub-efi-arm64 and grub-efi-arm64-signed. This will make
   a new amd64 installation now work with SB out of the box.

   (If SB is disabled, shim etc. will harmlessly fall through to normal
   existing behaviour.)

   I've uploaded grub-installer too.

The effect of these changes is that the next daily and weekly debian
installer images (tomorrow) should Just Work (TM) end-to-end with UEFI
Secure Boot. The changes to efi-image also mean that our next live
image builds will do SB (for live and installation).

I'll test all these again in the next couple of days to verify that
things have pulled through as I expect, then it's time to post to
d-d-a and write a blog too. We've made great progress already. These
last changes just tie it all together for end users.


Steve McIntyre, Cambridge, UK.                                steve@einval.com
"This dress doesn't reverse." -- Alden Spiess
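
The netboot note above means a TFTP root for amd64 Secure Boot has to offer two files, shim as bootnetx64.efi and grub as grubx64.efi. The following check is an added example, not part of the original message or of d-i: it reports whether each file is present and whether its PE header carries a Certificate Table (an embedded signature). It only tests for the presence of a signature and does not validate it against any key; the function names and the sample PE bytes are constructed for illustration.

```python
import struct
from pathlib import Path

# Names the message says an amd64 Secure Boot netboot server must offer.
REQUIRED = ("bootnetx64.efi", "grubx64.efi")

def cert_table_size(data: bytes) -> int:
    """Size of the PE Certificate Table; 0 means no embedded signature."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("missing MZ header")
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        opt = pe_off + 24                  # optional header follows the COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic not in (0x20B, 0x10B):
            raise ValueError("unknown optional header magic")
        dirs = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32
        (count,) = struct.unpack_from("<I", data, dirs - 4)
        if count < 5:                      # no Certificate Table entry at all
            return 0
        _offset, size = struct.unpack_from("<II", data, dirs + 4 * 8)
        return size
    except struct.error as exc:
        raise ValueError("truncated PE header") from exc

def check_tftp_root(root) -> dict:
    """Map each required file name to missing / not-pe / unsigned / signed."""
    result = {}
    for name in REQUIRED:
        path = Path(root) / name
        if not path.is_file():
            result[name] = "missing"
            continue
        try:
            result[name] = "signed" if cert_table_size(path.read_bytes()) else "unsigned"
        except ValueError:
            result[name] = "not-pe"
    return result

def make_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for the demo, not a bootable binary."""
    dirs = bytearray(16 * 8)
    if signed:
        struct.pack_into("<II", dirs, 4 * 8, 0x400, 0x200)
    return (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
            + struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16) + bytes(dirs))
```

Call `check_tftp_root()` with the directory your TFTP daemon serves; a result of "missing" or "unsigned" for either name means a Secure Boot client will not get a complete signed shim-then-grub chain from that server.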
