Debian Signed shim and grub images source code request
I am working on adding what I call multi vendor Secure Boot to Super
Grub2 Disk.
1) Super Grub2 Disk ( https://www.supergrubdisk.org/super-grub2-disk/ )
is basically a Grub Disk that can boot on its own with a bunch of grub
scripts, which makes it easier for its users to be able to boot into your
system even if you have messed up your Grub installation or even if you
don't have a proper grub.cfg file.
2) Multi vendor Secure Boot means choosing the distribution/vendor of
your choice and then being able to boot your installed GNU/Linux
distribution.
This means that I am going to fetch signed shim and grub images from
Debian, Ubuntu, Fedora and many more distributions so that I can boot
into the Debian one and then switch to the other ones.
That way my final users won't need to turn off their Secure Boot in
order to be able to boot Super Grub2 Disk (which is currently not
signed by anyone).
As I understand it, the boot process is:
EFI Firmware -> Signed Shim -> Signed Grub -> Signed Kernel -> Userspace
3) So, my 'Secure Boot Super Grub2 Disk' images would have some binaries.
And I need to provide its associated source code if I want to comply
with their open source licenses.
As I am very familiar with Debian the default 'Secure Boot shim+grub'
that will power Super Grub2 Disk would be the Debian one.
4) So... my question is...
How do I get the source code for:
- The Debian Secure Boot signed shim binary
- The Debian Secure Boot signed grub binary
?
5) The answer might be quite straight-forward from the Debian
perspective but I don't think it's that way.
You might ask me to just download the deb-source packages that build:
gcdia32.efi.signed
gcdx64.efi.signed
shimia32.efi.signed
shimx64.efi.signed
or
grubx64.efi
shimx64.efi
(Sorry, I don't remember how these binary files are named inside the
packages.)
Well, that's not right, is it?
Shouldn't I have every software involved on this build?
Shouldn't I have every software that I need to install in an empty
machine to make this build?
Please also notice that Super Grub2 Disk is not a GNU/Linux distribution
(it has no Linux kernel, just a GNU/GRUB kernel).
What I mean is that I would probably need the source code for a basic
distribution where this could be built too.
Maybe I could craft a live-build Debian Live just for this.
6)
live-build is software for building Debian Live CDs.
live-build has an option for creating a huge tar.gz file that includes
all of the (source packages / source code) associated with all of the
binary packages that you have in your live CD.
7)
So, yeah, you might invite me to use the Debian source packages that generate
these specific Debian binary packages:
shim-signed
grub-efi-amd64-signed
.
In addition to this I think I need the source code of the tools that you
use for:
- Creating your CA
- Creating a CSR so that Microsoft signs your certificate
- Sign shim with your CA (or maybe this is signed by Microsoft itself).
- Sign grub with your CA
.
I mean, all of these tools that to some extent contribute to the signed
shim and grub binaries.
I am not convinced that all of those tools are integrated in the Debian
source code packages as would happen in a normal build.
I guess that an external tool signs some binaries, it's not the Debian
source code package calling the external tool to sign them.
I mean, yeah, just wild guessing here.
8)
My final goal is to download a single tar.gz file for the shim binary
'source code' and a single tar.gz for the grub binary 'source code'.
I know that the distributions won't make those tar.gz files, so the idea is to
program a script to generate those.
The problem is... What do I put inside of those tar.gz files?
Would you please shed some light on this?
Thank you very much!
adrian15