
Re: Grub, UEFI Secure Boot and netboot - help!



On Mon, Jun 10, 2019 at 03:37:41AM +0100, Steve McIntyre wrote:
> Hey folks,

Hi,

> 
> We have a bit of a problem with PXE booting Grub in Buster, as shown
> in #928750:
> 
>  * On all supported arches, we *used* to generate a Grub netboot image
>    inside d-i, with a prefix setting of
>    "debian-installer/$arch/grub". The prefix is important, as it's how
>    Grub finds its config file, modules etc that it loads. Things are
>    still like this in Stretch.
> 
>  * In Buster, we can no longer do this on arches which support Secure
>    Boot. To keep the SB signature, we now re-use the existing signed
>    binaries that have come directly from the Grub build (and the
>    Debian signing infrastructure). There's just one minor problem with
>    this - this means that we're stuck with the hard-coded prefix baked
>    into the grubnetXXX.efi binary. This is currently set to "/grub",
>    and this means that to get a functional amd64 (say) PXE
>    installation working the user has to add a "/grub" symlink on their
>    TFTP server, something like:
> 
>      /grub -> /debian-installer/amd64/grub
> 
>    (assuming that /debian-installer is the root of the netboot tree).
> 
> I can see a couple of options here, but I'm not sure either of them
> are good. Comments would be most welcome!
> 
>   1. Update the docs to mention this - this is a new thing needed to
>      get netboot working with Buster. It's *currently* inconsistent,
>      as ia64 and armhf (as non-SB arches) are still using the old
>      prefix setting. For the sake of consistency (in docs etc.), I
>      propose to also update the d-i build for those arches to use the
>      same prefix. But I acknowledge that will break existing
>      setups. :-(

These are two options:

  1a. docs update (does not break anything)
  1b. d-i build update (might break something)

> 
>   2. Alternatively, we could tweak the netboot prefix setting as built
>      by grub. I'm worried that this may also break things for some
>      users. Do we assume (can we?) that all our grub netboot users are
>      installer users (so we could use /debian-installer/$ARCH/grub)?
>      If so, that might be a way to go. But is it a valid assumption?
>      We'd be forcing all our grub netboot binaries to only sensibly
>      work for d-i, and that worries me too.
> 
> Any other suggestions on what we could do? Let me know what you
> think...
> 

Is this question for Buster or Buster+x?  Those solutions requiring a
change in grub (and a new signature from M$) are not ok for Buster.

For Buster I find acceptable only 1a. I prefer a sub-optimal solution
now to an improved solution later, especially under release.

For Buster+x, is it possible to make grub search multiple prefixes?

Regards,
Domenico

-- 
3B10 0CA1 8674 ACBA B4FE  FCD2 CE5B CF17 9960 DE13
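The "/grub" symlink workaround for the signed grubnetXXX.efi prefix is easy to get subtly wrong (missing, pointing elsewhere, or absolute so it only resolves inside a chrooted TFTP daemon). The following check is an added example, not code from the thread or from d-i; it assumes the netboot tree lives at $TFTP_ROOT/debian-installer/$ARCH/grub and that GNU readlink is available.

```shell
#!/bin/sh
# Verify that a TFTP tree satisfies the "/grub" prefix baked into the
# Secure-Boot-signed grubnet binary (Buster layout from the mail above).
# Usage: check_grub_prefix TFTP_ROOT ARCH    e.g. check_grub_prefix /srv/tftp amd64
# Returns 0 when the prefix resolves to the d-i grub directory and a
# grub.cfg is present there, non-zero otherwise (reasons go to stderr).
check_grub_prefix() {
    root=$1
    arch=$2
    want="$root/debian-installer/$arch/grub"   # assumed d-i netboot layout
    link="$root/grub"                           # prefix hard-coded in grubnetXXX.efi
    rc=0

    if [ ! -d "$want" ]; then
        echo "missing netboot tree: $want" >&2
        return 1
    fi
    if [ ! -e "$link" ]; then
        echo "no $link: the signed grubnet binary will not find its config" >&2
        return 1
    fi
    # Both paths must resolve to the same directory, whether /grub is a
    # symlink, a bind mount or a plain copy.
    if [ "$(readlink -f "$link")" != "$(readlink -f "$want")" ]; then
        echo "$link does not resolve to $want" >&2
        rc=1
    fi
    # An absolute symlink target only resolves correctly when the TFTP
    # daemon chroots into $root; a relative target works in both modes.
    if [ -L "$link" ]; then
        case "$(readlink "$link")" in
            /*) echo "warning: $link has an absolute target; prefer a relative one" >&2 ;;
        esac
    fi
    # Grub loads $prefix/grub.cfg (and its modules) from under the prefix.
    if [ ! -f "$want/grub.cfg" ]; then
        echo "no grub.cfg under $want" >&2
        rc=1
    fi
    return $rc
}
```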
