Re: Grub, UEFI Secure Boot and netboot - help!
On Mon, Jun 10, 2019 at 11:08:35AM +0200, Domenico Andreoli wrote:
>On Mon, Jun 10, 2019 at 03:37:41AM +0100, Steve McIntyre wrote:
...
>> I can see a couple of options here, but I'm not sure either of them
>> are good. Comments would be most welcome!
>>
>> 1. Update the docs to mention this - this is a new thing needed to
>> get netboot working with Buster. It's *currently* inconsistent,
>> as ia64 and armhf (as non-SB arches) are still using the old
>> prefix setting. For the sake of consistency (in docs etc.), I
>> propose to also update the d-i build for those arches to use the
>> same prefix. But I acknowledge that will break existing
>> setups. :-(
>
>These are two options:
>
> 1a. docs update (does not break anything)
> 1b. d-i build update (might break something)
>>
>> 2. Alternatively, we could tweak the netboot prefix setting as built
>> by grub. I'm worried that this may also break things for some
>> users. Do we assume (can we?) that all our grub netboot users are
>> installer users (so we could use /debian-installer/$ARCH/grub)?
>> If so, that might be a way to go. But is it a valid assumption?
>> We'd be forcing all our grub netboot binaries to only sensibly
>> work for d-i, and that worries me too.
>>
>> Any other suggestions on what we could do? Let me know what you
>> think...
>
>Is this question for Buster or Buster+x? Those solutions requiring a
>change in grub (and a new signature from M$) are not ok for Buster.

This is definitely for Buster. Changes in *Grub* are fine - we sign
that ourselves. It's updated versions of Shim that are problematic.

>For Buster I find acceptable only 1a. I prefer a sub-optimal solution
>now to an improved solution later, especially under release.
>
>For Buster+x, is it possible to make grub search multiple prefixes?

I think it would be quite a big change...
--
Steve McIntyre, Cambridge, UK. steve@einval.com
Armed with "Valor": "Centurion" represents quality of Discipline,
Honor, Integrity and Loyalty. Now you don't have to be a Caesar to
concord the digital world while feeling safe and proud.