Re: Grub, UEFI Secure Boot and netboot - help!

To: Domenico Andreoli <cavok@debian.org>
Cc: debian-efi@lists.debian.org, debian-ia64@lists.debian.org, debian-boot@lists.debian.org
Subject: Re: Grub, UEFI Secure Boot and netboot - help!
From: Steve McIntyre <steve@einval.com>
Date: Mon, 10 Jun 2019 15:56:10 +0100
Message-id: <[🔎] 20190610145610.GE6907@tack.einval.com>
In-reply-to: <[🔎] 20190610090835.GA6108@nouveau>
References: <[🔎] 20190610023741.GD6907@tack.einval.com> <[🔎] 20190610090835.GA6108@nouveau>

On Mon, Jun 10, 2019 at 11:08:35AM +0200, Domenico Andreoli wrote:
>On Mon, Jun 10, 2019 at 03:37:41AM +0100, Steve McIntyre wrote:

...

>> I can see a couple of options here, but I'm not sure either of them
>> are good. Comments would be most welcome!
>> 
>>   1. Update the docs to mention this - this is a new thing needed to
>>      get netboot working with Buster. It's *currently* inconsistent,
>>      as ia64 and armhf (as non-SB arches) are still using the old
>>      prefix setting. For the sake of consistency (in docs etc.), I
>>      propose to also update the d-i build for those arches to use the
>>      same prefix. But I acknowledge that will break existing
>>      setups. :-(
>
>These are two options:
>
>  1a. docs update (does not break anything)
>  1b. d-i build update (might break something)
>> 
>>   2. Alternatively, we could tweak the netboot prefix setting as built
>>      by grub. I'm worried that this may also break things for some
>>      users. Do we assume (can we?) that all our grub netboot users are
>>      installer users (so we could use /debian-installer/$ARCH/grub)?
>>      If so, that might be a way to go. But is it a valid assumption?
>>      We'd be forcing all our grub netboot binaries to only sensibly
>>      work for d-i, and that worries me too.
>> 
>> Any other suggestions on what we could do? Let me know what you
>> think...
>
>Is this question for Buster or Buster+x?  Those solutions requiring a
>change in grub (and a new signature from M$) are not be ok for Buster.

This is definitely for Buster. Changes in *Grub* are fine - we sign
that ourselves. It's updated versions of Shim that are problematic.

>For Buster I find acceptable only 1a. I prefer a sub-optimal solution
>now to an improved solution later, especially under release.
>
>For Buster+x, is it possible to make grub search multiple prefixes?

I think it would be quite a big change...

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
  Armed with "Valor": "Centurion" represents quality of Discipline,
  Honor, Integrity and Loyalty. Now you don't have to be a Caesar to
  concord the digital world while feeling safe and proud.

Reply to:

References:
- Grub, UEFI Secure Boot and netboot - help!
  - From: Steve McIntyre <steve@einval.com>
- Re: Grub, UEFI Secure Boot and netboot - help!
  - From: Domenico Andreoli <cavok@debian.org>

Prev by Date: Re: Grub, UEFI Secure Boot and netboot - help!
Next by Date: Re: Grub, UEFI Secure Boot and netboot - help!
Previous by thread: Re: Grub, UEFI Secure Boot and netboot - help!
Next by thread: Re: Grub, UEFI Secure Boot and netboot - help!
Index(es):
- Date
- Thread