
Bug#821055: Bug#821088: Secure Boot support in live-wrapper



On Fri, 2018-08-03 at 18:12 +0300, Lars Wirzenius wrote:
> On Fri, 2018-08-03 at 23:03 +0800, Ben Hutchings wrote:
> > On Fri, 2018-08-03 at 17:50 +0300, Lars Wirzenius wrote:
> > > On Fri, 2018-08-03 at 21:56 +0800, Ben Hutchings wrote:
> > > > Since vmdebootstrap is no longer developed, bug #821088 will not be
> > > > fixed there, but perhaps Secure Boot will be supportable using vmdb2.
> > > > 
> > > > If vmdb2 allows its users to specify which package(s) to install as
> > > > boot loaders, then I don't think it needs to do anything specific to
> > > > support Secure Boot.
> > > > 
> > > > If vmdb2 has specific logic for installing grub2, #821088 should be
> > > > reassigned to vmdb2.
> > > 
> > > I'm afraid I have no idea what's needed, if anything, for vmdb2 to support
> > > Secure Boot.
> > 
> > As I understand it, you would need to install grub-efi-$ARCH-signed and
> > shim-signed, instead of grub-efi-$ARCH.
> 
> That would be easy enough to do. I'm thinking the uefi could gain a third
> flavor (currently "bios" and "uefi"): "uefi-secure-boot". The difference
> with the "uefi" flavour would be the packages installed. That would be an easy
> patch to make (but I have no idea how I'd test it).

You can use QEMU and OVMF as a Secure Boot test system:
https://www.decadent.org.uk/ben/blog/experiments-with-signed-kernels-and-modules-in-debian.html
I'm not sure where you should get the Microsoft CA certificate from
though.

grub-efi-amd64-signed is *not* yet in the archive, though shim-signed
is.

Ben.

-- 
Ben Hutchings
For every complex problem
there is a solution that is simple, neat, and wrong.
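One way to act on the package swap discussed above and on the "how would I test it" question, as an added shell example that is not from the thread or from vmdb2: it maps each flavour (including the proposed "uefi-secure-boot" one) to the packages its apt step should install, and checks a built image's mounted ESP for the shim/grub pair a Secure Boot firmware expects. The EFI/debian/ paths, the grub-pc mapping for "bios", and the use of sbverify from sbsigntool are assumptions, not stated in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or vmdb2). The "uefi-secure-boot"
# flavour name is the thread's proposal; the EFI/debian/ paths are what
# Debian's grub-install lays down on amd64 (assumption).
set -eu

# Map a boot flavour to the packages its apt step should install.
# "uefi-secure-boot" swaps grub-efi-amd64 for the signed pair; the unsigned
# grub-efi-amd64 must not be pulled in, or Secure Boot firmware rejects it.
packages_for_flavour() {
    case "$1" in
        bios)             echo "grub-pc" ;;
        uefi)             echo "grub-efi-amd64" ;;
        uefi-secure-boot) echo "shim-signed grub-efi-amd64-signed" ;;
        *) echo "unknown flavour: $1" >&2; return 1 ;;
    esac
}

# Check that a mounted ESP (e.g. /mnt/boot/efi) carries a non-empty shim and
# grub binary. Returns 1 and names what is missing, so a build can fail early
# instead of producing an image that only boots with Secure Boot disabled.
check_secure_boot_esp() {
    esp="$1"
    missing=""
    for f in EFI/debian/shimx64.efi EFI/debian/grubx64.efi; do
        [ -s "$esp/$f" ] || missing="$missing $f"
    done
    if [ -n "$missing" ]; then
        echo "ESP $esp is missing:$missing" >&2
        return 1
    fi
    return 0
}

# Deeper check (assumes sbsigntool is installed): list the Authenticode
# signers on each binary so you can confirm shim carries the Microsoft UEFI CA
# signature and grub carries the distribution's, before trying it under OVMF.
list_esp_signatures() {
    esp="$1"
    for f in EFI/debian/shimx64.efi EFI/debian/grubx64.efi; do
        echo "== $f"
        sbverify --list "$esp/$f" || return 1
    done
}
```

Run check_secure_boot_esp against the image's mounted ESP after the apt and grub steps; list_esp_signatures is for an interactive look before booting the image in QEMU/OVMF.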
