On Thu, 2019-02-14 at 18:35 +0000, Luca Boccassi wrote: > On Thu, 2019-02-14 at 17:18 +0100, Matthijs Kooijman wrote: > > Hey Luca, > > > > > At a quick glance it all sounds good to me, although I can't say > > > I > > > have > > > a lot of experience with syslinux. > > > > Ok. > > > > > For feature parity, I'd encourage to look into supporting Secure > > > Boot > > > like the grub-efi implementation does, since we are preparing to > > > ship > > > that in Debian 10. It's not much extra work on top of adding the > > > rest > > > anyway. > > > > Can you elaborate a bit on how grub-efi supports Secure Boot > > exactly? > > I > > can't really find anything about this in the code? > > > > Looking at build/scripts/binary_grub-efi and build/scripts/efi- > > image, > > I > > see that a new efi firmware binary is built using grub-mkimage, so > > I > > suppose that that image is not already signed, and there is nothing > > suggesting that image is be signed at that time. Looking at > > binary_iso > > there is also no reference to signing or secure boot. > > > > AFAIU, to support secure boot, you need to sign the bootloader, > > typically using a key from MS. I've read about the Shim bootloader, > > which is signed and typically used to then load grub or other > > bootloaders (signed by the Debian key or other keys included in > > Shim). > > However, I can see no reference to shim either. > > > > Looking at the grub package more closely, I *think* that it > > installs > > shim > > alongside grub when using grub-install, but that is not used here? > > > > Regardless, how would you suggest we "support Secure Boot" with > > syslinux-efi exactly? AFAICT there is no syslinux-efi image > > available > > signed with the MS key, and I suspect it is not signed with the > > Debian > > key or any other key used by shim (also, since syslinux does not > > seem > > to > > support key verification on kernels, I guess there is no secure way > > to > > get syslinux booting under secure boot without compromising secure > > boot, > > but I might be missing an important point about SB here...). > > So for the secure boot case in binary_grub-efi, what we do is that if > the signed monolithic EFI binaries are available we copy those > instead > of building a new image. As you correctly mentioned these have to be > signed already, so we can't do that when building the image, but they > are already available in the Debian archive as packages. > > Here we check if they are available: > > https://salsa.debian.org/live-team/live-build/blob/master/scripts/bui > ld/binary_grub-efi#L79 > > Here we copy the binaries in the right places: > > https://salsa.debian.org/live-team/live-build/blob/master/scripts/bui > ld/binary_grub-efi#L164 Ah silly me, I forgot something simple but quite fundamental: the point of syslinux is to avoid using grub entirely. Then disregard anything I've said. D'oh! -- Kind regards, Luca Boccassi
Attachment:
signature.asc
Description: This is a digitally signed message part