--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: live builds will need UEFI Secure Boot changes
- From: Steve McIntyre <steve@einval.com>
- Date: Fri, 15 Apr 2016 01:08:57 +0100
- Message-id: <20160415000857.GD28583@einval.com>
Package: live-wrapper
Severity: important
Control: block 820036 with -1
When we get live builds going again with UEFI support, we'll need to
add support for Secure Boot too. This is a tracking bug - modify and
update as appropriate.
--
Steve McIntyre, Cambridge, UK. steve@einval.com
"Every time you use Tcl, God kills a kitten." -- Malcolm Ray
--- End Message ---
--- Begin Message ---
- To: Ben Hutchings <ben@decadent.org.uk>, 821055-done@bugs.debian.org
- Cc: 821088@bugs.debian.org
- Subject: Re: Bug#821055: Bug#821088: Secure Boot support in live-wrapper
- From: Steve McIntyre <steve@einval.com>
- Date: Wed, 19 Jun 2019 11:54:26 +0100
- Message-id: <20190619105426.GB3959@tack.einval.com>
- In-reply-to: <bd2f0edf6fd95122172c0e3747b76d3e8ed8aa27.camel@decadent.org.uk>
- References: <20160415101742.GA10158@einval.com> <21b0d51b29abebb867cec8ea4c2b6b8ef104876a.camel@decadent.org.uk> <3f332559e7c99981fd194712b73c8fc347480d21.camel@liw.fi> <f92d4bc4438c4eae5270e6240135ac45b83e8463.camel@decadent.org.uk> <f49885e59e1286ef4ac59fa6573d4ec3c3caefbd.camel@liw.fi> <20160415000857.GD28583@einval.com> <bd2f0edf6fd95122172c0e3747b76d3e8ed8aa27.camel@decadent.org.uk>
Closing old bug - our live media builds have working SB support.
I found that the UEFI setup we're using is all driven by live-wrapper
rather than the code in vmdebootstrap, which made life much easier.
As vmdebootstrap is basically moribund, probably worth closing 821088
too?
On Fri, Aug 03, 2018 at 11:32:16PM +0800, Ben Hutchings wrote:
>On Fri, 2018-08-03 at 18:12 +0300, Lars Wirzenius wrote:
>> On Fri, 2018-08-03 at 23:03 +0800, Ben Hutchings wrote:
>> > On Fri, 2018-08-03 at 17:50 +0300, Lars Wirzenius wrote:
>> > > On Fri, 2018-08-03 at 21:56 +0800, Ben Hutchings wrote:
>> > > > Since vmdebootstrap is no longer developed, bug #821088 will not be
>> > > > fixed there, but perhaps Secure Boot will be supportable using vmdb2.
>> > > >
>> > > > If vmdb2 allows its users to specify which package(s) to install as
>> > > > boot loaders, then I don't think it needs to do anything specific to
>> > > > support Secure Boot.
>> > > >
>> > > > If vmdb2 has specific logic for installing grub2, #821088 should be
>> > > > reassigned to vmdb2.
>> > >
>> > > I'm afraid I have no idea what's needed, if anything, for vmdb2 to support
>> > > Secure Boot.
>> >
>> > As I understand it, you would need to install grub-efi-$ARCH-signed and
>> > shim-signed, instead of grub-efi-$ARCH.
>>
>> That would be easy enough to do. I'm thinking the uefi could gain a third
>> flavor (currently "bios" and "uefi"): "uefi-secure-boot". The difference
>> from the "uefi" flavour would be the packages installed. That would be an easy
>> patch to make (but I have no idea how I'd test it).
>
>You can use QEMU and OVMF as a Secure Boot test system:
>https://www.decadent.org.uk/ben/blog/experiments-with-signed-kernels-and-modules-in-debian.html
>I'm not sure where you should get the Microsoft CA certificate from
>though.
>
>grub-efi-amd64-signed is *not* yet in the archive, though shim-signed
>is.
>
>Ben.
>
>--
>Ben Hutchings
>For every complex problem
>there is a solution that is simple, neat, and wrong.
--
Steve McIntyre, Cambridge, UK. steve@einval.com
Into the distance, a ribbon of black
Stretched to the point of no turning back
--- End Message ---
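One practical check that follows from the package advice in the thread (shim-signed plus grub-efi-amd64-signed rather than grub-efi-amd64) is to confirm that the EFI binaries a build actually placed on the ESP carry an Authenticode signature at all: shim-signed ships a Microsoft-signed shim, grub-efi-amd64-signed ships a Debian-signed grub, and plain grub-efi-amd64 ships an unsigned grubx64.efi. The Python below is an added example, not code from live-wrapper, vmdb2 or this bug report. It parses the PE security data directory to report whether a signature is present (it does not verify the signature or the certificate chain), and the sample images it builds, along with the function names authenticode_blob, audit_esp and build_pe32plus, are constructed here for illustration.

```python
"""Report whether EFI PE binaries carry an Authenticode signature.

Added example, not from the live-wrapper bug thread.  On Debian live media
the Secure Boot chain is shim (shim-signed, Microsoft-signed) followed by
grub (grub-efi-amd64-signed, Debian-signed).  grub-efi-amd64 ships an
unsigned grubx64.efi, so the presence of a PE security directory is a cheap
way to tell which package a built image really used.  Presence only: this
does not validate the signature.
"""
import struct
from typing import Optional

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def authenticode_blob(data: bytes) -> Optional[bytes]:
    """Return the PKCS#7 SignedData embedded in a PE image, or None if unsigned.

    Raises ValueError when the buffer is not a PE file or is malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (no PE signature)")
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    size_of_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:
        num_dirs_off, dirs_off = 108, 112
    elif magic == PE32_MAGIC:
        num_dirs_off, dirs_off = 92, 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_dirs = struct.unpack_from("<I", data, opt + num_dirs_off)[0]
    # IMAGE_DIRECTORY_ENTRY_SECURITY is index 4; absent if the table is shorter.
    if num_dirs <= 4 or dirs_off + 5 * 8 > size_of_opt:
        return None
    cert_off, cert_size = struct.unpack_from("<II", data, opt + dirs_off + 4 * 8)
    if cert_off == 0 or cert_size == 0:
        return None
    # Unlike the other directories, the security entry holds a file offset, not an RVA.
    if cert_size < 8 or cert_off + cert_size > len(data):
        raise ValueError("security directory points outside the file")
    length, _revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or length > cert_size or length < 8:
        raise ValueError("unexpected WIN_CERTIFICATE entry")
    return data[cert_off + 8:cert_off + length]


def audit_esp(files: dict) -> dict:
    """Map each EFI binary name (e.g. BOOTX64.EFI, grubx64.efi) to True if signed."""
    return {name: authenticode_blob(blob) is not None for name, blob in files.items()}


def build_pe32plus(signature: Optional[bytes]) -> bytes:
    """Constructed sample: a minimal, section-less PE32+ image, optionally
    carrying a WIN_CERTIFICATE that wraps `signature`.  It exercises the
    parser only and is not a loadable EFI binary."""
    e_lfanew = 0x40
    opt_size = 112 + 16 * 8                  # PE32+ fixed part plus 16 data directories
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)     # NumberOfRvaAndSizes
    header = dos + b"PE\0\0" + coff
    image_len = len(header) + opt_size
    if signature is None:
        return header + bytes(opt)
    cert = struct.pack("<IHH", 8 + len(signature), 0x0200,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature
    struct.pack_into("<II", opt, 112 + 4 * 8, image_len, len(cert))
    return header + bytes(opt) + cert


if __name__ == "__main__":
    # Constructed ESP: a "shim" with a (fake) signature next to an unsigned "grub".
    esp = {"BOOTX64.EFI": build_pe32plus(b"\x30\x82fake-pkcs7"),
           "grubx64.efi": build_pe32plus(None)}
    for name, signed in audit_esp(esp).items():
        print(f"{name}: {'signed' if signed else 'UNSIGNED'}")
```

On a real image, read the files from the mounted ESP (EFI/boot/BOOTX64.EFI, EFI/debian/grubx64.efi, and so on) and feed their bytes to audit_esp; an unsigned grubx64.efi there means the unsigned grub-efi-amd64 package was installed, and shim will refuse to load it with Secure Boot enabled.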