[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#821055: marked as done (live-wrapper: Missing UEFI Secure Boot support)

Your message dated Wed, 19 Jun 2019 11:54:26 +0100
with message-id <20190619105426.GB3959@tack.einval.com>
and subject line Re: Bug#821055: Bug#821088: Secure Boot support in live-wrapper
has caused the Debian Bug report #821055,
regarding live-wrapper: Missing UEFI Secure Boot support
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
821055: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=821055
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: live-wrapper
Severity: important
Control: block 820036 with -1

When we get live builds going again with UEFI support, we'll need to
add support for Secure Boot too. This is a tracking bug - modify and
update as appropriate.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"Every time you use Tcl, God kills a kitten." -- Malcolm Ray

--- End Message ---
--- Begin Message --- 
Closing old bug - our live media builds have working SB support.

I found that the UEFI setup we're using is all driven by live-wrapper
rather than the code in vmdebootstrap, which made life much easier.

As vmdebootstrap is basically moribund, probably worth closing 821088
too?

On Fri, Aug 03, 2018 at 11:32:16PM +0800, Ben Hutchings wrote:
>On Fri, 2018-08-03 at 18:12 +0300, Lars Wirzenius wrote:
>> On Fri, 2018-08-03 at 23:03 +0800, Ben Hutchings wrote:
>> > On Fri, 2018-08-03 at 17:50 +0300, Lars Wirzenius wrote:
>> > > On Fri, 2018-08-03 at 21:56 +0800, Ben Hutchings wrote:
>> > > > Since vmdebootstrap is no longer developed, bug #821088 will not be
>> > > > fixed there, but perhaps Secure Boot will be supportable using vmdb2.
>> > > > 
>> > > > If vmdb2 allows its users to specify which package(s) to install as
>> > > > boot loaders, then I don't think it needs to do anything specific to
>> > > > support Secure Boot.
>> > > > 
>> > > > If vmdb2 has specific logic for installing grub2, #821088 should be
>> > > > reassigned to vmdb2.
>> > > 
>> > > I'm afraid I have no idea what's needed, if anything, for vmdb2 to support
>> > > Secure Boot.
>> > 
>> > As I understand it, you would need to install grub-efi-$ARCH-signed and
>> > shim-signed, instead of grub-efi-$ARCH.
>> 
>> That would be easy enough to do. I'm thinking the uefi could gain a third
>> flavor (currently "bios" and "uefi": "uefi-secure-boot". The difference
>> with the "uefi" flavour would be packages installed. That would be an easy
>> to patch to make (but I have no idea how I'd test it).
>
>You can use QEMU and OVMF as a Secure Boot test system:
>https://www.decadent.org.uk/ben/blog/experiments-with-signed-kernels-and-modules-in-debian.html
>I'm not sure where you should get the Microsoft CA certificate from
>though.
>
>grub-efi-amd64-signed is *not* yet in the archive, though shim-signed
>is.
>
>Ben.
>
>-- 
>Ben Hutchings
>For every complex problem
>there is a solution that is simple, neat, and wrong.


-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
Into the distance, a ribbon of black
Stretched to the point of no turning back

--- End Message ---
Reply to: