Control: reassign -1 grub-installer
Control: tag -1 patch

On Fri, 01 Jul 2016 23:15:07 +0200 Ben Hutchings <b...@decadent.org.uk> wrote:
> On Fri, 15 Apr 2016 01:04:15 +0100 Steve McIntyre <st...@einval.com>
> wrote:
> > Package: debian-installer
> > Severity: important
> > Control: block 820036 with -1
> >
> > Check what changes will be needed in the d-i build scripts to support
> > signed modules etc. for UEFI Secure Boot.
> 
> I think the answer is 'nothing at all', as udebs will be built with
> signed binaries and their names won't change.  This is implemented in
> linux-signed/experimental.

...but we do need to install grub-signed and shim-signed.  Here's a
patch based on what Ubuntu does, extended to cover arm64 and i386:

--- a/grub-installer
+++ b/grub-installer
@@ -319,7 +319,7 @@ experimental_arch () {
 
 case $ARCH in
     arm64/efi)
-       grub_package="grub-efi-arm64"
+       grub_package="grub-efi-arm64-signed"
        ;;
     armhf/efi)
        grub_package="grub-efi-arm"
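Review bot: in the arm64/efi branch the package name becomes grub-efi-arm64-signed while the armhf/efi branch just below keeps the unsigned grub-efi-arm, and nothing says why the two EFI ARM cases differ. A one-line comment next to armhf/efi noting that it intentionally stays unsigned would keep a later reader from treating it as an oversight.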
@@ -343,9 +343,9 @@ case $ARCH in
                if [ -f /sys/firmware/efi/fw_platform_size ] ; then
                        SIZE=$(cat /sys/firmware/efi/fw_platform_size)
                        if [ $SIZE -eq 64 ] ; then
-                               grub_package="grub-efi-amd64"
+                               grub_package="grub-efi-amd64-signed"
                        elif [ $SIZE -eq 32 ] ; then
-                               grub_package="grub-efi-ia32"
+                               grub_package="grub-efi-ia32-signed"
                        fi
                fi
        fi
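Review bot: both fw_platform_size branches now select a -signed package unconditionally, so the install depends on grub-efi-amd64-signed or grub-efi-ia32-signed being installable from whatever archive the target uses. Consider falling back to the unsigned name (grub-efi-amd64, grub-efi-ia32) when the signed package is not available, rather than letting the later apt-install $grub_package fail.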
@@ -464,10 +464,10 @@ db_progress INFO grub-installer/progress/step_install
 # to grub legacy, or vice-versa
 case "$grub_package" in
     grub)
-       log-output -t grub-installer $chroot $ROOT dpkg -P grub-pc-bin grub-pc 
grub-efi grub-efi-amd64-bin grub-efi-amd64 grub-efi-ia32-bin grub-efi-ia32
+       log-output -t grub-installer $chroot $ROOT dpkg -P grub-pc-bin grub-pc 
grub-efi grub-efi-amd64-bin grub-efi-amd64 grub-efi-amd64-signed 
grub-efi-ia32-bin grub-efi-ia32 grub-efi-ia32-signed
        ;;
     grub-pc)
-       log-output -t grub-installer $chroot $ROOT dpkg -P grub grub-legacy 
grub-efi grub-efi-amd64-bin grub-efi-amd64 grub-efi-ia32-bin grub-efi-ia32
+       log-output -t grub-installer $chroot $ROOT dpkg -P grub grub-legacy 
grub-efi grub-efi-amd64-bin grub-efi-amd64 grub-efi-amd64-signed 
grub-efi-ia32-bin grub-efi-ia32 grub-efi-ia32-signed
     ;;
     grub-efi*)
        log-output -t grub-installer $chroot $ROOT dpkg -P grub grub-legacy 
grub-pc-bin grub-pc
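Review bot: the dpkg -P lists in the grub) and grub-pc) cases gain the two -signed packages but not shim-signed, which the last hunk installs alongside them, so switching a target back to grub or grub-pc would leave shim-signed behind. Add shim-signed to both purge lists, or say in the commit message why it should stay. The long dpkg -P lines are also wrapped in this mail and will need rejoining before the patch applies.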
@@ -487,6 +487,11 @@ case "$grub_package" in
    *)
        # Will pull in os-prober based on global setting for Recommends
        apt-install $grub_package || exit_code=$? 
+       case $grub_package in
+           *-signed)
+               apt-install shim-signed || true
+               ;;
+       esac
        ;;
 esac
 
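Review bot: in the new *-signed) case, apt-install shim-signed || true discards a failure silently, whereas the grub install directly above records it with exit_code=$?. It also runs when apt-install $grub_package has just failed. Suggest skipping it when exit_code is set and at least logging a warning if shim-signed cannot be installed, so a target left with signed GRUB but no shim is visible in the installer log.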
--- END ---

Ben.

-- 
Ben Hutchings
If the facts do not conform to your theory, they must be disposed of.
