Hi,

On 2019-01-13 20:23, Steve McIntyre wrote:
I've just pushed changes to a few bits of d-i this weekend to make SB
work for amd64:

 * build/util/efi-image:

   We can use pre-existing (and already signed) EFI binaries instead
   of building a new monolithic image ourselves (which won't be
   signed). We'll also need to install the shim-signed binary so that
   it will be called first then can chain-load the grub binary.

   Tested and working for boot both via netinst image and network
   boot for amd64 (signed) and i386 (non-signed). The netboot mini.iso
   is also updated and will now work with SB on amd64.

   ***** This will want documentation updates. Most people won't
         notice the change, *BUT* people using netboot on amd64 will
         need to tftp-serve both shim (as bootnetx64.efi) and grub (as
         grubx64.efi) where previously they just needed grub (as
         bootnetx64.efi)

 * build/config/arm.cfg, build/config/x86.cfg :

   Trivial tweaks to match output changes in efi-image

 * debian/control:

   update build-deps to match those changes

 * grub-installer/grub-installer:

   Small changes to make sure we install shim-signed on amd64
   alongside grub-efi-arm64 and grub-efi-arm64-signed. This will make
   a new amd64 installation now work with SB out of the box.

   (If SB is disabled, shim etc. will harmlessly fall through to normal
   existing behaviour.)

   I've uploaded grub-installer too.

The effect of these changes is that the next daily and weekly debian
installer images (tomorrow) should Just Work (TM) end-to-end with UEFI
Secure Boot. The changes to efi-image also mean that our next live
image builds will do SB (for live and installation).

I'll test all these again in the next couple of days to verify that
things have pulled through as I expect, then it's time to post to
d-d-a and write a blog too. We've made great progress already. These
last changes just tie it all together for end users.

I just tried to test this. As far as I can see grub is still signed by "secure-boot-test-key-lfaraone" as of netinst from yesterday (Saturday). The signature is dated Mon, 14 Jan 2019 01:13:20 (supposedly my time I guess). When trying to boot netinst under SB (admittedly on a 5 year old Gigabyte mainboard) I get an "Access denied" error back from image verification. Unfortunately it does not tell me what exactly failed verification. But shim looks ok from Windows.

Kind regards and thanks for all your work on making this finally happen
Philipp Kern
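
An added example (not part of the original message or of debian-installer): a Python sketch that checks a netboot TFTP file set for the two file names mentioned above and reports images that carry no Authenticode certificate table, or whose table contains the test-key name quoted in the reply. The function names and the constructed fake_pe sample are assumptions made for the demo; the byte search is a heuristic and does not verify any signature.

```python
import struct

TEST_KEY_CN = b"secure-boot-test-key-lfaraone"  # signer name quoted in the reply above

def cert_table(pe: bytes) -> bytes:
    """Return the raw certificate table of a PE/EFI image, or b'' if it has none."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = pe_off + 24                     # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_start = {0x10B: 96, 0x20B: 112}.get(magic)   # PE32 / PE32+ data directories
    if dir_start is None:
        raise ValueError("unknown optional header magic")
    dirs = opt + dir_start
    if struct.unpack_from("<I", pe, dirs - 4)[0] <= 4:   # NumberOfRvaAndSizes
        return b""
    # Entry 4 is the security directory; its "address" is a file offset, not an RVA.
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    return pe[off:off + size] if off and size else b""

def check_netboot(files: dict) -> list:
    """files maps TFTP file name -> image bytes; returns a list of problems found."""
    problems = []
    for name in ("bootnetx64.efi", "grubx64.efi"):   # shim and grub, per the message
        if name not in files:
            problems.append(f"{name}: missing")
            continue
        table = cert_table(files[name])
        if not table:
            problems.append(f"{name}: unsigned")
        elif TEST_KEY_CN in table:
            problems.append(f"{name}: signed with test key")
    return problems

def fake_pe(signer: bytes = b"") -> bytes:
    """Constructed minimal PE32+ header for the demo; not a bootable image."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x58, 0x20B)         # optional header magic
    struct.pack_into("<I", hdr, 0x58 + 108, 16)      # NumberOfRvaAndSizes
    if signer:
        struct.pack_into("<II", hdr, 0x58 + 112 + 32, len(hdr), len(signer))
    return bytes(hdr) + signer
```

For real files, pass a dict built by reading each image from the TFTP root in binary mode.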
