Package: grub-efi-amd64-signed
Version: 1+2.02+dfsg1+9
Severity: normal
Tags: patch

Hi!

Working through the last pieces of secure boot support for Buster, I have a working installer build and a working netinst that boot with SB enabled and do all the right things. Yay!

There's only one thing missing from my test installations - nothing is causing shim-signed to be installed automatically. So I have an installation that succeeds, but the UEFI firmware will then refuse to boot it afterward due to the lack of a signed first-stage bootloader.

The following trivial patch should fix that:

diff --git a/debian/signing-template/control.in b/debian/signing-template/control.in index cb84e96c6..5bb726ff9 100644 --- a/debian/signing-template/control.in +++ b/debian/signing-template/control.in 
@@ -11,6 +11,7 @@ Rules-Requires-Root: no Package: @pkg_signed@ Architecture: @arch@ +Recommends: shim-signed [amd64] Built-Using: grub2 (= @version_binary@) Description: GRand Unified Bootloader, version 2 (@arch@ UEFI signed by Debian) GRUB is a portable, powerful bootloader. This version of GRUB is based on a

[ Disclaimer: I've not *actually* tested the complete chain with this exact change, as that's hard to do with the signing pieces. However, this patch applies and builds fine in the grub2 source package, and I've built a modified grub-efi-amd64-signed binary package with the same Recommends: locally to test with. ]

I've gone for Recommends: rather than Depends to avoid any chance of a Depends: loop. At the point when d-i or normal package installation is running, Recommends: is enough to pull in the extra package.

NB: Ubuntu doesn't have the depends/recommends here, so I can only assume that some other method is used to ensure that shim-signed is installed there. I asked Steve Langasek about this, but I've not had an answer yet.

-- System Information:
Debian Release: 9.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
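
Review bot: the `[amd64]` qualifier on the added `Recommends: shim-signed [amd64]` line hard-codes one architecture in a stanza that is otherwise templated with `Architecture: @arch@`, so any instantiation of this template for another architecture gets no Recommends at all. Please say in the commit message whether that is intended, or extend the qualifier to the other architectures this template is built for. Since the field is a Recommends and not a Depends, an installation run with recommended packages disabled will also skip shim-signed; a one-line comment above the field recording why Depends was avoided (the dependency-loop concern) would keep a later editor from silently changing it.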