On Thu, 2019-02-14 at 17:18 +0100, Matthijs Kooijman wrote:
> Hey Luca,
> 
> > At a quick glance it all sounds good to me, although I can't say I have
> > a lot of experience with syslinux.
> 
> Ok.
> 
> > For feature parity, I'd encourage to look into supporting Secure Boot
> > like the grub-efi implementation does, since we are preparing to ship
> > that in Debian 10. It's not much extra work on top of adding the rest
> > anyway.
> 
> Can you elaborate a bit on how grub-efi supports Secure Boot exactly? I
> can't really find anything about this in the code?
> 
> Looking at build/scripts/binary_grub-efi and build/scripts/efi-image, I
> see that a new efi firmware binary is built using grub-mkimage, so I
> suppose that that image is not already signed, and there is nothing
> suggesting that image is signed at that time. Looking at binary_iso
> there is also no reference to signing or secure boot.
> 
> AFAIU, to support secure boot, you need to sign the bootloader,
> typically using a key from MS. I've read about the Shim bootloader,
> which is signed and typically used to then load grub or other
> bootloaders (signed by the Debian key or other keys included in Shim).
> However, I can see no reference to shim either.
> 
> Looking at the grub package more closely, I *think* that it installs shim
> alongside grub when using grub-install, but that is not used here?
> 
> Regardless, how would you suggest we "support Secure Boot" with
> syslinux-efi exactly? AFAICT there is no syslinux-efi image available
> signed with the MS key, and I suspect it is not signed with the Debian
> key or any other key used by shim (also, since syslinux does not seem to
> support key verification on kernels, I guess there is no secure way to
> get syslinux booting under secure boot without compromising secure boot,
> but I might be missing an important point about SB here...).

So for the secure boot case in binary_grub-efi, what we do is that if
the signed monolithic EFI binaries are available we copy those instead
of building a new image. As you correctly mentioned these have to be
signed already, so we can't do that when building the image, but they
are already available in the Debian archive as packages.

Here we check if they are available:

https://salsa.debian.org/live-team/live-build/blob/master/scripts/build/binary_grub-efi#L79

Here we copy the binaries in the right places:

https://salsa.debian.org/live-team/live-build/blob/master/scripts/build/binary_grub-efi#L164

> > > Since config sharing is easy and syslinux-efi is a matter of adding
> > > some files to the existing image, it would make sense to add
> > > syslinux-efi by default on normal syslinux hdd images (perhaps
> > > adding a new option to disable this?).
> 
> I just noticed that lb config has a --bootloaders that supports
> *multiple* bootloaders, so that would be a perfect way to support this.
> E.g. --bootloaders syslinux,syslinux-efi to have a combined image (which
> would also become the default for hdd images), or an explicit
> --bootloaders syslinux or --bootloaders syslinux-efi to choose either
> one individually.
> 
> Gr.
> 
> Matthijs

Yes we do support that - although not all combinations work IIRC.

-- 
Kind regards,
Luca Boccassi
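
Added example (not part of the original message and not live-build's own code): a sketch of the "copy the pre-signed binaries if present, otherwise fall back to building" decision described in the reply above. The function name `stage_efi_loader` is hypothetical, and the source and destination paths are assumptions about where Debian's signed shim and GRUB packages install their files on amd64.

```shell
#!/bin/sh
# stage_efi_loader SYSROOT ESP_DIR
# Prints "signed" when the pre-signed shim and GRUB were copied into the ESP,
# or "unsigned" when they are absent and the caller has to build its own image
# with grub-mkimage (which firmware enforcing Secure Boot will refuse to load).
stage_efi_loader() {
    sysroot=$1
    esp=$2
    # Assumed package locations (shim-signed, grub-efi-amd64-signed).
    shim="$sysroot/usr/lib/shim/shimx64.efi.signed"
    grub="$sysroot/usr/lib/grub/x86_64-efi-signed/gcdx64.efi.signed"

    mkdir -p "$esp/EFI/boot" || return 1

    # Both files are needed: the firmware verifies shim, shim verifies GRUB.
    # A signed shim in front of a locally built GRUB would not boot.
    if [ -r "$shim" ] && [ -r "$grub" ]; then
        # Copy byte for byte; any modification invalidates the signature.
        # Shim takes the removable-media default name and loads grubx64.efi
        # from the same directory.
        cp "$shim" "$esp/EFI/boot/bootx64.efi" || return 1
        cp "$grub" "$esp/EFI/boot/grubx64.efi" || return 1
        echo signed
    else
        echo unsigned
    fi
}

# Constructed demo: empty placeholder files stand in for the packaged binaries.
demo=$(mktemp -d)
mkdir -p "$demo/root/usr/lib/shim" "$demo/root/usr/lib/grub/x86_64-efi-signed"
stage_efi_loader "$demo/root" "$demo/esp"   # packages not installed yet
: > "$demo/root/usr/lib/shim/shimx64.efi.signed"
: > "$demo/root/usr/lib/grub/x86_64-efi-signed/gcdx64.efi.signed"
stage_efi_loader "$demo/root" "$demo/esp"   # both present
rm -rf "$demo"
```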
