On Fri, 2018-08-03 at 17:50 +0300, Lars Wirzenius wrote:
> On Fri, 2018-08-03 at 21:56 +0800, Ben Hutchings wrote:
> > Since vmdebootstrap is no longer developed, bug #821088 will not be
> > fixed there, but perhaps Secure Boot will be supportable using vmdb2.
> >
> > If vmdb2 allows its users to specify which package(s) to install as
> > boot loaders, then I don't think it needs to do anything specific to
> > support Secure Boot.
> >
> > If vmdb2 has specific logic for installing grub2, #821088 should be
> > reassigned to vmdb2.
>
> I'm afraid I have no idea what's needed, if anything, for vmdb2 to support
> Secure Boot.

As I understand it, you would need to install grub-efi-$ARCH-signed and
shim-signed, instead of grub-efi-$ARCH.

> I've never used SB, don't know much about it, I fear touching
> the grub-related parts of vmdb2, and I'm afraid I'm unlikely to have time
> or energy to learn in the next few months. I'm not even sure I have
> hardware on which I could test SB. However, I'm happy to accept patches.
>
> The grub installation in vmdb2 is done by this module:
>
> http://git.liw.fi/vmdb2/tree/vmdb/plugins/grub_plugin.py

Would this behaviour be overridable by a user such as live-wrapper?

> Kernel installation is typically done by this module:
>
> http://git.liw.fi/vmdb2/tree/vmdb/plugins/apt_plugin.py

This shouldn't need to change. The usual linux-image-* packages will
include signed code (but will be built from a different source package).

Ben.

> This is a .vmdb file for a PC with UEFI (I've not tested it recently, but
> it used to work):
>
> http://git.liw.fi/vmdb2/tree/uefi.vmdb
>
> I'm happy to guide whoever works on this at the correct parts of vmdb2, and
> to answer questions about it, but I can't promise to do much more than
> that, sorry.
>

--
Ben Hutchings
For every complex problem
there is a solution that is simple, neat, and wrong.