On Thu, 2019-02-14 at 18:35 +0000, Luca Boccassi wrote:
> On Thu, 2019-02-14 at 17:18 +0100, Matthijs Kooijman wrote:
> > Hey Luca,
> > 
> > > At a quick glance it all sounds good to me, although I can't say I
> > > have a lot of experience with syslinux.
> > 
> > Ok.
> > 
> > > For feature parity, I'd encourage looking into supporting Secure
> > > Boot like the grub-efi implementation does, since we are preparing to
> > > ship that in Debian 10. It's not much extra work on top of adding the
> > > rest anyway.
> > 
> > Can you elaborate a bit on how grub-efi supports Secure Boot exactly?
> > I can't really find anything about this in the code?
> > 
> > Looking at build/scripts/binary_grub-efi and build/scripts/efi-image,
> > I see that a new efi firmware binary is built using grub-mkimage, so I
> > suppose that that image is not already signed, and there is nothing
> > suggesting that image is signed at that time. Looking at binary_iso
> > there is also no reference to signing or secure boot.
> > 
> > AFAIU, to support secure boot, you need to sign the bootloader,
> > typically using a key from MS. I've read about the Shim bootloader,
> > which is signed and typically used to then load grub or other
> > bootloaders (signed by the Debian key or other keys included in Shim).
> > However, I can see no reference to shim either.
> > 
> > Looking at the grub package more closely, I *think* that it installs
> > shim alongside grub when using grub-install, but that is not used here?
> > 
> > Regardless, how would you suggest we "support Secure Boot" with
> > syslinux-efi exactly? AFAICT there is no syslinux-efi image available
> > signed with the MS key, and I suspect it is not signed with the Debian
> > key or any other key used by shim (also, since syslinux does not seem
> > to support key verification on kernels, I guess there is no secure way
> > to get syslinux booting under secure boot without compromising secure
> > boot, but I might be missing an important point about SB here...).
> 
> So for the secure boot case in binary_grub-efi, what we do is that if
> the signed monolithic EFI binaries are available we copy those instead
> of building a new image. As you correctly mentioned these have to be
> signed already, so we can't do that when building the image, but they
> are already available in the Debian archive as packages.
> 
> Here we check if they are available:
> 
> https://salsa.debian.org/live-team/live-build/blob/master/scripts/build/binary_grub-efi#L79
> 
> Here we copy the binaries in the right places:
> 
> https://salsa.debian.org/live-team/live-build/blob/master/scripts/build/binary_grub-efi#L164

Ah silly me, I forgot something simple but quite fundamental: the point
of syslinux is to avoid using grub entirely.

Then disregard anything I've said. D'oh!

-- 
Kind regards,
Luca Boccassi
