Bug#821053: UEFI Secure Boot support in d-i build

2016-09-30 Thread Steve McIntyre
On Tue, Sep 27, 2016 at 01:11:16AM +0100, Ben Hutchings wrote:
>Control: reassign -1 grub-installer
>Control: tag -1 patch

Control: block -1 by 821051

ACK - although we can't take this until we have working grub-*-signed
packages in the archive. Blocked on #821051 I think.

-- 
Steve McIntyre, Cambridge, UK. st...@einval.com
"I used to be the first kid on the block wanting a cranial implant,
 now I want to be the first with a cranial firewall. " -- Charlie Stross



Bug#821053: UEFI Secure Boot support in d-i build

2016-09-26 Thread Ben Hutchings
Control: reassign -1 grub-installer
Control: tag -1 patch

On Fri, 01 Jul 2016 23:15:07 +0200 Ben Hutchings wrote:
> On Fri, 15 Apr 2016 01:04:15 +0100 Steve McIntyre wrote:
> > Package: debian-installer
> > Severity: important
> > Control: block 820036 with -1
> >
> > Check what changes will be needed in the d-i build scripts to support
> > signed modules etc. for UEFI Secure Boot.
> 
> I think the answer is 'nothing at all', as udebs will be built with
> signed binaries and their names won't change.  This is implemented in
> linux-signed/experimental.

...but we do need to install grub-signed and shim-signed.  Here's a
patch based on what Ubuntu does, extended to cover arm64 and i386:

--- a/grub-installer
+++ b/grub-installer
@@ -319,7 +319,7 @@ experimental_arch () {
 
 case $ARCH in
 arm64/efi)
-   grub_package="grub-efi-arm64"
+   grub_package="grub-efi-arm64-signed"
;;
 armhf/efi)
grub_package="grub-efi-arm"
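
Review bot: in the arm64/efi) branch the signed package name is now hard-coded, while armhf/efi) directly below keeps the unsigned "grub-efi-arm". If that asymmetry is intentional, a short comment on the armhf branch saying so would stop it being read as an oversight later.
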
@@ -343,9 +343,9 @@ case $ARCH in
if [ -f /sys/firmware/efi/fw_platform_size ] ; then
SIZE=$(cat /sys/firmware/efi/fw_platform_size)
if [ $SIZE -eq 64 ] ; then
-   grub_package="grub-efi-amd64"
+   grub_package="grub-efi-amd64-signed"
elif [ $SIZE -eq 32 ] ; then
-   grub_package="grub-efi-ia32"
+   grub_package="grub-efi-ia32-signed"
fi
fi
fi
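
Review bot: the two assignments under the fw_platform_size check switch to the -signed names unconditionally, so an install from an archive or mirror that lacks grub-efi-amd64-signed or grub-efi-ia32-signed will fail at the later 'apt-install $grub_package || exit_code=$?' rather than ending up with a working unsigned GRUB. Consider falling back to the unsigned name when the signed package cannot be installed.
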
@@ -464,10 +464,10 @@ db_progress INFO grub-installer/progress/step_install
 # to grub legacy, or vice-versa
 case "$grub_package" in
 grub)
-   log-output -t grub-installer $chroot $ROOT dpkg -P grub-pc-bin grub-pc 
grub-efi grub-efi-amd64-bin grub-efi-amd64 grub-efi-ia32-bin grub-efi-ia32
+   log-output -t grub-installer $chroot $ROOT dpkg -P grub-pc-bin grub-pc 
grub-efi grub-efi-amd64-bin grub-efi-amd64 grub-efi-amd64-signed 
grub-efi-ia32-bin grub-efi-ia32 grub-efi-ia32-signed
;;
 grub-pc)
-   log-output -t grub-installer $chroot $ROOT dpkg -P grub grub-legacy 
grub-efi grub-efi-amd64-bin grub-efi-amd64 grub-efi-ia32-bin grub-efi-ia32
+   log-output -t grub-installer $chroot $ROOT dpkg -P grub grub-legacy 
grub-efi grub-efi-amd64-bin grub-efi-amd64 grub-efi-amd64-signed 
grub-efi-ia32-bin grub-efi-ia32 grub-efi-ia32-signed
 ;;
 grub-efi*)
log-output -t grub-installer $chroot $ROOT dpkg -P grub grub-legacy 
grub-pc-bin grub-pc
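
Review bot: the dpkg -P lists in the grub) and grub-pc) branches gain the two -signed GRUB packages but not shim-signed, which the last hunk installs alongside them. If shim-signed is present it will be left behind when switching away from EFI GRUB, and if it depends on one of the packages being purged, dpkg -P will refuse to remove that package. Consider adding shim-signed to both lists.
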
@@ -487,6 +487,11 @@ case "$grub_package" in
*)
# Will pull in os-prober based on global setting for Recommends
apt-install $grub_package || exit_code=$? 
+   case $grub_package in
+   *-signed)
+   apt-install shim-signed || true
+   ;;
+   esac
;;
 esac
 
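
Review bot: 'apt-install shim-signed || true' in the new *-signed) case discards any failure, and it also runs when the preceding apt-install of $grub_package has already failed. A target left with signed GRUB but no shim is not reflected in exit_code. Suggest at least logging a warning when the shim install fails, or recording the failure the same way as the line above ('|| exit_code=$?'), and skipping the shim install when the GRUB install itself failed.
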
--- END ---

Ben.

-- 
Ben Hutchings
If the facts do not conform to your theory, they must be disposed of.




Bug#821053: UEFI Secure Boot support in d-i build

2016-07-01 Thread Ben Hutchings
On Fri, 15 Apr 2016 01:04:15 +0100 Steve McIntyre wrote:
> Package: debian-installer
> Severity: important
> Control: block 820036 with -1
> 
> Check what changes will be needed in the d-i build scripts to support
> signed modules etc. for UEFI Secure Boot.

I think the answer is 'nothing at all', as udebs will be built with
signed binaries and their names won't change.  This is implemented in
linux-signed/experimental.

Ben.
 
-- 

Ben Hutchings
All extremists should be taken out and shot.




Bug#821053: UEFI Secure Boot support in d-i build

2016-04-14 Thread Steve McIntyre
Package: debian-installer
Severity: important
Control: block 820036 with -1

Check what changes will be needed in the d-i build scripts to support
signed modules etc. for UEFI Secure Boot.

-- 
Steve McIntyre, Cambridge, UK. st...@einval.com
  Getting a SCSI chain working is perfectly simple if you remember that there
  must be exactly three terminations: one on one end of the cable, one on the
  far end, and the goat, terminated over the SCSI chain with a silver-handled
  knife whilst burning *black* candles. --- Anthony DeBoer