Control: reassign -1 grub-installer
Control: tag -1 patch
On Fri, 01 Jul 2016 23:15:07 +0200 Ben Hutchings wrote:
> On Fri, 15 Apr 2016 01:04:15 +0100 Steve McIntyre
> wrote:
> > Package: debian-installer
> > Severity: important
> > Control: block 820036 with -1
> >
> > Check what changes will be needed in the d-i build scripts to support
> > signed modules etc. for UEFI Secure Boot.
>
> I think the answer is 'nothing at all', as udebs will be built with
> signed binaries and their names won't change. This is implemented in
> linux-signed/experimental.
...but we do need to install grub-signed and shim-signed. Here's a
patch based on what Ubuntu does, extended to cover arm64 and i386:
--- a/grub-installer
+++ b/grub-installer
@@ -319,7 +319,7 @@ experimental_arch () {
case $ARCH in
arm64/efi)
- grub_package="grub-efi-arm64"
+ grub_package="grub-efi-arm64-signed"
;;
armhf/efi)
grub_package="grub-efi-arm"
@@ -343,9 +343,9 @@ case $ARCH in
if [ -f /sys/firmware/efi/fw_platform_size ] ; then
SIZE=$(cat /sys/firmware/efi/fw_platform_size)
if [ $SIZE -eq 64 ] ; then
- grub_package="grub-efi-amd64"
+ grub_package="grub-efi-amd64-signed"
elif [ $SIZE -eq 32 ] ; then
- grub_package="grub-efi-ia32"
+ grub_package="grub-efi-ia32-signed"
fi
fi
fi
@@ -464,10 +464,10 @@ db_progress INFO grub-installer/progress/step_install
# to grub legacy, or vice-versa
case "$grub_package" in
grub)
- log-output -t grub-installer $chroot $ROOT dpkg -P grub-pc-bin grub-pc
grub-efi grub-efi-amd64-bin grub-efi-amd64 grub-efi-ia32-bin grub-efi-ia32
+ log-output -t grub-installer $chroot $ROOT dpkg -P grub-pc-bin grub-pc
grub-efi grub-efi-amd64-bin grub-efi-amd64 grub-efi-amd64-signed
grub-efi-ia32-bin grub-efi-ia32 grub-efi-ia32-signed
;;
grub-pc)
- log-output -t grub-installer $chroot $ROOT dpkg -P grub grub-legacy
grub-efi grub-efi-amd64-bin grub-efi-amd64 grub-efi-ia32-bin grub-efi-ia32
+ log-output -t grub-installer $chroot $ROOT dpkg -P grub grub-legacy
grub-efi grub-efi-amd64-bin grub-efi-amd64 grub-efi-amd64-signed
grub-efi-ia32-bin grub-efi-ia32 grub-efi-ia32-signed
;;
grub-efi*)
log-output -t grub-installer $chroot $ROOT dpkg -P grub grub-legacy
grub-pc-bin grub-pc
@@ -487,6 +487,11 @@ case "$grub_package" in
*)
# Will pull in os-prober based on global setting for Recommends
apt-install $grub_package || exit_code=$?
+ case $grub_package in
+ *-signed)
+ apt-install shim-signed || true
+ ;;
+ esac
;;
esac
--- END ---
Ben.
--
Ben Hutchings
If the facts do not conform to your theory, they must be disposed of.
signature.asc
Description: Digital signature