Bug#820050: Monolithic grub for signing (grub2-signed/secure-boot)

2017-02-12 Thread Luca Boccassi
On Thu, 20 Oct 2016 17:32:53 -0200 Helen Koike  
wrote:
> Hi,
> 
> To be able to create grub2-signed package we need a monolithic version 
> of grub available, as grub doesn't know how to verify the signatures of its 
> modules loaded from the disk, so we need a monolithic version containing 
> grub and all its modules into a single image to be signed. Then 
> grub2-signed package can depend on the signature and on monolithic grub 
> package to be used when secure boot is enabled.
> 
> So I was wondering if it would be ok to change the packages 
> grub-efi-deb to create a monolithic version of grub or if it will be 
> preferable to create a grub-efi-monolithicdeb, or do you have any 
> other idea?
> 
> Thanks
> Helen Koike

Hi,

In case any of this could be of use:

a small patch to build additional monolithic EFI grub packages for amd64/arm64 
can be found here:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851994

and here's a grub2-signed source package that I derived from linux-signed:

https://github.com/bluca/grub2-signed

I've been successfully using these changes internally in our downstream
rebuild at work. The other secure boot related grub patches are
necessary as well (to enable the build in grub on platforms other than
Ubuntu listed on #836140).

I know on Debian DAK will do the signing from a tarball with the
unsigned binaries rather than a package, but just in case a user or
another downstream wants to self-sign I wanted to leave these here for
reference.

Kind regards,
Luca Boccassi

Bug#820050: Monolithic grub for signing (grub2-signed/secure-boot)

2016-10-20 Thread Helen Koike

Hi,

To be able to create grub2-signed package we need a monolithic version 
of grub available, as grub doesn't know how to verify the signatures of its 
modules loaded from the disk, so we need a monolithic version containing 
grub and all its modules into a single image to be signed. Then 
grub2-signed package can depend on the signature and on monolithic grub 
package to be used when secure boot is enabled.
So I was wondering if it would be ok to change the packages 
grub-efi-deb to create a monolithic version of grub or if it will be 
preferable to create a grub-efi-monolithicdeb, or do you have any 
other idea?
Thanks
Helen Koike
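The build-and-sign flow that both messages describe (a single EFI binary with every module linked in, so nothing is insmod'ed unverified from disk, then an Authenticode signature over that one file), as an added shell example. It is not code from the bug report, from Luca's grub2-signed repository or from the Debian grub2 packaging; the module list, the /EFI/debian prefix, the module directory under /usr/lib/grub and the db.key/db.crt paths are assumptions, and the arm64/amd64 mapping is the only part of it that the text itself mentions.

```shell
#!/bin/sh
# Added example, not part of the bug report or of Debian's grub2 packaging:
# build ONE monolithic EFI grub binary with grub-mkimage (every module is
# linked into the image, so the loader never has to load an unsigned .mod
# from disk), then sign it with sbsign and check it with sbverify.
# Module list, key/cert paths and output names below are assumptions.
set -eu

# Map a Debian architecture to the grub target format.
efi_format_for_arch() {
    case "$1" in
        amd64) echo x86_64-efi ;;
        arm64) echo arm64-efi ;;
        *) echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# Map a Debian architecture to the second-stage file name shim loads.
efi_image_name_for_arch() {
    case "$1" in
        amd64) echo grubx64.efi ;;
        arm64) echo grubaa64.efi ;;
        *) echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# Modules to link in. Illustrative subset (assumption), not Debian's list.
# In a monolithic build anything missing here cannot be added later at
# runtime, which is exactly the property the signature relies on.
monolithic_modules() {
    echo "part_gpt part_msdos fat ext2 normal configfile search \
search_fs_uuid search_label echo test linux chain gfxterm efi_gop all_video"
}

# build_monolithic_grub ARCH MODULE_DIR OUTPUT
#   MODULE_DIR is the directory holding the *.mod files for that target,
#   e.g. /usr/lib/grub/x86_64-efi (assumed path).
build_monolithic_grub() {
    arch=$1; moddir=$2; out=$3
    # -p is the prefix where grub.cfg is looked up at boot, -d the module
    # directory; the positional module names are embedded into the image.
    # shellcheck disable=SC2046  (word splitting of the module list is intended)
    grub-mkimage -O "$(efi_format_for_arch "$arch")" -o "$out" \
        -p /EFI/debian -d "$moddir" $(monolithic_modules)
}

# sign_image KEY CERT INPUT OUTPUT : Authenticode-sign with the db key.
sign_image() {
    sbsign --key "$1" --cert "$2" --output "$4" "$3"
}

# verify_image CERT IMAGE : non-zero exit unless the signature verifies
# against CERT, so a build pipeline can fail closed on a bad signature.
verify_image() {
    sbverify --cert "$1" "$2"
}

# The real build only runs when asked for, so the file can be sourced
# (or checked) without grub-mkimage/sbsign installed.
if [ "${BUILD_SIGNED_GRUB:-0}" = 1 ]; then
    arch=${ARCH:-amd64}
    img=$(efi_image_name_for_arch "$arch")
    build_monolithic_grub "$arch" "/usr/lib/grub/$(efi_format_for_arch "$arch")" "$img"
    sign_image db.key db.crt "$img" "$img.signed"
    verify_image db.crt "$img.signed"
fi
```

Run it as `BUILD_SIGNED_GRUB=1 ARCH=arm64 sh build-signed-grub.sh` on a host with grub-mkimage and sbsigntool. The output of `build_monolithic_grub` (unsigned, monolithic) is the artifact a signing service such as DAK would consume; `sign_image` and `verify_image` are what a downstream that self-signs would run in its place.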