UEFI Secure Boot sprint report

Hideki Yamane henrich at iijmio-mail.jp
Mon Jun 18 23:50:15 BST 2018


Hi,

 Just a ping question: is there any progress on the grub2 package?
 If not, what's the blocker for it?

On Wed, 16 May 2018 10:05:21 +0200
Philipp Hahn <hahn at univention.de> wrote:
> Hello,
> 
> On 15.05.2018 at 11:41, Steve McIntyre wrote:
> > On Tue, May 15, 2018 at 04:16:22AM +0100, Colin Watson wrote:
> >> On Tue, May 15, 2018 at 11:46:00AM +0900, Hideki Yamane wrote:
> >>> On Tue, 15 May 2018 03:32:26 +0100 Ben Hutchings <ben at decadent.org.uk> wrote:
> >>>>>> The second point (have DAK accept ...) is part of step 7, yes.  It
> >>>>>> seems to have been implemented now.
> >>>>>
> >>>>>  Then, remaining blocker is only template for GRUB2?
> >>>>
> >>>> For testing purposes, I think so.  I don't know whether GRUB implements
> >>>> the policy we want at the moment.
> 
> @benh: you meant to *only* boot signed stuff and not fall back to
> disabling SB before booting an unsigned kernel?
> That should be addressed by
> <https://salsa.debian.org/pmhahn/grub/commit/fe06193ff5a36ee6aa6a6cab12f4651b6290d91b>
> 
> >>>  Is there any issue to apply such policy to grub2 package, or just not
> >>>  discussed yet?
> >>
> >> Either nobody's tried to discuss it with me yet or I missed the email.
> >> Feel free to (preferably in the form of a patch I can review :-) ).
> > 
> > At / shortly after the sprint, Philipp (in CC) had patches basically
> > ready for grub2, but he seems to have gone quiet. <prod>
> 
> I was busy working on our release, which took all my time.
> And I'm not subscribed to debian-project.
> 
> My last work is at <https://salsa.debian.org/pmhahn/grub/tree/signing>.
> In the week after the sprint I worked on GRUB2 and got it so far to have
> the signed amd64 package - so at the time of writing the sprint report
> GRUB2 was already ready.
> 
> I haven't yet found time to set up a UEFI-SB test environment to check
> that everything works.
> 
> I haven't yet tested any other architecture != amd64.
> 
> @Colin: Please have a look at said repository above.
> What I'm currently unsure about is that amd64 has those ia32 packages as
> well - it should work but is also untested.
> My reading is that those are required for dual booting?
> 
> Philipp


-- 
Regards,

 Hideki Yamane     henrich @ debian.org/iijmio-mail.jp



More information about the Pkg-grub-devel mailing list