Bug#820050: Monolithic grub for signing (grub2-signed/secure-boot)

Luca Boccassi luca.boccassi at gmail.com
Sun Feb 12 12:42:25 UTC 2017


On Thu, 20 Oct 2016 17:32:53 -0200 Helen Koike <helen.koike at collabora.co.uk> wrote:
> Hi,
> 
> To be able to create grub2-signed package we need a monolithic version 
> of grub available, as grub doesn't know how to verify the signatures of its 
> modules loaded from the disk, so we need a monolithic version containing 
> grub and all its modules into a single image to be signed. Then 
> grub2-signed package can depend on the signature and on monolithic grub 
> package to be used when secure boot is enabled.
> 
> So I was wondering if it would be ok to change the packages 
> grub-efi-....deb to create a monolithic version of grub or if it will be 
> preferable to create a grub-efi-monolithic....deb, or do you have any 
> other idea?
> 
> Thanks
> Helen Koike

Hi,

In case any of this could be of use:

a small patch to build additional monolithic EFI grub packages for amd64/arm64 can be found here:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851994

and here's a grub2-signed source package that I derived from linux-signed:

https://github.com/bluca/grub2-signed

I've been successfully using these changes internally in our downstream
rebuild at work. The other secure boot related grub patches are
necessary as well (to enable the build in grub on platforms other than
Ubuntu listed on #836140).

I know on Debian DAK will do the signing from a tarball with the
unsigned binaries rather than a package, but just in case a user or
another downstream wants to self-sign I wanted to leave these here for
reference.

Kind regards,
Luca Boccassi