UEFI Secure Boot - GRUB WIP report

Philipp Hahn hahn at univention.de
Tue Jun 19 10:00:44 BST 2018


Hello,

On 19.06.2018 at 10:25, Colin Watson wrote:
> On Tue, Jun 19, 2018 at 07:50:15AM +0900, Hideki Yamane wrote:
>>  Just a ping question, is there any progress for grub2 package?
>>  If not, what's the blocker for it?
> 
> I had an email conversation with Philipp Hahn about this.  The main
> substance of my reply was:
> 
>   I can't easily review this as it stands because it's just so different
>   from how I manage the master branch.  Could you please rebase this onto
>   the master branch of the repository above?  Furthermore, could you make
>   sure to use git-dpm any time you're manipulating patches against
>   upstream (i.e. anything outside debian/)?  You should never need to edit
>   quilt metadata in the grub2 packaging directly.  Let me know if you need
>   help using git-dpm that isn't answered by the docs - I'm happy to
>   advise.
>   
>   Once it's in a suitable shape, I'd be happy to review by way of a merge
>   request on salsa.
> 
> I haven't yet heard back, so I assume it's taking Philipp a while to
> sort out the rebase ...

I just worked on it yesterday and have pushed my new WIP branch to salsa
just now: <https://salsa.debian.org/pmhahn/grub/tree/signing3>

My current problem is that I wanted to test the full chain: self-signed
certificates, shim, grub, Linux kernel. It uses Qemu/KVM using OVMF with
SecureBoot.
I've attached my shell script, which works on my laptop only, as my Git
repositories are located in many places, but maybe it's useful for others
to get started.

The good news: It works: It loads the signed SHIM and GRUB.

The bad news: GRUB still falls back to loading an unsigned Linux kernel.
I suspect
<https://salsa.debian.org/pmhahn/grub/commit/448311e7374076fbd53e4c8b0f92accd04e07920>
@Luca: Any idea?

This is on my TODO list for this week, but it's not the only one.

@Colin: Please have a look if the new branch is in a suitable shape for
your consumption. Please don't merge yet until the issue mentioned above
is resolved. Thanks.

Philipp
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test-it.sh
Type: application/x-sh
Size: 8571 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-grub-devel/attachments/20180619/e5d044dd/attachment-0001.sh>

