UEFI Secure Boot - GRUB WIP report

Luca Boccassi bluca at debian.org
Tue Jun 19 15:38:18 BST 2018


On Tue, 2018-06-19 at 11:00 +0200, Philipp Hahn wrote:
> Hello,
> 
> On 19.06.2018 at 10:25 Colin Watson wrote:
> > On Tue, Jun 19, 2018 at 07:50:15AM +0900, Hideki Yamane wrote:
> > >  Just a ping question, is there any progress for grub2 package?
> > >  If not, what's the blocker for it?
> > 
> > I had an email conversation with Philipp Hahn about this.  The main
> > substance of my reply was:
> > 
> >   I can't easily review this as it stands because it's just so different
> >   from how I manage the master branch.  Could you please rebase this onto
> >   the master branch of the repository above?  Furthermore, could you make
> >   sure to use git-dpm any time you're manipulating patches against
> >   upstream (i.e. anything outside debian/)?  You should never need to edit
> >   quilt metadata in the grub2 packaging directly.  Let me know if you need
> >   help using git-dpm that isn't answered by the docs - I'm happy to
> >   advise.
> >   
> >   Once it's in a suitable shape, I'd be happy to review by way of a merge
> >   request on salsa.
> > 
> > I haven't yet heard back, so I assume it's taking Philipp a while to
> > sort out the rebase ...
> 
> I just worked on it yesterday and have pushed my new WIP branch to salsa
> just now: <https://salsa.debian.org/pmhahn/grub/tree/signing3>
> 
> My current problem is that I wanted to test the full chain: self-signed
> certificates, shim, grub, Linux kernel. It uses Qemu/KVM using OVMF with
> SecureBoot.
> I've attached my shell script which works on my laptop only, as my git
> repositories are located in many places, but maybe it's useful for others
> to get started.
> 
> The good news: It works: It loads the signed SHIM and GRUB.
> 
> The bad news: GRUB still falls back to loading an unsigned Linux kernel.
> I suspect
> <https://salsa.debian.org/pmhahn/grub/commit/448311e7374076fbd53e4c8b0f92accd04e07920>
> @Luca: Any idea?
> 
> This is on my TODO list for this week, but it's not the only one.

Hi,

Strange - I have tested running with that patch for a long time, and it
does fail to load if the kernel is not signed with an expected key.
Just tried again to confirm, and it's still the case, as far as I can
see.

I really can't find my way around git-dpm though, I find it a bit
confusing, being used to gbp - could there be an issue with the quilt
patch?

I have attached the debdiff of the grub build I use, here's the
.debian.tar.xz:

https://download.opensuse.org/repositories/home:/bluca:/debian_secure_boot/Debian9/grub2_2.02+dfsg1-5.1.debian.tar.xz

Any chance a fully built image could be uploaded $somewhere to test?
Otherwise I'll try to build one with your script as soon as I have a
moment.

I use OBS to build&sign everything, if you want to check what I run
here's a live-bootable ISO without a signed kernel that fails to boot
and goes back to grub after printing "error: /live/$FOO has invalid
signature.":

https://download.opensuse.org/repositories/home:/bluca:/debian_secure_boot/img_nokernel/iso/standard_20180619T1255-amd64-Build37.1.hybrid.iso

Here's one with a signed kernel that boots fine and shows "Kernel is
locked down from EFI secure boot" in the kernel log:

https://download.opensuse.org/repositories/home:/bluca:/debian_secure_boot/img/iso/standard_20180611T1201-amd64-Build37.17.hybrid.iso

To get the certificate to load in qemu:

wget https://build.opensuse.org/projects/home:bluca:debian_secure_boot/ssl_certificate -O- | openssl x509 -inform pem -outform der -out obs.der

> @Colin: Please have a look if the new branch is in a suitable shape for
> your consumption. Please don't merge yet until the issue mentioned above
> is resolved. Thanks.
> 
> Philipp

Incidentally, any chance the couple of commits that you merged
yesterday into your signing branch could be included as well? Would you
like me to re-send the MRs to the new branch?

Thanks!

-- 
Kind regards,
Luca Boccassi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: grub.debdiff
Type: text/x-patch
Size: 83509 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-grub-devel/attachments/20180619/abca9173/attachment-0001.bin>
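As an added example for the certificate-conversion step in the mail above (this is not code from the thread, from the Debian grub2 packaging, or from the OBS project): a POSIX shell snippet that, instead of downloading the OBS signing certificate, generates a throwaway self-signed certificate, converts it from PEM to the DER form that OVMF's Secure Boot key enrollment expects, and checks that the DER file parses back to the same subject. The subject name, the file names and the WORK directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Everything below
# (subject, file names, WORK dir) is constructed for the demonstration.
set -eu

# Scratch directory for the generated key, PEM and DER files.
WORK="${WORK:-$(mktemp -d)}"

# Create a throwaway self-signed certificate (stand-in for the OBS cert
# the mail fetches with wget). Prints the PEM path.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=example-secure-boot-test" \
        -keyout "$WORK/test.key" -out "$WORK/test.pem" 2>/dev/null
    echo "$WORK/test.pem"
}

# PEM -> DER, the same openssl invocation the mail pipes wget into.
# $1 = input PEM, $2 = output DER. Prints the DER path.
pem_to_der() {
    openssl x509 -inform pem -in "$1" -outform der -out "$2"
    echo "$2"
}

# Sanity check before enrolling: the DER file must parse as an X.509
# certificate and carry the subject we expect. Returns 0 on success.
check_der() {
    subj=$(openssl x509 -inform der -in "$1" -noout -subject)
    case "$subj" in
        *"example-secure-boot-test"*) return 0 ;;
        *) return 1 ;;
    esac
}

# SHA-256 fingerprint of the DER cert, to compare against what the
# firmware shows after enrollment.
der_fingerprint() {
    openssl x509 -inform der -in "$1" -noout -fingerprint -sha256
}

# Usage: sh this-script.sh
pem=$(make_test_cert)
der=$(pem_to_der "$pem" "$WORK/test.der")
check_der "$der" && echo "DER certificate OK: $der"
der_fingerprint "$der"
```

The resulting `.der` file is what gets enrolled into the `db` variable through the OVMF Secure Boot configuration menu; comparing the printed fingerprint with the one the firmware displays is the quick way to confirm the right certificate was loaded before testing whether an unsigned kernel is rejected.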