Bug#919067: Please add a Recommends: on shim-signed

Steve McIntyre steve at einval.com
Sat Jan 12 12:58:52 GMT 2019


Package: grub-efi-amd64-signed
Version: 1+2.02+dfsg1+9
Severity: normal
Tags: patch

Hi!

Working through the last pieces of secure boot support for Buster, I
have a working installer build and a working netinst that boot with SB
enabled and do all the right things. Yay!

There's only one thing missing from my test installations - nothing is
causing shim-signed to be installed automatically. So I have an
installation that succeeds, but the UEFI firmware will then refuse to
boot it afterward due to the lack of a signed first-stage bootloader.

The following trivial patch should fix that:

diff --git a/debian/signing-template/control.in b/debian/signing-template/control.in
index cb84e96c6..5bb726ff9 100644
--- a/debian/signing-template/control.in
+++ b/debian/signing-template/control.in
@@ -11,6 +11,7 @@ Rules-Requires-Root: no
 
 Package: @pkg_signed@
 Architecture: @arch@
+Recommends: shim-signed [amd64]
 Built-Using: grub2 (= @version_binary@)
 Description: GRand Unified Bootloader, version 2 (@arch@ UEFI signed by Debian)
  GRUB is a portable, powerful bootloader.  This version of GRUB is based on a
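
Review bot: the added `Recommends: shim-signed [amd64]` line hard-codes one architecture in a stanza that is otherwise parameterised through `@pkg_signed@` and `@arch@`, so any signed package generated from this template for another architecture ends up with no relationship to a shim at all. If amd64 is the only architecture with a shim-signed package at this point, say so in a comment or the changelog entry so the qualifier gets revisited when that changes; otherwise derive the qualifier from the template's substitutions instead of a literal. Also note that a Recommends is only honoured when installation of recommended packages is enabled, so a system installed without recommends will still lack a signed first-stage loader and be refused by the firmware under Secure Boot; it is worth documenting that next to this field.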

[ Disclaimer: I've not *actually* tested the complete chain with this
  exact change, as that's hard to do with the signing pieces. However,
  this patch applies and builds fine in the grub2 source package, and
  I've built a modified grub-efi-amd64-signed binary package with the
  same Recommends: locally to test with. ]

I've gone for Recommends: rather than Depends to avoid any chance of a
Depends: loop. At the point when d-i or normal package installation is
running, Recommends: is enough to pull in the extra package.

NB: Ubuntu doesn't have the depends/recommends here, so I can only
assume that some other method is used to ensure that shim-signed is
installed there. I asked Steve Langasek about this, but I've not had
an answer yet.

-- System Information:
Debian Release: 9.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)


