Bug#821055: live builds will need UEFI Secure Boot changes

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

Bug#821055: live builds will need UEFI Secure Boot changes

Steve McIntyre
Package: live-wrapper
Severity: important
Control: block 820036 with -1

When we get live builds going again with UEFI support, we'll need to
add support for Secure Boot too. This is a tracking bug - modify and
update as appropriate.

--
Steve McIntyre, Cambridge, UK.                                [hidden email]
"Every time you use Tcl, God kills a kitten." -- Malcolm Ray

Reply | Threaded
Open this post in threaded view
|

Bug#821055: Secure Boot support in live-wrapper

Ben Hutchings-3
Since vmdebootstrap is no longer developed, bug #821088 will not be
fixed there, but perhaps Secure Boot will be supportable using vmdb2.

If vmdb2 allows its users to specify which package(s) to install as
boot loaders, then I don't think it needs to do anything specific to
support Secure Boot.

If vmdb2 has specific logic for installing grub2, #821088 should be
reassigned to vmdb2.

Ben.

--
Ben Hutchings
For every complex problem
there is a solution that is simple, neat, and wrong.


signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Bug#821088: Secure Boot support in live-wrapper

Lars Wirzenius-5
On Fri, 2018-08-03 at 21:56 +0800, Ben Hutchings wrote:
> Since vmdebootstrap is no longer developed, bug #821088 will not be
> fixed there, but perhaps Secure Boot will be supportable using vmdb2.
>
> If vmdb2 allows its users to specify which package(s) to install as
> boot loaders, then I don't think it needs to do anything specific to
> support Secure Boot.
>
> If vmdb2 has specific logic for installing grub2, #821088 should be
> reassigned to vmdb2.

I'm afraid I have no idea what's needed, if anything, for vmdb2 to support
Secure Boot. I've never used SB, don't know much about it, I fear touching
the grub-related parts of vmdb2, and I'm afraid I'm unlikely to have time
or energy to learn in the next few months. I'm not even sure I have
hardware on which I could test SB. However, I'm happy to accept patches.

The grub installation in vmdb2 is done by this module:

http://git.liw.fi/vmdb2/tree/vmdb/plugins/grub_plugin.py

Kernel installation is typically done by this module:

http://git.liw.fi/vmdb2/tree/vmdb/plugins/apt_plugin.py

This is a .vmdb file for a PC with UEFI (I've not tested it recently, but
it used to work):

http://git.liw.fi/vmdb2/tree/uefi.vmdb

I'm happy to guide whoever works on this at the correct parts of vmdb2, and
to answer questions about it, but I can't promise to do much more than
that, sorry.


signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Bug#821055: Bug#821088: Secure Boot support in live-wrapper

Ben Hutchings-3
On Fri, 2018-08-03 at 17:50 +0300, Lars Wirzenius wrote:

> On Fri, 2018-08-03 at 21:56 +0800, Ben Hutchings wrote:
> > Since vmdebootstrap is no longer developed, bug #821088 will not be
> > fixed there, but perhaps Secure Boot will be supportable using vmdb2.
> >
> > If vmdb2 allows its users to specify which package(s) to install as
> > boot loaders, then I don't think it needs to do anything specific to
> > support Secure Boot.
> >
> > If vmdb2 has specific logic for installing grub2, #821088 should be
> > reassigned to vmdb2.
>
> I'm afraid I have no idea what's needed, if anything, for vmdb2 to support
> Secure Boot.
As I understand it, you would need to install grub-efi-$ARCH-signed and
shim-signed, instead of grub-efi-$ARCH.

> I've never used SB, don't know much about it, I fear touching
> the grub-related parts of vmdb2, and I'm afraid I'm unlikely to have time
> or energy to learn in the next few months. I'm not even sure I have
> hardware on which I could test SB. However, I'm happy to accept patches.
>
> The grub installation in vmdb2 is done by this module:
>
> http://git.liw.fi/vmdb2/tree/vmdb/plugins/grub_plugin.py

Would this behaviour be overridable by a user such as live-wrapper?

> Kernel installation is typically done by this module:
>
> http://git.liw.fi/vmdb2/tree/vmdb/plugins/apt_plugin.py

This shouldn't need to change.  The usual linux-image-* packages will
include signed code (but will be built from a different source
package).

Ben.

> This is a .vmdb file for a PC with UEFI (I've not tested it recently, but
> it used to work):
>
> http://git.liw.fi/vmdb2/tree/uefi.vmdb
>
> I'm happy to guide whoever works on this at the correct parts of vmdb2, and
> to answer questions about it, but I can't promise to do much more than
> that, sorry.
>
--
Ben Hutchings
For every complex problem
there is a solution that is simple, neat, and wrong.


signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Bug#821055: Bug#821088: Secure Boot support in live-wrapper

Lars Wirzenius-5
On Fri, 2018-08-03 at 23:03 +0800, Ben Hutchings wrote:

> On Fri, 2018-08-03 at 17:50 +0300, Lars Wirzenius wrote:
> > On Fri, 2018-08-03 at 21:56 +0800, Ben Hutchings wrote:
> > > Since vmdebootstrap is no longer developed, bug #821088 will not be
> > > fixed there, but perhaps Secure Boot will be supportable using vmdb2.
> > >
> > > If vmdb2 allows its users to specify which package(s) to install as
> > > boot loaders, then I don't think it needs to do anything specific to
> > > support Secure Boot.
> > >
> > > If vmdb2 has specific logic for installing grub2, #821088 should be
> > > reassigned to vmdb2.
> >
> > I'm afraid I have no idea what's needed, if anything, for vmdb2 to support
> > Secure Boot.
>
> As I understand it, you would need to install grub-efi-$ARCH-signed and
> shim-signed, instead of grub-efi-$ARCH.
That would be easy enough to do. I'm thinking the uefi could gain a third
flavor (currently "bios" and "uefi": "uefi-secure-boot". The difference
with the "uefi" flavour would be packages installed. That would be an easy
to patch to make (but I have no idea how I'd test it).


signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Bug#821055: Bug#821088: Secure Boot support in live-wrapper

Ben Hutchings-3
On Fri, 2018-08-03 at 18:12 +0300, Lars Wirzenius wrote:

> On Fri, 2018-08-03 at 23:03 +0800, Ben Hutchings wrote:
> > On Fri, 2018-08-03 at 17:50 +0300, Lars Wirzenius wrote:
> > > On Fri, 2018-08-03 at 21:56 +0800, Ben Hutchings wrote:
> > > > Since vmdebootstrap is no longer developed, bug #821088 will not be
> > > > fixed there, but perhaps Secure Boot will be supportable using vmdb2.
> > > >
> > > > If vmdb2 allows its users to specify which package(s) to install as
> > > > boot loaders, then I don't think it needs to do anything specific to
> > > > support Secure Boot.
> > > >
> > > > If vmdb2 has specific logic for installing grub2, #821088 should be
> > > > reassigned to vmdb2.
> > >
> > > I'm afraid I have no idea what's needed, if anything, for vmdb2 to support
> > > Secure Boot.
> >
> > As I understand it, you would need to install grub-efi-$ARCH-signed and
> > shim-signed, instead of grub-efi-$ARCH.
>
> That would be easy enough to do. I'm thinking the uefi could gain a third
> flavor (currently "bios" and "uefi": "uefi-secure-boot". The difference
> with the "uefi" flavour would be packages installed. That would be an easy
> to patch to make (but I have no idea how I'd test it).
You can use QEMU and OVMF as a Secure Boot test system:
https://www.decadent.org.uk/ben/blog/experiments-with-signed-kernels-and-modules-in-debian.html
I'm not sure where you should get the Microsoft CA certificate from
though.

grub-efi-amd64-signed is *not* yet in the archive, though shim-signed
is.

Ben.

--
Ben Hutchings
For every complex problem
there is a solution that is simple, neat, and wrong.

signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Bug#821088: Bug#821055: Bug#821088: Secure Boot support in live-wrapper

Steve McIntyre
Closing old bug - our live media builds have working SB support.

I found that the UEFI setup we're using is all driven by live-wrapper
rather than the code in vmdebootstrap, which made life much easier.

As vmdebootstrap is basically moribund, probably worth closing 821088
too?

On Fri, Aug 03, 2018 at 11:32:16PM +0800, Ben Hutchings wrote:

>On Fri, 2018-08-03 at 18:12 +0300, Lars Wirzenius wrote:
>> On Fri, 2018-08-03 at 23:03 +0800, Ben Hutchings wrote:
>> > On Fri, 2018-08-03 at 17:50 +0300, Lars Wirzenius wrote:
>> > > On Fri, 2018-08-03 at 21:56 +0800, Ben Hutchings wrote:
>> > > > Since vmdebootstrap is no longer developed, bug #821088 will not be
>> > > > fixed there, but perhaps Secure Boot will be supportable using vmdb2.
>> > > >
>> > > > If vmdb2 allows its users to specify which package(s) to install as
>> > > > boot loaders, then I don't think it needs to do anything specific to
>> > > > support Secure Boot.
>> > > >
>> > > > If vmdb2 has specific logic for installing grub2, #821088 should be
>> > > > reassigned to vmdb2.
>> > >
>> > > I'm afraid I have no idea what's needed, if anything, for vmdb2 to support
>> > > Secure Boot.
>> >
>> > As I understand it, you would need to install grub-efi-$ARCH-signed and
>> > shim-signed, instead of grub-efi-$ARCH.
>>
>> That would be easy enough to do. I'm thinking the uefi could gain a third
>> flavor (currently "bios" and "uefi": "uefi-secure-boot". The difference
>> with the "uefi" flavour would be packages installed. That would be an easy
>> to patch to make (but I have no idea how I'd test it).
>
>You can use QEMU and OVMF as a Secure Boot test system:
>https://www.decadent.org.uk/ben/blog/experiments-with-signed-kernels-and-modules-in-debian.html
>I'm not sure where you should get the Microsoft CA certificate from
>though.
>
>grub-efi-amd64-signed is *not* yet in the archive, though shim-signed
>is.
>
>Ben.
>
>--
>Ben Hutchings
>For every complex problem
>there is a solution that is simple, neat, and wrong.


--
Steve McIntyre, Cambridge, UK.                                [hidden email]
Into the distance, a ribbon of black
Stretched to the point of no turning back