Boot failure on Debian 10 #6
Comments
Patch submitted to Debian maintainer of grub package: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906124#55 |
Still no updates it looks like? Would it be possible for us to use the package from Debian 9 in the meantime? |
Hello, Debian grub2 package developers stopped responding to any attempts to fix that. I think it's much easier to apply the patch from this thread to the Debian 10 package source. Even if the package is overwritten by upcoming grub package updates, the grub binary installed by linux-secureboot-kit will be unaffected. The process should look like this:
|
Thanks for the info. Perhaps it wouldn't be a bad idea on Debian to forego trying to fix grub and just bypass it entirely using a single signed EFI that combines kernel and initramfs. I believe this is one such example: https://gist.github.com/zaxebo1/a17577390512bdea35a00d111dac8aa2 |
Made a thing to get around this limitation if you (or anyone else) were interested: https://github.com/noahbliss/mortar |
@noahbliss Thanks! That looks like a step up solution since it uses metered boot and TPM. |
Hey @Snawoot I'm back. Any chance you could give me a hand with using the db cert/key to sign modules with DKMS/other method in mortar? With many distros starting to enforce lockdown mode with kernel 5.4+ this is becoming more of a priority for me to implement. Otherwise I may browse your code for inspiration if that's cool. |
Hi! Sure! It's possible to add a signing hook into DKMS with
Here is the DKMS config override, which is installed for each DKMS module into /etc/dkms/. Here is what it does:
This "config" file contains nothing specific to the linux-secureboot-kit project except the path to the db cert/key. It's in lines 81, 87, 92. You may use this hook right away in your project. And there is another script which is responsible for installation of DKMS hooks. It just enumerates all modules installed via DKMS and symlinks the DKMS config override with the hook into /etc/dkms. I think the only constant you need to modify in it is the location of the installed DKMS hook file (which was discussed above). So, I think everything is ready and you may just add these files into your project with minor modifications. If you have questions or need further assistance you may reach me directly:
|
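The installer step described in the comment above (enumerate DKMS modules, symlink one shared override into /etc/dkms), as an added example that is not part of the thread or of linux-secureboot-kit. It assumes DKMS keeps one directory per module under /var/lib/dkms and reads per-module overrides from /etc/dkms/<module>.conf; the function name and its output lines are made up for illustration.

```shell
#!/bin/sh
# Added example (not linux-secureboot-kit code): link one shared DKMS override
# file into /etc/dkms for every module present in the DKMS tree.
# Assumed defaults: tree at /var/lib/dkms, per-module override at
# /etc/dkms/<module>.conf. Both are parameters so a scratch dir can be used.

# link_dkms_overrides OVERRIDE [TREE] [ETC_DIR]
# Prints "linked|ok|skipped <module>" per module; returns 0 only if every
# module ends up pointing at OVERRIDE.
link_dkms_overrides() {
    override=$1
    tree=${2:-/var/lib/dkms}
    etc_dir=${3:-/etc/dkms}

    [ -f "$override" ] || { echo "no override file: $override" >&2; return 2; }
    [ -d "$tree" ] || { echo "no DKMS tree: $tree" >&2; return 2; }
    # The override carries the signing hook and the db key path, so refuse
    # one that any local user could edit.
    if [ -n "$(find "$override" -prune -perm -0002)" ]; then
        echo "override is world-writable: $override" >&2
        return 2
    fi
    mkdir -p "$etc_dir" || return 2

    rc=0
    for dir in "$tree"/*/; do
        [ -d "$dir" ] || continue          # glob matched nothing
        module=$(basename "$dir")
        link="$etc_dir/$module.conf"
        if [ -L "$link" ] && [ "$(readlink "$link")" = "$override" ]; then
            echo "ok $module"              # already in place, rerun is a no-op
        elif [ -e "$link" ] && [ ! -L "$link" ]; then
            echo "skipped $module"         # hand-written config, do not clobber
            rc=1
        elif ln -sfn "$override" "$link"; then
            echo "linked $module"          # new link, or stale link repointed
        else
            rc=1
        fi
    done
    return "$rc"
}
```

A module reported as "skipped" keeps its existing config and will be built without the signing hook, so the non-zero return is worth checking before relying on lockdown-mode module loading.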
Dang! Solid info. I'll give it some cycles and see where I land, thanks a ton! |
CentOS 8 backported ugly linux-efi bugs from Debian as well, so lsbk is unusable on it too. |
GRUB fails to validate the kernel signature due to a Debian bug introduced by Debian patches to grub. I'm seeking a way to work around it.