live-build/scripts/build
Luca Boccassi 035518ff69 UEFI: add support for Secure Boot on amd64 and arm64
Support for UEFI Secure Boot is modelled after how it currently works
in Ubuntu and on how it is going to work on Debian.
A minimal bootloader, shim, is used as the first-stage and it then
loads grub. Both have to be signed.
shim-signed is already available in Debian so the filenames are
already established, and the grub2 repository and packaging is common
between the 2 distros so we can already be reasonably sure of what it
is going to be.
So if both are available, copy /usr/lib/shim/shim[x64|aa64].efi.signed
as boot[x64|aa64].efi so that UEFI loads it first, and copy
/usr/lib/grub/[x86_64|arm64]-efi-signed/grub[x64|aa64].efi.signed as
grub[x64|aa64].efi.
This grub2 EFI monolithic image is currently hard-coded in grub2's
repository to look for a config file in efi/debian, so make a copy
of the previously added minimal grub.cfg that loads the real one in
that directory in both the fat32 and ISO 9660 partitions.

The new option --uefi-secure-boot can be set to auto (default),
enable or disable.
In auto, the lack of the signed EFI binaries is intentionally left as a
soft failure - live-build will simply fall back to using the locally
generated non-signed grub2 monolithic EFI binary as the only
bootloader. Given the difficulties surrounding the Secure Boot
signing infrastructure this approach gives the most flexibility and
makes sure things will "just work" once the packages are available,
without the need to change anything in the configuration.
This will also greatly help downstream distributions and users who
want to do self-signing.
The enable or disable options work as expected.

Closes: #821084
2018-03-09 20:57:54 +00:00
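
The selection logic the commit message describes, as an added shell example (not live-build's own code). The function name, its arguments and the behaviour of `enable` when the signed binaries are missing are assumptions; the file paths are the ones named in the message.

```shell
#!/bin/sh
# Added example, not live-build's code. All names here are hypothetical.
# stage_efi ROOT ARCH MODE EFIDIR CFG
#   ROOT   tree holding /usr/lib/shim and /usr/lib/grub (e.g. the chroot)
#   ARCH   amd64 | arm64
#   MODE   auto | enable | disable
#   EFIDIR "efi" directory of the image (call once per partition:
#          fat32 and ISO 9660)
#   CFG    minimal grub.cfg that loads the real one
# Prints "signed" or "unsigned"; non-zero status means the build must stop.
stage_efi() {
    root=$1 arch=$2 mode=$3 efidir=$4 cfg=$5
    case $arch in
        amd64) efi=x64;  grubdir=x86_64-efi-signed ;;
        arm64) efi=aa64; grubdir=arm64-efi-signed ;;
        *) echo "unsupported architecture: $arch" >&2; return 2 ;;
    esac
    case $mode in
        auto|enable) ;;
        disable) echo unsigned; return 0 ;;
        *) echo "invalid mode: $mode" >&2; return 2 ;;
    esac
    shim="$root/usr/lib/shim/shim${efi}.efi.signed"
    grub="$root/usr/lib/grub/${grubdir}/grub${efi}.efi.signed"
    if [ -r "$shim" ] && [ -r "$grub" ]; then
        # shim takes the boot*.efi name so the firmware loads it first;
        # the signed grub only reads its config from efi/debian, so the
        # minimal grub.cfg is copied there.
        mkdir -p "$efidir/boot" "$efidir/debian" &&
        cp "$shim" "$efidir/boot/boot${efi}.efi" &&
        cp "$grub" "$efidir/boot/grub${efi}.efi" &&
        cp "$cfg" "$efidir/debian/grub.cfg" &&
        echo signed
        return
    fi
    if [ "$mode" = enable ]; then
        # Assumed behaviour: an explicit request is a hard failure.
        echo "signed shim/grub not found for $arch" >&2
        return 1
    fi
    # auto: soft failure, the caller installs the locally built unsigned grub
    echo unsigned
}
```

Because `auto` produces an image either way, a build that must boot under Secure Boot should check for the `signed` result (or use `enable`) instead of relying on the build succeeding.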
binary Added EFI support by the means of grub-efi 2016-07-31 15:09:13 +02:00
binary_checksums Updating year in copyright notices to 2015. 2015-01-04 20:05:44 +01:00
binary_chroot Updating year in copyright notices to 2015. 2015-01-04 20:05:44 +01:00
binary_disk Getting rid of hard-coded release numbers and using /etc/os-release instead (Closes: #790860). 2015-08-10 21:31:21 +02:00
binary_grub-efi UEFI: add support for Secure Boot on amd64 and arm64 2018-03-09 20:57:54 +00:00
binary_grub-legacy Default for LB_UNION_FILESYSTEM is now "overlay" just like in live-boot. 2016-12-02 15:10:19 +01:00
binary_grub-pc Drop useless code in binary_grub-pc 2016-12-02 15:01:28 +01:00
binary_hdd Fix Check_package invocation in binary_hdd for ntfs-3g 2018-02-14 18:49:36 +01:00
binary_hooks Correcting execution of local binary hooks. 2015-06-05 22:28:50 +02:00
binary_includes Updating year in copyright notices to 2015. 2015-01-04 20:05:44 +01:00
binary_iso Fix the way the .disk/mkisofs file is created 2017-11-20 22:20:53 +01:00
binary_linux-image Don't fail when initramfs is not used 2017-11-20 22:09:49 +01:00
binary_loadlin Check all dependencies independent of LB_BUILD_WITH_CHROOT 2017-09-01 10:22:09 +02:00
binary_loopback_cfg Failsafe entries rework at binary_loopback_cfg 2017-12-21 14:29:58 +01:00
binary_manifest Dropping automagics for casper. 2015-05-03 15:50:03 +02:00
binary_memtest Dropping automagics for casper. 2015-05-03 15:50:03 +02:00
binary_netboot Updating year in copyright notices to 2015. 2015-01-04 20:05:44 +01:00
binary_package-lists Check all dependencies independent of LB_BUILD_WITH_CHROOT 2017-09-01 10:22:09 +02:00
binary_rootfs Run mksquashfs with nice -n 19 to not overload the system 2018-02-24 17:04:04 +01:00
binary_syslinux Check all dependencies independent of LB_BUILD_WITH_CHROOT 2017-09-01 10:22:09 +02:00
binary_tar Correcting wrong tar command for tarball images, thanks to Yadickson Soto <yadickson@gmail.com> (Closes: #780627). 2015-04-28 07:58:16 +02:00
binary_win32-loader Check all dependencies independent of LB_BUILD_WITH_CHROOT 2017-09-01 10:22:09 +02:00
binary_zsync Updating year in copyright notices to 2015. 2015-01-04 20:05:44 +01:00
bootstrap Get rid of useless bootstrap_archive-keys script 2016-11-28 21:36:57 +01:00
bootstrap_archives Installing apt and dpkg updates (if any) first in derivatives mode, then doing dist-upgrade. 2015-05-23 12:42:16 +02:00
bootstrap_cache Updating year in copyright notices to 2015. 2015-01-04 20:05:44 +01:00
bootstrap_debootstrap Simplify bootstrapping of foreign architectures with qemu-debootstrap 2018-02-24 17:52:44 +01:00
build Calling lb config in lb build to support building a all-default-image with a simple lb build (Closes: #778327). 2015-04-28 07:58:16 +02:00
chroot Dropping support for upstart. 2015-05-03 16:12:30 +02:00
chroot_apt Updating year in copyright notices to 2015. 2015-01-04 20:05:44 +01:00
chroot_archives Fix build with local offline mirrors 2018-02-23 14:04:59 +00:00
chroot_cache Updating year in copyright notices to 2015. 2015-01-04 20:05:44 +01:00
chroot_debianchroot Updating year in copyright notices to 2015. 2015-01-04 20:05:44 +01:00
chroot_devpts Updating year in copyright notices to 2015. 2015-01-04 20:05:44 +01:00
chroot_dpkg force link creation when diverting flash-kernel 2015-09-23 10:44:11 +02:00
chroot_firmware Removing temporary hack to exclude prism2-usb-firmware-installer, the download homepage seems to work again (Closes: #783433). 2015-04-27 07:50:52 +02:00
chroot_hacks Dropping automagics for casper. 2015-05-03 15:50:03 +02:00
chroot_hooks Fix check for presence of chroot hooks 2015-07-26 13:44:16 +02:00
chroot_hostname Updating year in copyright notices to 2015. 2015-01-04 20:05:44 +01:00
chroot_hosts Updating year in copyright notices to 2015. 2015-01-04 20:05:44 +01:00
chroot_includes Correcting typo in stagefile check for includes.chroot. 2015-01-25 10:27:26 +01:00
chroot_install-packages Updating year in copyright notices to 2015. 2015-01-04 20:05:44 +01:00
chroot_interactive Updating year in copyright notices to 2015. 2015-01-04 20:05:44 +01:00
chroot_linux-image Updating year in copyright notices to 2015. 2015-01-04 20:05:44 +01:00
chroot_live-packages Updating year in copyright notices to 2015. 2015-01-04 20:05:44 +01:00
chroot_package-lists Check all dependencies independent of LB_BUILD_WITH_CHROOT 2017-09-01 10:22:09 +02:00
chroot_preseed Updating year in copyright notices to 2015. 2015-01-04 20:05:44 +01:00
chroot_proc Updating year in copyright notices to 2015. 2015-01-04 20:05:44 +01:00
chroot_resolv Updating year in copyright notices to 2015. 2015-01-04 20:05:44 +01:00
chroot_selinuxfs Updating year in copyright notices to 2015. 2015-01-04 20:05:44 +01:00
chroot_sysfs Updating year in copyright notices to 2015. 2015-01-04 20:05:44 +01:00
chroot_sysv-rc Updating year in copyright notices to 2015. 2015-01-04 20:05:44 +01:00
chroot_tmpfs Updating year in copyright notices to 2015. 2015-01-04 20:05:44 +01:00
clean Updating year in copyright notices to 2015. 2015-01-04 20:05:44 +01:00
config UEFI: add support for Secure Boot on amd64 and arm64 2018-03-09 20:57:54 +00:00
efi-image Try to reuse /isolinux/splash.png in default grub configuration. 2016-11-28 20:58:18 +01:00
grub-cpmodules Stolen efi-image and grub-cpmodules from src:live-installer 2016-07-31 15:09:13 +02:00
installer Dropping support for upstart. 2015-05-03 16:12:30 +02:00
installer_debian-installer Switch d-i.debian.org URIs from http to https. 2016-05-26 21:58:03 +02:00
installer_preseed Updating year in copyright notices to 2015. 2015-01-04 20:05:44 +01:00
source Updating year in copyright notices to 2015. 2015-01-04 20:05:44 +01:00
source_checksums Updating year in copyright notices to 2015. 2015-01-04 20:05:44 +01:00
source_debian Multi bootloader support 2015-08-29 23:56:41 +02:00
source_debian-live Updating year in copyright notices to 2015. 2015-01-04 20:05:44 +01:00
source_disk Getting rid of hard-coded release numbers and using /etc/os-release instead (Closes: #790860). 2015-08-10 21:31:21 +02:00
source_hdd Disable EXT4 64bit features 2016-06-18 19:36:16 +02:00
source_hooks Correcting execution of local source hooks. 2015-06-05 22:29:47 +02:00
source_iso Set xorriso's "modification time" to SOURCE_DATE_EPOCH 2016-11-28 20:58:19 +01:00
source_live Updating year in copyright notices to 2015. 2015-01-04 20:05:44 +01:00
source_tar Updating year in copyright notices to 2015. 2015-01-04 20:05:44 +01:00