On Thu, 20 Oct 2016 17:32:53 -0200 Helen Koike <helen.ko...@collabora.co.uk> wrote:
> Hi,
>
> To be able to create grub2-signed package we need a monolithic version
> of grub available, as grub doesn't know how to verify the signatures of its
> modules loaded from the disk, so we need a monolithic version containing
> grub and all its modules into a single image to be signed. Then
> grub2-signed package can depend on the signature and on monolithic grub
> package to be used when secure boot is enabled.
>
> So I was wondering if it would be ok to change the packages
> grub-efi-....deb to create a monolithic version of grub or if it will be
> preferable to create a grub-efi-monolithic....deb, or do you have any
> other idea?
>
> Thanks
> Helen Koike

Hi,

In case any of this could be of use: a small patch to build additional monolithic EFI grub packages for amd64/arm64 can be found here:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851994

and here's a grub2-signed source package that I derived from linux-signed:

https://github.com/bluca/grub2-signed

I've been successfully using these changes internally in our downstream rebuild at work. The other secure boot related grub patches are necessary as well (to enable the build in grub on platforms other than Ubuntu listed on #836140).

I know on Debian DAK will do the signing from a tarball with the unsigned binaries rather than a package, but just in case a user or another downstream wants to self-sign I wanted to leave these here for reference.

Kind regards,
Luca Boccassi