From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [RFC kernel-meta] add proxmox-secure-boot-support package
Date: Fri, 26 Jan 2024 13:05:12 +0100
Message-ID: <20240126120512.415674-1-f.gruenbichler@proxmox.com>
installing it at least gives the admin a heads up if our base Debian release is
ever faster shipping a newer version of shim or Grub, which would look
(something) like this:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following package was automatically installed and is no longer required:
proxmox-grub
Use 'sudo apt autoremove' to remove it.
The following packages will be REMOVED:
proxmox-secure-boot-support
The following packages will be upgraded:
shim-signed shim-signed-common
2 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
it also allows us to pull in additional signed packages as they become
available.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
it could also be "armed" similar to proxmox-ve, and require some special action
before being removed.. but since the worst case is that the system fails to
boot with SB enabled, which still should be possible to disable on all systems
where PVE normally runs, that might be overkill..
Makefile | 4 +++-
debian/control | 15 +++++++++++++++
2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index dc06e40..fe71a42 100644
--- a/Makefile
+++ b/Makefile
@@ -4,11 +4,13 @@ GITVERSION:=$(shell git rev-parse HEAD)
KERNEL_DEB=proxmox-default-kernel_$(DEB_VERSION)_all.deb
HEADERS_DEB=proxmox-default-headers_$(DEB_VERSION)_all.deb
+# amd64 only for now! else we need to generate d/control
+SECUREBOOT_DEB=proxmox-secure-boot-support_$(DEB_VERSION)_amd64.deb
BUILD_DIR=proxmox-kernel-meta_$(DEB_VERSION)
DSC=proxmox-kernel-meta_$(DEB_VERSION).dsc
-DEBS=$(KERNEL_DEB) $(HEADERS_DEB)
+DEBS=$(KERNEL_DEB) $(HEADERS_DEB) $(SECUREBOOT_DEB)
.PHONY: deb dsc
deb: $(DEBS)
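Review bot: SECUREBOOT_DEB is appended to DEBS unconditionally with a hard-coded _amd64 suffix, so the "deb: $(DEBS)" target now always depends on an amd64 file name; the new comment acknowledges the limitation but nothing guards it. Consider appending $(SECUREBOOT_DEB) to DEBS only when the build architecture is amd64, so the target list matches what the build can produce. The comment could also spell out what generating d/control would have to cover (the Architecture field and the -amd64 dependency names), so the follow-up work is clear.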
diff --git a/debian/control b/debian/control
index c4d909d..6e9e094 100644
--- a/debian/control
+++ b/debian/control
@@ -26,3 +26,18 @@ Depends: proxmox-kernel-6.5,
Description: Default Proxmox Kernel Image
This is a metapackage which will install the kernel image for the default
Proxmox kernel series.
+
+Package: proxmox-secure-boot-support
+Architecture: amd64
+Section: admin
+Priority: optional
+Depends: grub-efi-amd64-signed (= 1+2.06+13+pmx1),
+ proxmox-grub (=2.06-13+pmx1),
+ shim-helpers-amd64-signed (= 1+15.7+1+pmx1),
+ shim-signed (= 1.39+pmx1+15.7-1+pmx1),
+ shim-unsigned (= 15.7-1+pmx1),
+Description: Meta package pulling in signed Secure Boot related packages
+ This is a metapackage which will install and version-pin Proxmox variants of
+ the signed shim and Grub packages needed to support Secure Boot out of the box
+ on most systems. It only needs to be installed if Secure Boot support is
+ desired and no manual key enrollment is done.
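Review bot: the Depends field pins five packages to exact (=) versions written by hand, so an upgrade of any of them that is not matched by a bump here leads apt to propose removing this package, as the output in the commit message shows. A comment in d/control or a note in the packaging docs that these versions must be bumped in lockstep with each shim or Grub upload would help, or the versions could be filled in at build time instead of being hard-coded. Two style points in the same field: "proxmox-grub (=2.06-13+pmx1)" lacks the space after "=" that the other entries have, and the last entry "shim-unsigned (= 15.7-1+pmx1)," ends with a trailing comma. The Description mentions only signed shim and Grub packages while the list also pins shim-unsigned; a short explanation of why it is included would be useful.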
--
2.39.2