From: Fabian Grünbichler
To: pve-devel@lists.proxmox.com
Date: Fri, 26 Jan 2024 13:05:12 +0100
Message-Id: <20240126120512.415674-1-f.gruenbichler@proxmox.com>
Subject: [pve-devel] [RFC kernel-meta] add proxmox-secure-boot-support package

installing it at least gives the admin a heads up if our base Debian release is ever faster shipping a newer version of shim or Grub, which would look (something) like this:

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following package was automatically installed and is no longer required:
  proxmox-grub
Use 'sudo apt autoremove' to remove it.
The following packages will be REMOVED:
  proxmox-secure-boot-support
The following packages will be upgraded:
  shim-signed shim-signed-common
2 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.

it also allows us to pull in additional signed packages as they become available.

Signed-off-by: Fabian Grünbichler
---
it could also be "armed" similar to proxmox-ve, and require some special action before being removed.. but since the worst case is that the system fails to boot with SB enabled, which still should be possible to disable on all systems where PVE normally runs, that might be overkill..

 Makefile       |  4 +++-
 debian/control | 15 +++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile index dc06e40..fe71a42 100644 --- a/Makefile +++ b/Makefile
@@ -4,11 +4,13 @@ GITVERSION:=$(shell git rev-parse HEAD) KERNEL_DEB=proxmox-default-kernel_$(DEB_VERSION)_all.deb HEADERS_DEB=proxmox-default-headers_$(DEB_VERSION)_all.deb +# amd64 only for now! else we need to generate d/control +SECUREBOOT_DEB=proxmox-secure-boot-support_$(DEB_VERSION)_amd64.deb BUILD_DIR=proxmox-kernel-meta_$(DEB_VERSION) DSC=proxmox-kernel-meta_$(DEB_VERSION).dsc -DEBS=$(KERNEL_DEB) $(HEADERS_DEB) +DEBS=$(KERNEL_DEB) $(HEADERS_DEB) $(SECUREBOOT_DEB) .PHONY: deb dsc deb: $(DEBS) diff --git a/debian/control b/debian/control index c4d909d..6e9e094 100644 --- a/debian/control +++ b/debian/control @@ -26,3 +26,18 @@ Depends: proxmox-kernel-6.5, Description: Default Proxmox Kernel Image This is a metapackage which will install the kernel image for the default Proxmox kernel series. + +Package: proxmox-secure-boot-support +Architecture: amd64 +Section: admin +Priority: optional +Depends: grub-efi-amd64-signed (= 1+2.06+13+pmx1), + proxmox-grub (=2.06-13+pmx1), + shim-helpers-amd64-signed (= 1+15.7+1+pmx1), + shim-signed (= 1.39+pmx1+15.7-1+pmx1), + shim-unsigned (= 15.7-1+pmx1), +Description: Meta package pulling in signed Secure Boot related packages + This is a metapackage which will install and version-pin Proxmox variants of + the signed shim and Grub packages needed to support Secure Boot out of the box + on most systems. It only needs to be installed if Secure Boot support is + desired and no manual key enrollment is done. -- 2.39.2
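Review bot: the `# amd64 only for now!` comment in the Makefile hunk is not enforced by the code below it: `$(SECUREBOOT_DEB)` is appended to `DEBS` unconditionally, so `make deb` on any other architecture will demand a `proxmox-secure-boot-support_$(DEB_VERSION)_amd64.deb` that the build never produces (the package is declared `Architecture: amd64` in debian/control). Either guard the addition, e.g. `DEB_HOST_ARCH:=$(shell dpkg-architecture -qDEB_HOST_ARCH)` followed by `ifeq ($(DEB_HOST_ARCH),amd64)` / `DEBS+=$(SECUREBOOT_DEB)` / `endif`, or reword the comment to state that the whole package build is expected to run on amd64 only.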
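Review bot: in the debian/control hunk the Depends list writes `proxmox-grub (=2.06-13+pmx1)` without the space after `=` that the other four entries use (`(= 1+2.06+13+pmx1)` and so on); dpkg accepts both spellings, but the odd one out reads like a typo and is worth aligning. The long description also says the package version-pins the signed shim and Grub but not what the exact pins mean for the admin, which per the commit message is the whole point: apt removing this package is the signal that a newer shim or Grub than the pinned Proxmox variant is coming in. Suggest one more sentence in the description along the lines of "If apt proposes removing this package during an upgrade, a newer shim or Grub than the pinned Proxmox variant is being installed; check that the system still boots with Secure Boot enabled."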