public inbox for pve-devel@lists.proxmox.com
* [pve-devel] [RFC kernel-meta] add proxmox-secure-boot-support package
@ 2024-01-26 12:05 Fabian Grünbichler
From: Fabian Grünbichler @ 2024-01-26 12:05 UTC (permalink / raw)
  To: pve-devel

installing it at least gives the admin a heads-up if our base Debian release is
ever faster shipping a newer version of shim or Grub, which would look
(something) like this:

 Reading package lists... Done
 Building dependency tree... Done
 Reading state information... Done
 The following package was automatically installed and is no longer required:
   proxmox-grub
 Use 'sudo apt autoremove' to remove it.
 The following packages will be REMOVED:
   proxmox-secure-boot-support
 The following packages will be upgraded:
   shim-signed shim-signed-common
 2 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.

it also allows us to pull in additional signed packages as they become
available.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
it could also be "armed" similar to proxmox-ve, and require some special action
before being removed.. but since the worst case is that the system fails to
boot with SB enabled, which still should be possible to disable on all systems
where PVE normally runs, that might be overkill..

 Makefile       |  4 +++-
 debian/control | 15 +++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index dc06e40..fe71a42 100644
--- a/Makefile
+++ b/Makefile
@@ -4,11 +4,13 @@ GITVERSION:=$(shell git rev-parse HEAD)
 
 KERNEL_DEB=proxmox-default-kernel_$(DEB_VERSION)_all.deb
 HEADERS_DEB=proxmox-default-headers_$(DEB_VERSION)_all.deb
+# amd64 only for now! else we need to generate d/control
+SECUREBOOT_DEB=proxmox-secure-boot-support_$(DEB_VERSION)_amd64.deb
 
 BUILD_DIR=proxmox-kernel-meta_$(DEB_VERSION)
 DSC=proxmox-kernel-meta_$(DEB_VERSION).dsc
 
-DEBS=$(KERNEL_DEB) $(HEADERS_DEB)
+DEBS=$(KERNEL_DEB) $(HEADERS_DEB) $(SECUREBOOT_DEB)
 
 .PHONY: deb dsc
 deb: $(DEBS)
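Review bot: the hard-coded `_amd64.deb` suffix in `SECUREBOOT_DEB`, flagged by the "amd64 only for now!" comment, makes `make deb` fail on any non-amd64 build host even though the other two metapackages in `DEBS` are `_all`. Since d/control already declares the architecture for the new package, the suffix could be derived with `$(shell dpkg-architecture -qDEB_HOST_ARCH)` or the target gated on it, and the comment should state what has to change in d/control when further architectures are added rather than just that it is missing.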
diff --git a/debian/control b/debian/control
index c4d909d..6e9e094 100644
--- a/debian/control
+++ b/debian/control
@@ -26,3 +26,18 @@ Depends: proxmox-kernel-6.5,
 Description: Default Proxmox Kernel Image
  This is a metapackage which will install the kernel image for the default
  Proxmox kernel series.
+
+Package: proxmox-secure-boot-support
+Architecture: amd64
+Section: admin
+Priority: optional
+Depends: grub-efi-amd64-signed (= 1+2.06+13+pmx1),
+         proxmox-grub (=2.06-13+pmx1),
+         shim-helpers-amd64-signed (= 1+15.7+1+pmx1),
+         shim-signed (= 1.39+pmx1+15.7-1+pmx1),
+         shim-unsigned (= 15.7-1+pmx1),
+Description: Meta package pulling in signed Secure Boot related packages
+ This is a metapackage which will install and version-pin Proxmox variants of
+ the signed shim and Grub packages needed to support Secure Boot out of the box
+ on most systems. It only needs to be installed if Secure Boot support is
+ desired and no manual key enrollment is done.
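Review bot: the Depends pins are written `(= version)` for every entry except `proxmox-grub (=2.06-13+pmx1)`, which drops the space; make the field consistent. More substantively, the apt output in the cover letter shows `shim-signed-common` being upgraded together with `shim-signed`, yet it is not pinned here, so a Debian upgrade touching only shim-signed-common would not trigger the metapackage removal that serves as the admin's signal; consider pinning it as well. The long description says "version-pin", but with exact `=` pins a newer Debian shim or Grub removes this metapackage instead of holding the versions back, which is worth spelling out so admins read the removal as the intended warning.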
-- 
2.39.2
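An added check, not part of this patch or of any Proxmox repository, that reads the exact pins from the control stanza above and reports packages whose installed version has drifted from the pin, which is the same condition under which apt would drop the metapackage. `DEPENDS` is a copy of the stanza's field; `INSTALLED` is a constructed "pkg version" table used instead of `dpkg-query` when set, so the check also runs on a non-Debian host.

```shell
#!/bin/sh
# Added example, not part of the patch: verify that the packages pinned by
# proxmox-secure-boot-support are installed at exactly the pinned versions.

# Constructed copy of the Depends field from the stanza in the patch.
DEPENDS='grub-efi-amd64-signed (= 1+2.06+13+pmx1),
         proxmox-grub (=2.06-13+pmx1),
         shim-helpers-amd64-signed (= 1+15.7+1+pmx1),
         shim-signed (= 1.39+pmx1+15.7-1+pmx1),
         shim-unsigned (= 15.7-1+pmx1),'

# Optional constructed lookup table, one "pkg version" per line; when set it
# replaces dpkg-query so the check can be exercised outside Debian.
INSTALLED=${INSTALLED:-}

# parse_pins DEPENDS: print "pkg version" for every "pkg (= version)" entry.
parse_pins() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -n 's/^ *\([^ ]*\) *(= *\([^)]*\)).*/\1 \2/p'
}

# installed_version PKG: version from INSTALLED or dpkg-query, else "none".
installed_version() {
    if [ -n "$INSTALLED" ]; then
        v=$(printf '%s\n' "$INSTALLED" | awk -v p="$1" '$1 == p { print $2 }')
    else
        v=$(dpkg-query -W -f '${Version}' "$1" 2>/dev/null) || v=""
    fi
    echo "${v:-none}"
}

# check_pins: print one MISMATCH line per drifted package; status 1 if any.
# A newer Debian shim or Grub shows up here exactly like the apt removal
# in the cover letter, but before an upgrade is applied.
check_pins() {
    mismatches=$(parse_pins "$DEPENDS" | while read -r pkg want; do
        have=$(installed_version "$pkg")
        [ "$have" = "$want" ] || echo "MISMATCH $pkg installed=$have pinned=$want"
    done)
    [ -n "$mismatches" ] && printf '%s\n' "$mismatches"
    [ -z "$mismatches" ]
}

# Usage on a Debian host: sh check_sb_pins.sh run  (exits 1 on drift)
case "${1:-}" in run) check_pins ;; esac
```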

* Re: [pve-devel] [RFC kernel-meta] add proxmox-secure-boot-support package
From: Thomas Lamprecht @ 2024-02-02 18:23 UTC (permalink / raw)
  To: Proxmox VE development discussion, Fabian Grünbichler

On 26/01/2024 at 13:05 Fabian Grünbichler wrote:
> installing it at least gives the admin a heads-up if our base Debian release is
> ever faster shipping a newer version of shim or Grub, which would look
> (something) like this:
> 
>  Reading package lists... Done
>  Building dependency tree... Done
>  Reading state information... Done
>  The following package was automatically installed and is no longer required:
>    proxmox-grub
>  Use 'sudo apt autoremove' to remove it.
>  The following packages will be REMOVED:
>    proxmox-secure-boot-support
>  The following packages will be upgraded:
>    shim-signed shim-signed-common
>  2 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
> 
> it also allows us to pull in additional signed packages as they become
> available.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> ---
> it could also be "armed" similar to proxmox-ve, and require some special action
> before being removed.. but since the worst case is that the system fails to
> boot with SB enabled, which still should be possible to disable on all systems
> where PVE normally runs, that might be overkill..


seems OK w.r.t. change, but do we want this to be either part of the shim,
or a separate repo? So that we do not need to ship a new kernel meta package
when the shim version pinning needs an update? As it feels a bit unrelated
to the kernel meta package in general to me.

* Re: [pve-devel] [RFC kernel-meta] add proxmox-secure-boot-support package
From: Fabian Grünbichler @ 2024-02-05 11:45 UTC (permalink / raw)
  To: Proxmox VE development discussion, Thomas Lamprecht

On February 2, 2024 7:23 pm, Thomas Lamprecht wrote:
> On 26/01/2024 at 13:05 Fabian Grünbichler wrote:
>> installing it at least gives the admin a heads-up if our base Debian release is
>> ever faster shipping a newer version of shim or Grub, which would look
>> (something) like this:
>> 
>>  Reading package lists... Done
>>  Building dependency tree... Done
>>  Reading state information... Done
>>  The following package was automatically installed and is no longer required:
>>    proxmox-grub
>>  Use 'sudo apt autoremove' to remove it.
>>  The following packages will be REMOVED:
>>    proxmox-secure-boot-support
>>  The following packages will be upgraded:
>>    shim-signed shim-signed-common
>>  2 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
>> 
>> it also allows us to pull in additional signed packages as they become
>> available.
>> 
>> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
>> ---
>> it could also be "armed" similar to proxmox-ve, and require some special action
>> before being removed.. but since the worst case is that the system fails to
>> boot with SB enabled, which still should be possible to disable on all systems
>> where PVE normally runs, that might be overkill..
> 
> 
> seems OK w.r.t. change, but do we want this to be either part of the shim,
> or a separate repo? So that we do not need to ship a new kernel meta package
> when the shim version pinning needs an update? As it feels a bit unrelated
> to the kernel meta package in general to me.

well, it needs to be updated when either grub or shim has a security
update (or on major releases of course), so there's not really one place
to fit it. we could have a separate repo (or refactor this one to
contain two source packages, but that's fairly ugly as well) - that
would obviously work as well.

* Re: [pve-devel] [RFC kernel-meta] add proxmox-secure-boot-support package
From: Thomas Lamprecht @ 2024-02-06  9:40 UTC (permalink / raw)
  To: Proxmox VE development discussion, Fabian Grünbichler

On 05/02/2024 at 12:45 Fabian Grünbichler wrote:
> On February 2, 2024 7:23 pm, Thomas Lamprecht wrote:
>> seems OK w.r.t. change, but do we want this to be either part of the shim,
>> or a separate repo? So that we do not need to ship a new kernel meta package
>> when the shim version pinning needs an update? As it feels a bit unrelated
>> to the kernel meta package in general to me.
> 
> well, it needs to be updated when either grub or shim has a security
> update (or on major releases of course), so there's not really one place
> to fit it. we could have a separate repo (or refactor this one to
> contain two source packages, but that's fairly ugly as well) - that
> would obviously work as well.
> 

Then I'd prefer an extra repo, until now we basically pulled any
such only tangentially related package out of the source package it
was added to, as there is basically no time that a single change will
affect both, and I really do not like that churn – while not a biggie
it just is unnecessary churn, which I'm really not a fan of (and thus
highly probably want to rip this out sooner or later anyway).

* Re: [pve-devel] [RFC kernel-meta] add proxmox-secure-boot-support package
From: Fabian Grünbichler @ 2024-04-11 11:45 UTC (permalink / raw)
  To: Proxmox VE development discussion, Thomas Lamprecht

On February 6, 2024 10:40 am, Thomas Lamprecht wrote:
> On 05/02/2024 at 12:45 Fabian Grünbichler wrote:
>> On February 2, 2024 7:23 pm, Thomas Lamprecht wrote:
>>> seems OK w.r.t. change, but do we want this to be either part of the shim,
>>> or a separate repo? So that we do not need to ship a new kernel meta package
>>> when the shim version pinning needs an update? As it feels a bit unrelated
>>> to the kernel meta package in general to me.
>> 
>> well, it needs to be updated when either grub or shim has a security
>> update (or on major releases of course), so there's not really one place
>> to fit it. we could have a separate repo (or refactor this one to
>> contain two source packages, but that's fairly ugly as well) - that
>> would obviously work as well.
>> 
> 
> Then I'd prefer an extra repo, until now we basically pulled any
> such only tangentially related package out of the source package it
> was added to, as there is basically no time that a single change will
> affect both, and I really do not like that churn – while not a biggie
> it just is unnecessary churn, which I'm really not a fan of (and thus
> highly probably want to rip this out sooner or later anyway).

this is done now, see https://git.proxmox.com/?p=proxmox-secure-boot-support.git;a=summary