|
Ticket: [[!tails_ticket 6560]]
|
|
Ticket: tails/tails#6560
|
|
|
|
|
|
|
|
|
|
|
|
[[_TOC_]]
|
|
|
|
|
|
[[!toc levels=2]]
|
|
|
|
|
|
|
|
# One possible plan
|
|
# One possible plan
|
|
|
|
|
... | @@ -14,19 +16,19 @@ We don't support booting on a custom built kernel, so that should be |
... | @@ -14,19 +16,19 @@ We don't support booting on a custom built kernel, so that should be |
|
relatively easy. Except:
|
|
relatively easy. Except:
|
|
|
|
|
|
* The kernel won't allow loading an unsigned `aufs` module so we need
|
|
* The kernel won't allow loading an unsigned `aufs` module so we need
|
|
to migrate to `overlayfs` ([[!tails_ticket 8415]]).
|
|
to migrate to `overlayfs` (tails/tails#8415).
|
|
* `overlayfs` does not allow stacking enough layers for our current
|
|
* `overlayfs` does not allow stacking enough layers for our current
|
|
upgrade system, so we need to [[!tails_ticket 15281 desc="stack one
|
|
upgrade system, so we need to stack one
|
|
single SquashFS diff when upgrading"]].
|
|
single SquashFS diff when upgrading (tails/tails#15281).
|
|
|
|
|
|
Resources
|
|
Resources
|
|
=========
|
|
=========
|
|
|
|
|
|
* Debian's [[!debwiki SecureBoot desc="Secure Boot support"]] will be
|
|
* Debian's [Secure Boot support](https://wiki.debian.org/SecureBoot) will be
|
|
done for GRUB first, unclear if other bootloaders will be supported
|
|
done for GRUB first, unclear if other bootloaders will be supported
|
|
- tracker bug: [[!debbug 820036]]
|
|
- tracker bug: [Debian bug #820036](https://bugs.debian.org/820036)
|
|
- shim is [[!debpts shim-signed desc="in Debian"]] (signed by the
|
|
- shim is [in Debian](https://tracker.debian.org/pkg/shim%2Dsigned) (signed by the
|
|
Microsoft UEFI CA) but grub2-signed is not ([[!debbug 820050 desc="RFP bug"]]).
|
|
Microsoft UEFI CA) but grub2-signed is not ([RFP bug](https://bugs.debian.org/820050)).
|
|
* How other distros do it:
|
|
* How other distros do it:
|
|
- [Ubuntu](https://wiki.ubuntu.com/UEFI/SecureBoot)
|
|
- [Ubuntu](https://wiki.ubuntu.com/UEFI/SecureBoot)
|
|
- [ArchLinux](https://wiki.archlinux.org/index.php/Secure_Boot)
|
|
- [ArchLinux](https://wiki.archlinux.org/index.php/Secure_Boot)
|
... | @@ -60,7 +62,7 @@ Automated testing |
... | @@ -60,7 +62,7 @@ Automated testing |
|
|
|
|
|
* The hard(est) part seems to be about how to enroll the signing keys
|
|
* The hard(est) part seems to be about how to enroll the signing keys
|
|
into the nvram file.
|
|
into the nvram file.
|
|
- [[!debpkg ovmf]] 0.0~20200229-2 installs a "ms" firmware
|
|
- [ovmf](http://packages.debian.org/ovmf) 0.0~20200229-2 installs a "ms" firmware
|
|
descriptor, "which has keys pre-enrolled and Secure Boot enabled".
|
|
descriptor, "which has keys pre-enrolled and Secure Boot enabled".
|
|
E.g. in the package there's `/usr/share/OVMF/OVMF_VARS.ms.fd`
|
|
E.g. in the package there's `/usr/share/OVMF/OVMF_VARS.ms.fd`
|
|
and `/usr/share/qemu/firmware/40-edk2-x86_64-secure-enrolled.json`.
|
|
and `/usr/share/qemu/firmware/40-edk2-x86_64-secure-enrolled.json`.
|
... | @@ -72,3 +74,4 @@ Automated testing |
... | @@ -72,3 +74,4 @@ Automated testing |
|
* <https://en.opensuse.org/openSUSE:UEFI_Secure_boot_using_qemu-kvm>
|
|
* <https://en.opensuse.org/openSUSE:UEFI_Secure_boot_using_qemu-kvm>
|
|
* <https://fedoraproject.org/wiki/Using_UEFI_with_QEMU#Testing_Secureboot_in_a_VM>
|
|
* <https://fedoraproject.org/wiki/Using_UEFI_with_QEMU#Testing_Secureboot_in_a_VM>
|
|
* <https://github.com/puiterwijk/qemu-ovmf-secureboot>
|
|
* <https://github.com/puiterwijk/qemu-ovmf-secureboot>
|
|
|
|
|