alkisg | Hi, in http://archive.ubuntu.com/ubuntu/dists/devel/main/uefi/ I can find grubx64.efi/vmlinuz and others, but not shimx64.efi, that would allow me to secure boot them. | 06:53 |
---|---|---|
alkisg | Is there any URL to download shimx64.efi, other than https://packages.ubuntu.com/disco/amd64/shim/download ? | 06:53 |
rbasak | What's wrong with the shim package? | 07:00 |
rbasak | That's where shimx64.efi is shipped. | 07:00 |
rbasak | What's the problem you're trying to solve? | 07:00 |
alkisg | rbasak: I assume that those grub*.efi files are directly linkable for people that want to netboot their machines etc; but I can't secure-netboot without the shim package | 07:05 |
alkisg | Specifically, I'm trying to create a uefi-boot.sh script, that will automate the creation of a uefi-boot.zip file, that windows users will be able to unzip into their EFI partitions,... | 07:06 |
alkisg | ...to do: UEFI > shim > grub > netboot/local boot | 07:06 |
rbasak | I see. I don't know then, sorry. | 07:07 |
alkisg | No worries, thank you | 07:07 |
alkisg | A related question, is Ubuntu's shim the same as Fedora's shim? Or are they 2 different packages with the same name and with the same purpose? I got confused while searching for their upstreams... | 07:08 |
rbasak | https://git.launchpad.net/ubuntu/+source/shim/tree/debian/watch?h=applied/ubuntu/devel | 07:22 |
rbasak | The upstream is https://github.com/mjg59/shim | 07:23 |
rbasak | According to the watch file at least. | 07:23 |
alkisg | ...which is 301 commits behind rhboot:master, according to github | 07:24 |
alkisg | https://github.com/rhboot/shim/ | 07:24 |
alkisg | I think the watch file isn't up to date | 07:26 |
rbasak | https://git.launchpad.net/ubuntu/+source/shim/tree/debian/changelog?h=applied/ubuntu/devel suggests commit 3beb971 was used. Can you find which upstream repositories include that? | 07:35 |
alkisg | Sure, it's there: https://github.com/rhboot/shim/commit/3beb971b10659cf78144ddc5eeea83501384440c | 07:42 |
alkisg | rhboot is "Red Hat Bootloader Team" | 07:43 |
alkisg | I think Ubuntu ended up using shim from Fedora; I'm not sure if that means that a UEFI user can have both Ubuntu and Fedora in his system. | 07:45 |
alkisg | I.e. if Ubuntu's shimx64.efi is loaded, that would prohibit loading Fedora's grub; and the opposite. Unless, Canonical and Red Hat agreed to include both Canonical and Red Hat keys in shim... | 07:46 |
* alkisg | only sees canonical-uefi-ca.der and debian-uefi-ca.der in the debian/ folder... | 07:51 |
alkisg | Refind seems to include common distro keys... https://sourceforge.net/p/refind/code/ci/master/tree/keys/ | 07:55 |
alkisg | OK, I found great documentation at https://www.rodsbooks.com/efi-bootloaders/secureboot.html#using_signed | 08:09 |
xnox | rbasak, alkisg - well ubuntu shim is different from upstream. | 08:21 |
alkisg | xnox: I'm having an issue with Ubuntu's shim, and upstream says it's fixed since 2017, but the fix isn't there in disco. How much different? | 08:22 |
xnox | alkisg, you can use ubuntu's shim + ubuntu's grub to boot non-ubuntu systems | 08:22 |
xnox | alkisg, open a bug report in launchpad, against the shim package | 08:22 |
alkisg | xnox: how? Say for example I want to boot ipxe.efi with secure boot enabled. I don't see any way for it. | 08:22 |
alkisg | xnox: https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1813541 | 08:23 |
ubottu | Launchpad bug 1813541 in shim (Ubuntu) "Shim uses wrong TFTP server IP in proxyDHCP mode" [Undecided,New] | 08:23 |
xnox | alkisg, for starters we compile and get microsoft to sign our build of shim =) | 08:23 |
alkisg | I got that part; what I don't understand is how it's possible to load another distro then, using the ubuntu shim | 08:23 |
alkisg | From what I read so far, only if the grub ubuntu build contained all the distro keys, it would be possible to load other distros | 08:24 |
xnox | alkisg, you mention it is fixed upstream.... can you paste the links to upstream git commits? (whatever you think the upstream is) | 08:24 |
alkisg | xnox: this is my upstream bug report, the fix is mentioned in the last comments: https://github.com/rhboot/shim/issues/165 | 08:25 |
alkisg | Specifically, it's this commit from 2017: https://github.com/rhboot/shim/commit/5f4fd5364109c80934b7837255ddde61f572fd69 | 08:25 |
xnox | alkisg, ..... comment on the launchpad bug with pointers to upstream commit ids | 08:26 |
xnox | alkisg, cause you didn't mention these there.... | 08:26 |
alkisg | I think the fix is already included in disco, just not working | 08:26 |
alkisg | You're saying shim is different, do you mean that for some reason it would omit commits from 2017? | 08:26 |
xnox | alkisg, please comment the urls nonetheless, please | 08:26 |
alkisg | Sure, np there | 08:26 |
alkisg | Could you please explain this? (10:23:56 AM) alkisg: I got that part; what I don't understand is how it's possible to load another distro then, using the ubuntu shim | 08:27 |
alkisg | Let's suppose I want to load Ubuntu's ipxe.efi, with secure boot enabled. Currently I can't do it. | 08:27 |
alkisg | UEFI > shim > grub > ipxe.efi | 08:27 |
alkisg | Grub refuses to load it | 08:28 |
xnox | alkisg, i haven't done that using ipxe, i have done secureboot booting of other systems locally (dual boot) | 08:28 |
alkisg | How? | 08:28 |
alkisg | Did you add the keys to the firmware using mokmanager? | 08:28 |
alkisg | For completeness, this is my report for grub-ipxe/uefi, where vorlon mentioned it won't be possible with secure boot: | 08:33 |
alkisg | https://bugs.launchpad.net/ubuntu/+source/ipxe/+bug/1811496 | 08:33 |
ubottu | Launchpad bug 1811496 in ipxe (Ubuntu) "Make grub-ipxe work under UEFI" [Medium,New] | 08:34 |
alkisg | (and I wonder why it's not possible to just sign ipxe.efi in the same way as vmlinuz is signed, with the canonical key, not the microsoft key) | 08:34 |
alkisg | Btw, to ensure I'm not misunderstood, what I mainly care about is to allow users to netboot ubuntu; ipxe is extremely convenient there in most of the cases but it currently doesn't work under uefi (a one-liner change) nor with secureboot (harder to fix) | 08:51 |
seb128 | https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1814355 | 10:11 |
ubottu | Launchpad bug 1814355 in snapd (Ubuntu) "snapd remove /usr/local/bin from the PATH for all systemd unit (bionic SRU regression)" [High,Confirmed] | 10:11 |
seb128 | that seems like a potential problem in the LTS due to a SRU release on Friday | 10:11 |
seb128 | !SRU | 10:12 |
ubottu | Stable Release Update information is at https://wiki.ubuntu.com/StableReleaseUpdates | 10:12 |
seb128 | unsure what the tag is to ping people | 10:12 |
tumbleweed | Laney: you suggested a bileto for bootstrapping, but I think I need some permissions for that? | 11:21 |
tumbleweed | https://bileto.ubuntu.com/#/ticket/3625 didn't get given a PPA | 11:21 |
ahasenack | Skuggen: hi, do you know if {my_,}load_defaults is gone from mysql8? I'm checking net-snmp and it looks like it's using mysql_options() as a replacement of some sort | 15:37 |
ahasenack | infinity: hi, do you remember this apache2 patch? https://git.launchpad.net/ubuntu/+source/apache2/tree/debian/patches/086_svn_cross_compiles | 15:54 |
ahasenack | infinity: I see it applied in apache trunk, but it never made it into a release | 15:54 |
ahasenack | infinity: what was it trying to fix, and is that still relevant? | 15:54 |
ahasenack | it still applies, but with more and more offset every time, and is part of our delta with debian | 15:55 |
=== | Fauxdem is now known as Faux | |
vorlon | alkisg: it is /possible/ to sign the ipxe uefi binary. But we're not /going/ to, because it increases exposure of our key to use it to sign more code, and we haven't audited this code and don't intend to | 19:21 |
alkisg | vorlon: thank you for that input. Ubuntu users lack a way to netboot with secure boot enabled currently; it would help; but ok, at least I have an official answer for them, "not supported; disable secure boot". | 19:23 |
vorlon | alkisg: we do publish a secureboot-signed grubnetx64.efi for use with netbooting | 19:24 |
alkisg | At least, if grub and shim get fixed for proxydhcp, it'll be possible to use the uefi stack, for some users | 19:24 |
alkisg | It doesn't work with proxydhcp | 19:24 |
vorlon | right | 19:24 |
vorlon | so that's a bug we'll fix in our supported netboot stack | 19:24 |
alkisg | I filed 2 bug reports, both for shim and grub; hopefully they'll be addressed some time in the future | 19:25 |
alkisg | You saw the one for shim, this is the upstream one for grub: https://savannah.gnu.org/bugs/index.php?55636 | 19:26 |
alkisg | vorlon: did I understand correctly that it's not possible to dual boot ubuntu/fedora with secure boot enabled, without using mokmanager etc? | 19:28 |
alkisg | I.e. that the canonical shim>grub stack doesn't contain the fedora kernel public keys, and vice versa? | 19:29 |
alkisg | (I'm not using fedora at all; just trying to see if I understood the secure boot process correctly...) | 19:29 |
vorlon | alkisg: it is certainly possible to dual boot ubuntu and other OSes without using mokmanager; you could chain from Ubuntu's GRUB to a Fedora shim signed by MS, or you could use the EFI boot menu to select. You could not directly chain from Ubuntu GRUB to a Fedora kernel or to a Fedora GRUB. | 22:24 |