[06:53] <alkisg> Hi, in http://archive.ubuntu.com/ubuntu/dists/devel/main/uefi/ I can find grubx64.efi/vmlinuz and others, but not shimx64.efi, that would allow me to secure boot them.
[06:53] <alkisg> Is there any URL to download shimx64.efi, other than https://packages.ubuntu.com/disco/amd64/shim/download ?
[07:00] <rbasak> What's wrong with the shim package?
[07:00] <rbasak> That's where shimx64.efi is shipped.
[07:00] <rbasak> What's the problem you're trying to solve?
[07:05] <alkisg> rbasak: I assume that those grub*.efi files are directly linkable for people that want to netboot their machines etc; but I can't secure-netboot without the shim package
[07:06] <alkisg> Specifically, I'm trying to create a uefi-boot.sh script, that will automate the creation of a uefi-boot.zip file, that Windows users will be able to unzip into their EFI partitions,...
[07:06] <alkisg> ...to do: UEFI > shim > grub > netboot/local boot
[07:07] <rbasak> I see. I don't know then, sorry.
[07:07] <alkisg> No worries, thank you
[07:08] <alkisg> A related question, is Ubuntu's shim the same as Fedora's shim? Or are they 2 different packages with the same name and with the same purpose? I got confused while searching for their upstreams...
[07:22] <rbasak> https://git.launchpad.net/ubuntu/+source/shim/tree/debian/watch?h=applied/ubuntu/devel
[07:23] <rbasak> The upstream is https://github.com/mjg59/shim
[07:23] <rbasak> According to the watch file at least.
[07:24] <alkisg> ...which is 301 commits behind rhboot:master, according to github
[07:24] <alkisg> https://github.com/rhboot/shim/
[07:26] <alkisg> I think the watch file isn't up to date
[07:35] <rbasak> https://git.launchpad.net/ubuntu/+source/shim/tree/debian/changelog?h=applied/ubuntu/devel suggests commit 3beb971 was used. Can you find which upstream repositories include that?
[07:42] <alkisg> Sure, it's there: https://github.com/rhboot/shim/commit/3beb971b10659cf78144ddc5eeea83501384440c
[07:43] <alkisg> rhboot is "Red Hat Bootloader Team"
[07:45] <alkisg> I think Ubuntu ended up using shim from Fedora; I'm not sure if that means that a UEFI user can have both Ubuntu and Fedora in his system.
[07:46] <alkisg> I.e. if Ubuntu's shimx64.efi is loaded, that would prohibit loading Fedora's grub; and the opposite. Unless, Canonical and Red Hat agreed to include both Canonical and Red Hat keys in shim...
[07:51]  * alkisg only sees canonical-uefi-ca.der and debian-uefi-ca.der in the debian/ folder...
[07:55] <alkisg> Refind seems to include common distro keys... https://sourceforge.net/p/refind/code/ci/master/tree/keys/
[08:09] <alkisg> OK, I found great documentation at https://www.rodsbooks.com/efi-bootloaders/secureboot.html#using_signed
[08:21] <xnox> rbasak, alkisg - well ubuntu shim is different from upstream.
[08:22] <alkisg> xnox: I'm having an issue with Ubuntu's shim, and upstream says it's fixed since 2017, but the fix isn't there in disco. How much different?
[08:22] <xnox> alkisg, you can use ubuntu's shim + ubuntu's grub to boot non-ubuntu systems
[08:22] <xnox> alkisg, open a bug report in launchpad, against the shim package
[08:22] <alkisg> xnox: how? Say for example I want to boot ipxe.efi with secure boot enabled. I don't see any way for it.
[08:23] <alkisg> xnox: https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1813541
[08:23] <xnox> alkisg, for starters we compile and get microsoft to sign our build of shim =)
[08:23] <alkisg> I got that part; what I don't understand is how it's possible to load another distro then, using the ubuntu shim
[08:24] <alkisg> From what I read so far, only if the grub ubuntu build contained all the distro keys, it would be possible to load other distros
[08:24] <xnox> alkisg, you mention it is fixed upstream.... can you paste the links to upstream git commits? (whatever you think the upstream is)
[08:25] <alkisg> xnox: this is my upstream bug report, the fix is mentioned in the last comments: https://github.com/rhboot/shim/issues/165
[08:25] <alkisg> Specifically, it's this commit from 2017: https://github.com/rhboot/shim/commit/5f4fd5364109c80934b7837255ddde61f572fd69
[08:26] <xnox> alkisg, ..... comment on the launchpad bug pointers to upstream commit ids
[08:26] <xnox> alkisg, cause you didn't mention these there....
[08:26] <alkisg> I think the fix is already included in disco, just not working
[08:26] <alkisg> You're saying shim is different, do you mean that for some reason it would omit commits from 2017?
[08:26] <xnox> alkisg, please comment the urls nonetheless, please
[08:26] <alkisg> Sure, np there
[08:27] <alkisg> Could you please explain this? (10:23:56 πμ) alkisg: I got that part; what I don't understand is how it's possible to load another distro then, using the ubuntu shim
[08:27] <alkisg> Let's suppose I want to load Ubuntu's ipxe.efi, with secure boot enabled. Currently I can't do it.
[08:27] <alkisg> UEFI > shim > grub > ipxe.efi
[08:28] <alkisg> Grub refuses to load it
[08:28] <xnox> alkisg, i haven't done that using ipxe, i have done secureboot booting of other systems locally (dual boot)
[08:28] <alkisg> How?
[08:28] <alkisg> Did you add the keys to the firmware using mokmanager?
[08:33] <alkisg> For completeness, this is my report for grub-ipxe/uefi, where vorlon mentioned it won't be possible with secure boot:
[08:33] <alkisg> https://bugs.launchpad.net/ubuntu/+source/ipxe/+bug/1811496
[08:34] <alkisg> (and I wonder why it's not possible to just sign ipxe.efi in the same way as vmlinuz is signed, with the canonical key, not the microsoft key)
[08:51] <alkisg> Btw, to ensure I'm not misunderstood, what I mainly care about is to allow users to netboot ubuntu; ipxe is extremely convenient there in most of the cases but it currently doesn't work under uefi (a one liner change) nor with secureboot (harder to fix)
[10:11] <seb128> https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1814355
[10:11] <seb128> that seems a potential problem in the LTS due to an SRU release on Friday
[10:12] <seb128> !SRU
[10:12] <seb128> unsure what's the tag to ping people
[11:21] <tumbleweed> Laney: you suggested a bileto for bootstrapping, but I think I need some permissions for that?
[11:21] <tumbleweed> https://bileto.ubuntu.com/#/ticket/3625 didn't get given a PPA
[15:37] <ahasenack> Skuggen: hi, do you know if {my_,}load_defaults is gone from mysql8? I'm checking net-snmp and it looks like it's using mysql_options() as a replacement of some sort
[15:54] <ahasenack> infinity: hi, do you remember this apache2 patch? https://git.launchpad.net/ubuntu/+source/apache2/tree/debian/patches/086_svn_cross_compiles
[15:54] <ahasenack> infinity: I see it applied in apache trunk, but it never made it into a release
[15:54] <ahasenack> infinity: what was it trying to fix, and is that still relevant?
[15:55] <ahasenack> it still applies, but with more and more offset every time, and is part of our delta with debian
[19:21] <vorlon> alkisg: it is /possible/ to sign the ipxe uefi binary.  But we're not /going/ to, because it increases exposure of our key to use it to sign more code, and we haven't audited this code and don't intend to
[19:23] <alkisg> vorlon: thank you for that input. Ubuntu users lack a way to netboot with secure boot enabled currently; it would help; but ok, at least I have an official answer for them, "not supported; disable secure boot".
[19:24] <vorlon> alkisg: we do publish a secureboot-signed grubnetx64.efi for use with netbooting
[19:24] <alkisg> At least, if grub and shim get fixed for proxydhcp, it'll be possible to use the uefi stack, for some users
[19:24] <alkisg> It doesn't work with proxydhcp
[19:24] <vorlon> right
[19:24] <vorlon> so that's a bug we'll fix in our supported netboot stack
[19:25] <alkisg> I filed 2 bug reports, both for shim and grub; hopefully they'll be addressed some time in the future
[19:26] <alkisg> You saw the one for shim, this is the upstream one for grub: https://savannah.gnu.org/bugs/index.php?55636
[19:28] <alkisg> vorlon: did I understand correctly that it's not possible to dual boot ubuntu/fedora with secure boot enabled, without using mokmanager etc?
[19:29] <alkisg> I.e. that the canonical shim>grub stack doesn't contain the fedora kernel public keys, and vice versa?
[19:29] <alkisg> (I'm not using fedora at all; just trying to see if I understood the secure boot process correctly...)
[22:24] <vorlon> alkisg: it is certainly possible to dual boot ubuntu and other OSes without using mokmanager; you could chain from Ubuntu's GRUB to a Fedora shim signed by MS, or you could use the EFI boot menu to select.  You could not directly chain from Ubuntu GRUB to a Fedora kernel or to a Fedora GRUB.