Use GRUB for USB boot on EFI 64-bit
We need this for Secure Boot (#6560) and it'll simplify quite a few parts of our code.
Making a Tails USB image boot with GRUB is straightforward but we need to:
- Find another way to identify the boot device in our partitioning script:
git grep -E 'FSUUID|sysappend'
- Ensure this does not break stuff on legacy BIOS boot, 32-bit EFI, or DVD boot
- Update our test suite accordingly: it currently expects the syslinux UI
- Update our documentation about editing the kernel command line accordingly
- Update our design doc accordingly
- Until Debian's shim-signed is signed by Microsoft, this will only
work after enrolling the Debian test signing key:
- Until we switch to overlayfs, this won't boot as the out-of-tree
aufs module is not signed and the kernel will thus refuse to load
it when Secure Boot is enabled (#8415).
- No signed EFI binaries for ia32: shim-signed is only built
for amd64 at the moment. Besides, grub-efi-ia32-signed is only
available in the i386 Debian archive (which could be solved
using APT's multiarch support).
This is out of scope for this project.
- Our design doc is outdated.
- The GRUB menu may be less user-friendly than the previous syslinux
- No background image in the GRUB menu; however, note that we had to disable
the background image for syslinux in UEFI mode since it broke the bootloader
on some hardware.
- Our test suite relies on syslinux (images, keystrokes).
- Subject changed from Use GRUB for USB boot to Use GRUB for USB boot on EFI 64-bit
- Description updated
- Feature Branch set to wip/feature/6560-secure-boot
Clarifying the scope of this ticket; got a PoC that boots fine, documenting the next steps in the ticket description.