Feature #15806

Use GRUB for USB boot on EFI 64-bit

Added by intrigeri about 1 year ago. Updated 4 months ago.

Status: Confirmed
Priority: Normal
Assignee: -
Category: -
Target version:
Start date: 08/18/2018
Due date:
% Done: 0%
Feature Branch: wip/feature/6560-secure-boot
Type of work: Code
Blueprint:
Starter:
Affected tool:

Description

We need this for Secure Boot (#6560) and it'll simplify quite a few parts of our code.

Making a Tails USB image boot with GRUB is straightforward but we need to:

  • Find another way to identify the boot device in our partitioning script: git grep -E 'FSUUID|sysappend'
  • Ensure this does not break stuff on legacy BIOS boot, 32-bit EFI, nor DVD boot
  • Update our test suite accordingly: it currently expects the syslinux UI
  • Update our documentation about editing the kernel command line accordingly
  • Update our design doc accordingly

Team: FT


Related issues

Related to Tails - Feature #7422: Do not duplicate syslinux on the ISO root filesystem (Rejected, 06/19/2014)
Related to Tails - Feature #15292: Distribute a USB image (Resolved, 04/14/2016, 01/29/2019)
Related to Tails - Feature #12440: Drop GRUB for 32-bit (ia32) UEFI (Rejected, 04/12/2017)
Related to Tails - Feature #12439: Unify the syslinux directory & config file name between ISO and installed USB stick (Rejected, 04/12/2017)
Related to Tails - Bug #16229: Boot Loader Menu documentation does not support 32-bit UEFI (Confirmed, 12/17/2018)
Blocks Tails - Feature #6560: UEFI Secure boot (Confirmed, 01/02/2014)
Blocks Tails - Feature #16209: Core work: Foundations Team (Confirmed, 03/22/2019)
Blocks Tails - Bug #16980: Increase size of random seed in the kernel command-line (Confirmed)

Associated revisions

Revision 69157449 (diff)
Added by intrigeri 4 months ago

Use GRUB with Secure Boot support for x86_64 (refs: #6560, #15806)

Known limitations:

- Until Debian's shim-signed is signed by Microsoft, this will only
  work after enrolling the Debian test signing key:
  https://wiki.debian.org/SecureBoot/Testing
- Until we switch to overlayfs, this won't boot as the out-of-tree
  aufs module is not signed and the kernel will thus refuse loading
  it when Secure Boot is enabled (#8415).
- No signed EFI binaries for ia32: shim-signed is only built
  for amd64 at the moment. Besides, grub-efi-ia32-signed is only
  available in the i386 Debian archive (which could be solved
  using APT's multiarch support).
  This is out of scope for this project.
- Our design doc is outdated.
- The GRUB menu may be less user-friendly than the previous syslinux
  one.
- No background image in the GRUB menu; however, note that we had to disable
  the background image for syslinux in UEFI mode since it broke the bootloader
  on some hardware.
- Our test suite relies on syslinux (images, keystrokes).

History

#1 Updated by intrigeri about 1 year ago

#2 Updated by intrigeri about 1 year ago

  • Related to Feature #7422: Do not duplicate syslinux on the ISO root filesystem added

#3 Updated by intrigeri about 1 year ago

#4 Updated by intrigeri about 1 year ago

#5 Updated by intrigeri about 1 year ago

  • Related to Feature #12439: Unify the syslinux directory & config file name between ISO and installed USB stick added

#6 Updated by intrigeri 12 months ago

We won't do this as part of the USB Image project.

#7 Updated by intrigeri 11 months ago

  • Description updated (diff)
  • Target version set to 2019

#8 Updated by intrigeri 5 months ago

#9 Updated by intrigeri 4 months ago

  • Subject changed from Use GRUB for USB boot to Use GRUB for USB boot on EFI 64-bit
  • Description updated (diff)
  • Feature Branch set to wip/feature/6560-secure-boot

Clarifying the scope of this ticket; got a PoC that boots fine, documenting the next steps in the ticket description.

#10 Updated by intrigeri 4 months ago

  • Description updated (diff)

#11 Updated by intrigeri 4 months ago

  • Description updated (diff)

#12 Updated by intrigeri 4 months ago

  • Related to Bug #16229: Boot Loader Menu documentation does not support 32-bit UEFI added

#13 Updated by intrigeri 4 months ago

  • Status changed from Confirmed to In Progress

#14 Updated by intrigeri 4 months ago

  • Status changed from In Progress to Confirmed

#15 Updated by segfault 7 days ago

  • Blocks Bug #16980: Increase size of random seed in the kernel command-line added
