Page MenuHomeSolus
Differential D13867

clr-boot-manager: Switch to shim-systemd-boot for secure boot support
ClosedPublic
Actions

Authored by joebonrichie on Dec 15 2022, 1:08 PM.
Tags
None
Referenced Files
F11021338: D13867.id33836.diff
Mon, Aug 7, 1:46 PM
F11018370: D13867.id33835.diff
Sun, Aug 6, 11:34 AM
F10952542: D13867.id34465.diff
Sun, Jul 16, 5:03 PM
F10951840: D13867.id33884.diff
Sun, Jul 16, 1:47 PM
F10951839: D13867.id33913.diff
Sun, Jul 16, 1:46 PM
F10951838: D13867.id33907.diff
Sun, Jul 16, 1:46 PM
F10951837: D13867.id33847.diff
Sun, Jul 16, 1:46 PM
F10951337: D13867.id.diff
Sun, Jul 16, 11:10 AM
View All 33 Files
Subscribers
None

Details

Reviewers
None
Group Reviewers
Triage Team
Commits
R3347:f9a9d4baf741: clr-boot-manager: Switch to shim-systemd-boot for secure boot support
Summary

Switch to shim-systemd-boot for secure boot support. After installing this update and running clr-boot-manager update,
clr-boot-manager will auto setup shim & systemd-boot and create a new UEFI boot entry called 'Solus Linux Bootloader'
which should be able to be booted from with Secure Boot enabled after performing the one step time of enrolling the
solus certificate from the Mok Management screen.

Test Plan
  • Install this package and reboot WITHOUT running clr-boot-manager update
  • If a kernel update is available: Install the kernel update and reboot
  • If no kernel update is available: Run clr-boot-manager update and reboot
  • Attempt to boot from the old UEFI entry
  • Attempt to boot from the new 'Solus Linux Bootloader' UEFI entry
  • Reboot and enable secure boot, enroll default keys if neccessary
  • If your UEFI firmware provides such an option: Set the 'Image Execution Policy' to 'Deny Execute' upon secure boot violation (names may vary).
  • Attempt to boot from the old UEFI entry (should fail with secure boot violation)
  • Attempt to boot from the new 'Solus Linux Bootloader' entry
  • This should launch Mok Manager with a warning about a security violation. Press enter to continue then choose 'Enroll Key from Disk'. Enroll 'SOLUSESP/solus-enroll-me.cer'.
  • Reboot, and you should successfully boot.

Diff Detail

Repository
R3347 clr-boot-manager
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

joebonrichie created this revision.Dec 15 2022, 1:08 PM
Herald added a reviewer: Triage Team. · View Herald TranscriptDec 15 2022, 1:08 PM
joebonrichie requested review of this revision.Dec 15 2022, 1:08 PM
Harbormaster completed remote builds in B4727: Diff 33835.Dec 15 2022, 1:08 PM
joebonrichie updated this revision to Diff 33836.Dec 15 2022, 1:12 PM
joebonrichie edited the test plan for this revision. (Show Details)

Fix typo in testing

Harbormaster completed remote builds in B4728: Diff 33836.Dec 15 2022, 1:12 PM
joebonrichie updated this revision to Diff 33837.Dec 15 2022, 2:14 PM
joebonrichie edited the summary of this revision. (Show Details)
joebonrichie edited the test plan for this revision. (Show Details)

Auto-copy the MOK to the ESP

Harbormaster completed remote builds in B4729: Diff 33837.Dec 15 2022, 2:14 PM
joebonrichie updated this revision to Diff 33839.Dec 15 2022, 9:13 PM

Add missing rundep for shim-signed

Harbormaster completed remote builds in B4730: Diff 33839.Dec 15 2022, 9:13 PM
joebonrichie planned changes to this revision.Dec 16 2022, 5:54 PM

There is a bug where mmx64.efi doesn't get copied into the ESP. Seen it happen twice now.

joebonrichie updated this revision to Diff 33846.Dec 16 2022, 6:13 PM

Ensure mmx64.efi is copied over to the ESP as well

Harbormaster completed remote builds in B4734: Diff 33846.Dec 16 2022, 6:13 PM
joebonrichie updated this revision to Diff 33847.Dec 16 2022, 6:15 PM
joebonrichie edited the test plan for this revision. (Show Details)

Update test plan

Harbormaster completed remote builds in B4735: Diff 33847.Dec 16 2022, 6:15 PM
joebonrichie updated this revision to Diff 33880.Dec 22 2022, 8:50 AM
joebonrichie edited the summary of this revision. (Show Details)
joebonrichie edited the test plan for this revision. (Show Details)
  • Rebase ontop of D13505
  • Use American English spelling of 'Enroll' consistently
Harbormaster completed remote builds in B4755: Diff 33880.Dec 22 2022, 8:50 AM
joebonrichie mentioned this in T10457: Solus Secure Boot Support.Dec 22 2022, 9:39 AM
joebonrichie updated this revision to Diff 33884.Dec 25 2022, 9:23 AM

Rebase ontop of master

Harbormaster completed remote builds in B4758: Diff 33884.Dec 25 2022, 9:23 AM
joebonrichie updated this revision to Diff 33907.Dec 26 2022, 9:24 PM
joebonrichie edited the summary of this revision. (Show Details)

Signed kernels are now available

Harbormaster completed remote builds in B4772: Diff 33907.Dec 26 2022, 9:24 PM
joebonrichie updated this revision to Diff 33913.Dec 28 2022, 3:20 PM
joebonrichie edited the summary of this revision. (Show Details)

Testing new arcanist version...

Harbormaster completed remote builds in B4776: Diff 33913.Dec 28 2022, 3:20 PM
This revision was not accepted when it landed; it landed in state Needs Review.May 21 2023, 5:25 PM
Closed by commit R3347:f9a9d4baf741: clr-boot-manager: Switch to shim-systemd-boot for secure boot support (authored by joebonrichie). · Explain Why
This revision was automatically updated to reflect the committed changes.
joebonrichie added a commit: R3347:f9a9d4baf741: clr-boot-manager: Switch to shim-systemd-boot for secure boot support.

Revision Contents
Changeset List

Diff 34465

View Options

abi_used_libs

Loading...
View Options

abi_used_symbols

Loading...
View Options

files/0001-Update-paths-for-presigned-shim.patch

Loading...
View Options

files/0002-shim-systemd-Copy-the-vendor-s-MOK-to-the-ESP.patch

Loading...
View Options

files/0003-shim-systemd-Copy-over-mok-management-as-well-mmx64..patch

Loading...
View Options

files/series

Loading...
View Options

package.yml

Loading...
View Options

pspec_x86_64.xml

Loading...
Copyright © 2015-2021 Solus Project. The Solus logo is Copyright © 2016-2021 Solus Project. All Rights Reserved.