author    Luca Boccassi <bluca@debian.org>  2018-02-27 19:28:33 +0000
committer Luca Boccassi <bluca@debian.org>  2018-03-09 20:57:54 +0000
commit    035518ff69a97fa5d3fa432e13c9593a9f459a4e
tree      98d07bcaf0927518c0a3a78b87893a6c6955bf71 /manpages
parent    ac3ed23638cbc4b10059f9678283d08b4a082136
UEFI: add support for Secure Boot on amd64 and arm64
Support for UEFI Secure Boot is modelled after how it currently works in Ubuntu and on how it is going to work on Debian. A minimal bootloader, shim, is used as the first stage and it then loads grub. Both have to be signed. shim-signed is already available in Debian so the filenames are already established, and the grub2 repository and packaging is common between the 2 distros so we can already be reasonably sure of what it is going to be.

So if both are available, copy /usr/lib/shim/shim[x64|aa64].efi.signed as boot[x64|aa64].efi so that UEFI loads it first, and copy /usr/lib/grub/[x86_64|arm64]-efi-signed/grub[x64|aa64].efi.signed as grub[x64|aa64].efi. This grub2 EFI monolithic image is currently hard-coded in grub2's repository to look for a config file in efi/debian, so make a copy of the previously added minimal grub.cfg that loads the real one in that directory in both the fat32 and ISO 9660 partitions.

The new option --uefi-secure-boot can be set to auto (default), enable or disable. In auto, the lack of the signed EFI binaries is intentionally left as a soft failure: live-build will simply fall back to using the locally generated non-signed grub2 monolithic EFI binary as the only bootloader. Given the difficulties surrounding the Secure Boot signing infrastructure this approach gives the most flexibility and makes sure things will "just work" once the packages are available, without the need to change anything in the configuration. This will also greatly help downstream distributions and users who want to do self-signing. The enable or disable options work as expected.

Closes: #821084
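The staging the commit message describes, written out as an added example (this is not live-build's code, and the grub.cfg stub content, the fail-hard behaviour of "enable" and the fixture files are assumptions, not things the commit states). It copies the signed shim as boot<suffix>.efi and the signed grub as grub<suffix>.efi, drops the hand-over grub.cfg into efi/debian, and applies the auto/enable/disable policy, including the soft fallback to an unsigned grub. ROOT stands in for "/" so the signed binaries can be looked up from a constructed tree offline.

```shell
#!/bin/sh
# Added example, not live-build's own code: stage the UEFI boot tree the
# commit message describes and apply the auto/enable/disable policy.
# Assumptions (not from the commit): ROOT stands in for "/" so the signed
# files are looked up under $ROOT/usr/lib/shim and $ROOT/usr/lib/grub;
# UNSIGNED_GRUB is an already-built unsigned monolithic grub image; "enable"
# fails hard when the signed binaries are missing; the grub.cfg stub content
# is hypothetical.
set -u

# Map a Debian architecture to "<EFI suffix> <signed grub platform dir>".
efi_names() {
    case "$1" in
        amd64) echo "x64 x86_64-efi-signed" ;;
        arm64) echo "aa64 arm64-efi-signed" ;;
        *) echo "E: unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# stage_efi MODE ARCH ROOT UNSIGNED_GRUB DEST
# Populates DEST/efi/boot/ and DEST/efi/debian/grub.cfg.
# Prints "signed" or "unsigned" on stdout; returns 1 on a hard failure.
stage_efi() {
    mode=$1 arch=$2 root=$3 unsigned_grub=$4 dest=$5
    names=$(efi_names "$arch") || return 1
    set -- $names
    suffix=$1 grubdir=$2
    shim="$root/usr/lib/shim/shim$suffix.efi.signed"
    sgrub="$root/usr/lib/grub/$grubdir/grub$suffix.efi.signed"

    use_signed=no
    case "$mode" in
        disable) ;;
        enable|auto)
            if [ -f "$shim" ] && [ -f "$sgrub" ]; then
                use_signed=yes
            elif [ "$mode" = enable ]; then
                echo "E: Secure Boot requested but $shim or $sgrub is missing" >&2
                return 1
            else
                # Soft failure: warn and continue with the unsigned bootloader.
                echo "W: signed shim/grub not found, falling back to unsigned grub; image will not boot with Secure Boot enforced" >&2
            fi ;;
        *) echo "E: unknown --uefi-secure-boot value: $mode" >&2; return 1 ;;
    esac

    mkdir -p "$dest/efi/boot" "$dest/efi/debian"
    # Hypothetical stub: the signed monolithic grub looks for efi/debian/grub.cfg,
    # which only hands over to the real configuration on the medium.
    printf 'search --set=root --file /.disk/info\nconfigfile ($root)/boot/grub/grub.cfg\n' \
        > "$dest/efi/debian/grub.cfg"

    if [ "$use_signed" = yes ]; then
        # Firmware loads boot<suffix>.efi first, so shim takes that name and
        # then loads grub<suffix>.efi from the same directory.
        cp "$shim" "$dest/efi/boot/boot$suffix.efi"
        cp "$sgrub" "$dest/efi/boot/grub$suffix.efi"
        echo signed
    else
        cp "$unsigned_grub" "$dest/efi/boot/boot$suffix.efi"
        echo unsigned
    fi
}

# Constructed fixture for trying this offline: fake "signed" files under ROOT
# with the real Debian filenames (contents are placeholders, not EFI binaries).
make_fixture() {
    root=$1
    mkdir -p "$root/usr/lib/shim" "$root/usr/lib/grub/x86_64-efi-signed"
    printf 'fake shimx64.efi.signed' > "$root/usr/lib/shim/shimx64.efi.signed"
    printf 'fake grubx64.efi.signed' > "$root/usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed"
}
```

Usage: `make_fixture /tmp/root; stage_efi auto amd64 /tmp/root ./grubx64.efi /tmp/out` prints `signed` and leaves `bootx64.efi` (shim) and `grubx64.efi` under `/tmp/out/efi/boot`; pointing ROOT at an empty tree prints `unsigned` after the warning, while `enable` against the same empty tree exits non-zero. The check worth keeping from this is the one the warning makes explicit: an image produced by the fallback path carries no signed first-stage loader, so "auto" should be treated as "best effort", not as a Secure Boot guarantee.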
Diffstat (limited to 'manpages')
-rw-r--r--  manpages/en/lb_config.1 | 4
1 file changed, 4 insertions, 0 deletions
diff --git a/manpages/en/lb_config.1 b/manpages/en/lb_config.1
index 750a6f2fd..c90f85de3 100644
--- a/manpages/en/lb_config.1
+++ b/manpages/en/lb_config.1
@@ -215,6 +215,8 @@
.br
[\fB\-\-templates\fR \fIPATH\fR]
.br
+ [\fB\-\-uefi\-secure\-boot\fR \fIauto|enable|disable\fR]
+.br
[\fB\-\-hdd\-size \fIMB\fR]
.br
[\fB\-\-updates\fR true|false]
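Review bot: the added synopsis line sets the literal keywords `auto|enable|disable` in italics (`\fI...\fR`), but in this synopsis italics mark placeholders such as `\fIPATH\fR` on the `\-\-templates` line, while literal alternatives like `\-\-updates\fR true|false` two lines below are set in roman. Suggest `[\fB\-\-uefi\-secure\-boot\fR auto|enable|disable]` so the synopsis reads consistently; the same applies to the matching `.IP` line in the next hunk.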
@@ -454,6 +456,8 @@ defines what size in megabytes the swap file should be, if one is to be created.
selects which program is used to install tasks. By default, this is set to tasksel.
.IP "\fB\-\-templates\fR \fIPATH\fR" 4
sets the path to the templates that live\-build is going to use, e.g. for bootloaders. By default, this is set to /usr/share/live/build/templates/.
+.IP "\fB\-\-uefi\-secure\-boot\fR \fIauto|enable|disable\fR" 4
+enables or disables Secure Boot support when using grub-efi, by installing signed shim and grub-efi packages. By default, this is set to auto, which means if the packages are available they will be installed, but if not only a warning will be printed and the normal non-signed grub-efi will be used.
.IP "\fB\-\-hdd\-size\fR MB" 4
defines what size the hdd image should be. Note that although the default is set to 10000 (= 10GB), it will not need 10GB space on your harddisk as the files are created as sparse files.
.IP "\fB\-\-updates\fR true|false" 4
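Review bot: the new description documents only the auto behaviour and leaves its security consequence implicit: when the signed shim and grub-efi packages are absent, the build succeeds with just a warning and an unsigned grub, and the resulting image will not boot on firmware that enforces Secure Boot. Suggest stating that outright, naming the packages the user has to install (the commit message identifies shim-signed and the signed grub-efi package for the architecture), and spelling out what `enable` does when they are missing (presumably a hard build failure) and that `disable` skips them even when present, since neither is described here. Two smaller points on the same lines: `grub-efi` should be written `grub\-efi` to match the escaped hyphens used elsewhere in the page (`live\-build` in the `\-\-templates` entry), and `\fIauto|enable|disable\fR` italicises literal keywords where the neighbouring `\-\-updates\fR true|false` entry uses roman.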