Thursday 27 July 2023

Call for testing: grub 2.12 mantic PPA

Hello party people,

grub 2.12~rc1-4~ubuntu1~ppa1 is now available in the Ubuntu
development PPA for testing, signed with the PPA signing
key.

https://launchpad.net/~ubuntu-uefi-team/+archive/ubuntu/ppa/+packages

I have tested booting on my laptop and it's fine, but I've
specifically not gotten around to any arm64 or riscv64 testing
or PC BIOS for that matter. Well I booted a kernel in arm64
qemu.

To test on a secure boot enabled machine, you have two
options:

1. Enroll the signing key using

$ wget https://ppa.launchpadcontent.net/ubuntu-uefi-team/ppa/ubuntu/dists/mantic/main/uefi/grub2-amd64/2.12~rc1-4~ubuntu1~ppa1/control/uefi.crt
$ openssl x509 -in uefi.crt -out uefi.der -outform DER
$ sudo mokutil --import uefi.der

2. Just install it and enroll the specific binary by its hash. To
do so, at boot after you get a security violation, MokManager
pops up and presents a menu.

Select to enroll a hash, and navigate to EFI/ubuntu/grubx64.efi
on your EFI system partition and enroll it.

I plan to do some more cleanup and release the -4 to Debian, and
have the final version go to mantic-proposed during the first half
of next week if signing works out and machines boot :)

Probably we'll then go tag it block-proposed for yet some more
time so we can do some more testing with signed binaries, but
have it in the archive to ease testing.

Known issues:

- Several UEFI networking patches have not yet been rebased to the
new APIs in 2.12. Sadly the patches were not merged upstream when
they were submitted :(

- Kernels older than 5.8 will not boot in full UEFI mode on
amd64, but use the legacy entry points used by BIOS.

This is because we are switching from the Red Hat loading
code to the upstream loading code in our effort to make bold
changes to be the first. OK realistically to get rid of a 20
patch stack and 3 separate loader implementations.

I have plans for a better workaround on x86, and the wonderful
Ard Biesheuvel has backported the EFI stub with LoadFile2 support
to the 5.4 kernel which we might want to pick for 20.04.

- Measurement changes may require followup changes to TPM
sealing calculations, but not sure there are any

- Software

- The GRUB_FLAVOUR_ORDER feature used by OEM images is not yet
supported. Support will be reinstated later this cycle to
early next cycle.

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en
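
Added example, not part of the original mail and not code from grub or shim: a Python computation of the digest that option 2 refers to. It assumes MokManager's hash enrollment records the PE Authenticode SHA-256 of the selected file, and that the image has contiguous sections with any signature table at the end of the file. `toy_pe` and its bytes are constructed for illustration.

```python
import hashlib
import struct
import sys

CERT_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY

def authenticode_sha256(pe: bytes) -> str:
    """SHA-256 over a PE image, skipping the fields that signing rewrites."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24                  # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32
    checksum = opt + 64                # CheckSum field, 4 bytes
    if struct.unpack_from("<I", pe, dirs - 4)[0] <= CERT_DIR_INDEX:
        raise ValueError("no certificate table directory entry")
    entry = dirs + 8 * CERT_DIR_INDEX  # (file offset, size) of the signature
    cert_off, cert_size = struct.unpack_from("<II", pe, entry)
    end = len(pe)
    if cert_size:
        if cert_off + cert_size != len(pe):
            raise ValueError("certificate table is not at end of file")
        end = cert_off                 # the signature itself is never hashed
    digest = hashlib.sha256()
    for chunk in (pe[:checksum], pe[checksum + 4:entry], pe[entry + 8:end]):
        digest.update(chunk)
    return digest.hexdigest()

def toy_pe(body: bytes = b"constructed-body", signature: bytes = b"") -> bytes:
    """Constructed minimal PE32+ header plus body, for demonstration only."""
    hdr = bytearray(64 + 24 + 240)     # DOS stub + PE/COFF + optional header
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 64)            # e_lfanew
    hdr[64:68] = b"PE\0\0"
    struct.pack_into("<H", hdr, 88, 0x20B)           # PE32+ magic
    struct.pack_into("<I", hdr, 88 + 108, 16)        # NumberOfRvaAndSizes
    if signature:
        struct.pack_into("<I", hdr, 88 + 64, 0xABCD)  # checksum changes on signing
        struct.pack_into("<II", hdr, 88 + 112 + 32,
                         len(hdr) + len(body), len(signature))
    return bytes(hdr) + body + signature

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else toy_pe()
    print(authenticode_sha256(data))
```

Run it with the path to grubx64.efi on the EFI system partition to record the digest before enrolling; with no argument it hashes the constructed sample.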
