canonical / pc-gadget

The gadget snap for Personal Computers using 64bit Intel or AMD processors
GNU General Public License v3.0

Please provide dual-signed shim for UC20 1.0 #49

Closed xnox closed 4 years ago

xnox commented 4 years ago

Depends on https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1884566

jocado commented 4 years ago

Hi @xnox .

There seems to have been some initial work done on this, but it has broken the build. https://github.com/snapcore/pc-amd64-gadget/commit/78b67e078a5562b742e810af36bbba7522563e55 https://github.com/snapcore/pc-amd64-gadget/commit/dd56a209a0e0f58e487dc385de45172af2bffcd2

Build fails with:

cp /root/stage/usr/lib/shim/shimx64.efi.dualsigned shim.efi.signed
cp: cannot stat '/root/stage/usr/lib/shim/shimx64.efi.dualsigned': No such file or directory
make: *** [Makefile:67: all] Error 1
Failed to build 'grub'.

This seems to be because the version of shim-signed in 20.04 does not contain the dual-signed shim. It is only in the version for 20.10. http://changelogs.ubuntu.com/changelogs/pool/main/s/shim-signed/shim-signed_1.40.3/changelog http://changelogs.ubuntu.com/changelogs/pool/main/s/shim-signed/shim-signed_1.43/changelog

Is this expected? Is there a way of working around this when doing a standard build with a multipass build environment?

I'm doing some work on a custom variant of the snap, and I can always remove the dual-signed bit of the snap, but want to track non-custom bits from upstream as closely as possible.

Thanks!

xnox commented 4 years ago

> Hi @xnox .
>
> There seems to have been some initial work done on this, but it has broken the build. 78b67e0 dd56a20
>
> Build fails with:
>
> cp /root/stage/usr/lib/shim/shimx64.efi.dualsigned shim.efi.signed
> cp: cannot stat '/root/stage/usr/lib/shim/shimx64.efi.dualsigned': No such file or directory
> make: *** [Makefile:67: all] Error 1
> Failed to build 'grub'.
>
> This seems to be because the version of shim-signed in 20.04 does not contain the dual-signed shim. It is only in the version for 20.10. http://changelogs.ubuntu.com/changelogs/pool/main/s/shim-signed/shim-signed_1.40.3/changelog http://changelogs.ubuntu.com/changelogs/pool/main/s/shim-signed/shim-signed_1.43/changelog
>
> Is this expected? Is there a way of working around this when doing a standard build with a multipass build environment?
>
> I'm doing some work on a custom variant of the snap, and I can always remove the dual-signed bit of the snap, but want to track non-custom bits from upstream as closely as possible.
>
> Thanks!

The gadget builds use Launchpad (https://code.launchpad.net/~canonical-foundations/+snap/pc-amd64-20) to build the snap, and you will notice that it uses the UC20 staging PPA as the archive to build the snap in.

Thus things published in the UC20 staging PPA are available during the build.

There is experimental snapcraft syntax to encode repositories (https://forum.snapcraft.io/t/call-for-testing-configurable-apt-repositories-in-snapcraft-yaml/15355); however, that is not yet generally available.

When that becomes generally available, I might be able to improve snapcraft.yaml such that it is buildable outside of Launchpad too.

If you are forking the gadget, I recommend you use the staged snaps functionality to stage shim/grub from the published gadget in the 20/stable track, since you will not be able to rebuild/resign shim.

If, on the other hand, you are doing a custom root of trust with custom KEK/db keys, you may want to resign shim with your own db key.
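The build failure quoted above happens because the Makefile blindly copies whatever file is staged; whether the result is the dual-signed shim or a single-signed one is never checked. The following is an added example, not code from the pc-gadget Makefile or snapcraft.yaml: it walks the PE attribute certificate table and counts embedded Authenticode signatures, so a build step (or a review of a custom-signed shim, as in the custom KEK/db case) can assert the staged `shim.efi.signed` really carries two signatures. Header offsets follow the PE/COFF layout; `build_fake_pe` produces a constructed stand-in image for offline testing and is not a real shim.

```python
import struct


def count_authenticode_signatures(pe: bytes) -> int:
    """Return how many Authenticode (PKCS#7) signatures a PE image carries."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                           # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)  # data directory array: PE32+ vs PE32 layout
    # Index 4 is IMAGE_DIRECTORY_ENTRY_SECURITY; its first field is a file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    if cert_off == 0 or cert_size == 0:
        return 0                                  # no certificate table: unsigned image
    count, pos, end = 0, cert_off, cert_off + cert_size
    while pos + 8 <= end:                         # walk the WIN_CERTIFICATE entries
        length, revision, cert_type = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or pos + length > end:
            raise ValueError("corrupt certificate table")
        if revision == 0x0200 and cert_type == 0x0002:   # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            count += 1
        pos += (length + 7) & ~7                  # entries are padded to 8-byte boundaries
    return count


def build_fake_pe(n_sigs: int) -> bytes:
    """Constructed minimal PE32+ image (not a real shim) carrying n_sigs dummy signatures."""
    e_lfanew, opt_size = 0x40, 112 + 16 * 8       # PE32+ optional header with 16 data directories
    headers_end = e_lfanew + 24 + opt_size
    table = b""
    for i in range(n_sigs):
        blob = b"\xAA" * (13 + i)                 # stands in for a PKCS#7 SignedData blob
        entry = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
        table += entry + b"\0" * (-len(entry) % 8)
    img = bytearray(headers_end)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", img, e_lfanew + 24, 0x20B)        # PE32+ magic
    if n_sigs:
        struct.pack_into("<II", img, e_lfanew + 24 + 112 + 4 * 8, headers_end, len(table))
    return bytes(img) + table
```

Run `count_authenticode_signatures(open("shim.efi.signed", "rb").read())` on the staged file before the `cp` step and fail the build when it returns less than 2; the same check works on a shim you resigned with your own db key.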

xnox commented 4 years ago

dualsigned shim has been available for a long time now, so this issue should have been closed a long time ago.