eduble
commented
3 years ago Hello, Currently no. I am not familiar with secureboot procedure, so a contribution on this would be very welcome.
Debootstick images are able to boot on UEFI and BIOS systems, and they allow patterns where other systems will not work. For instance, the following scenario would work: 1) boot image on a BIOS system 2) apply software updates, including kernel 3) boot image on a UEFI system
Official images fail at step 2, because boot files are read-only (and not handled by the package manager); whereas the OS installed on a debootstick image is installed the same way as it would be installed on a disk. And a trick is used to allow booting on both UEFI and BIOS (because you cannot install both UEFI and BIOS grub packages on the same OS, they conflict).
It works as follows:
- for BIOS: the boot procedure is very standard since grub-pc package is installed inside the image
- for UEFI: a grub standalone UEFI image was generated in the EFI partition. When booted, this image looks for file /boot/grub/grub.cfg on the OS partition, and runs it.
This allows to share the configuration file managed by grub-pc package to both boot methods (thus to boot an updated kernel for instance).
Since secureboot is tied to UEFI booting, I wonder if it would not be possible to reverse this trick: install UEFI grub package in OS (instead of grub-pc), with added files to allow secureboot; and have a static BIOS grub installation which would load /boot/grub/grub.cfg on the OS partition).
can debootstick be used to generate images which will boot successfully with secureboot enabled bios? i am particularly interested using this for debian bullseye images.