Univention Bugzilla – Bug 28191
UEFI Secure Boot Support
Last modified: 2014-11-26 06:55:01 CET
In the future, it should no longer be possible to start unsigned bootloaders. UCS needs support for UEFI Secure Boot.
http://www.linuxfoundation.org/news-media/blogs/browse/2012/10/linux-foundation-uefi-secure-boot-system-open-source
With EFI support in the installer, the first big step has been taken. As soon as we have more test hardware, we should sign the bootloader and publish a first test DVD. This does not necessarily have to happen for the 3.1 release, though.
We will not ship a UCS 3.1-2 release; the next UCS release will be UCS 3.2. As such, this bug is moved to the new target milestone.
Current summary from DebConf wrt the plans in Debian: https://lists.debian.org/debian-kernel/2013/08/msg00267.html
shim-0.2 has been imported to SVN and manually built on UCS 3.2:
- ucs-3.2-0/base/shim/
- copy ucs-3.2-0/base/shim/buildShim.sh to UCS 3.2++ instance
- call buildShim.sh:
    buildShim.sh \
      svn+ssh://USERNAME@billy:/var/svn/dev/branches/ucs-3.2/ucs-3.2-0/base/shim
- the script prepares the local system for compilation and builds a shim binary
- The Univention vendor certificate (univention-uefi-ca.cer) will be automatically compiled into the binary.
See also https://hutten.knut.univention.de/mediawiki/index.php/UEFI
Still waiting for the signature from Microsoft ...
Moved to UCS 4.
It should be checked whether the patches are still needed:
    stefan@leka:~/11_wrk/svn/patches$ ls */3.2-0-0-ucs/*uefi* -d1
    efitools/3.2-0-0-ucs/1.4.1-1-uefi
    efitools/3.2-0-0-ucs/1.4.1-1-uefi-secureboot-tools
    gnu-efi/3.2-0-0-ucs/3.0i-3-uefi
    gnu-efi/3.2-0-0-ucs/3.0s+debian-3-uefi
    gnu-efi/3.2-0-0-ucs/3.0s+debian-3-uefi-secureboot-tools
    openssl/3.2-0-0-ucs/1.0.1e-2-uefi
    openssl/3.2-0-0-ucs/1.0.1e-2-uefi-secureboot-tools
    sbsigntool/3.2-0-0-ucs/0.6-0ubuntu1-uefi
    sbsigntool/3.2-0-0-ucs/0.6-0ubuntu1-uefi-secureboot-tools
Microsoft changed its policy: http://blogs.msdn.com/b/windows_hardware_certification/archive/2013/12/03/microsoft-uefi-ca-signing-policy-updates.aspx
We need an EV certificate and we have to sign the complete chain. I've created several Bugs for this:
- Bug #35914 - Shim update to 0.7 or higher
- Bug #35915 - Shim signing key & tool
- Bug #35916 - Sign kernel for UEFI Secure Boot
- Bug #35917 - Sign grub for UEFI Secure Boot
- Bug #35918 - Prepare UCS installer for UEFI Secure Boot
Ticket #2014091221000208 → new certificate request
The DVD ucs_4.0-0-20141104-162347-dvd-amd64.iso has SecureBoot support.
OK, it works. I've added a changelog entry for this bug.
UCS 4.0-0 has been released:
http://docs.univention.de/release-notes-4.0-0-en.html
http://docs.univention.de/release-notes-4.0-0-de.html
If this error occurs again, please use "Clone This Bug".