Rod,
Thanks for the follow-up.
> In some sense, if my analysis is correct, the problem is caused by Shim
> "tightening the screws" on Secure Boot policy; however, those changes
> are done for a reason (to improve security), so the solution should be
> to ensure that the GRUB versions MAAS and curtin deploy perform the
> checks that Shim wants, and that the kernels we install are signed.
>
Curtin/MAAS will install the linux-image-generic kernel for the specific
release unless otherwise specified by MAAS in their kernel config mapping.
If there is a specific kernel package that *should* be selected instead of
the linux-image-generic kernel then MAAS/Curtin need to know:
1) what is that package name
2) how to know when to use (1) instead of linux-image-generic
A quick search of apt-cache shows
linux-signed-image-< >
which appears to be what we'd want to use in the Secure Boot path.
In one of the other bugs I believe I had asked how curtin or MAAS can
detect whether a platform is configured for SecureBoot, but I didn't see
a definitive answer.
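The open question above is how an installer could tell whether the platform booted with Secure Boot enforced. The following shell snippet is an added example, not code from curtin, MAAS or this bug thread. It reads the UEFI `SecureBoot` global variable through efivarfs (the variable's data is a single byte, preceded in efivarfs by four attribute bytes) and maps the result to a kernel metapackage. The efivarfs mount point, the `generic` flavour suffix on the signed package name, and the helper names are assumptions for illustration; the thread itself leaves the exact signed package name unspecified.

```shell
#!/bin/sh
# Added example (not part of the bug thread): probe the UEFI Secure Boot
# state and choose the kernel metapackage to install accordingly.
#
# Assumptions:
#  - efivarfs is mounted at /sys/firmware/efi/efivars (the usual location).
#  - SecureBoot lives under the EFI global variable GUID
#    8be4df61-93ca-11d2-aa0d-00e098032b8c; the efivarfs file holds
#    4 attribute bytes followed by the 1-byte variable value (0 or 1).
#  - The signed metapackage is named linux-signed-image-<flavour>,
#    mirroring linux-image-<flavour>; "generic" is an assumed flavour.

SB_VAR_DEFAULT=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# secure_boot_state [PATH]
#   Prints "enabled", "disabled" or "unsupported" (no EFI variable present,
#   e.g. legacy BIOS boot or efivarfs not mounted). PATH defaults to the
#   real efivarfs entry; tests can point it at a constructed file.
secure_boot_state() {
    var="${1:-$SB_VAR_DEFAULT}"
    if [ ! -r "$var" ]; then
        echo unsupported
        return 0
    fi
    # Skip the 4 attribute bytes (-j4) and decode exactly one byte (-N1).
    value=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')
    if [ "$value" = "1" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# kernel_package_for STATE [FLAVOUR]
#   Prints the metapackage to install for the given Secure Boot state.
#   Only an "enabled" state selects the signed package; "disabled" and
#   "unsupported" fall back to the unsigned default the installer uses today.
kernel_package_for() {
    flavour="${2:-generic}"   # assumed default flavour
    case "$1" in
        enabled) echo "linux-signed-image-${flavour}" ;;
        *)       echo "linux-image-${flavour}" ;;
    esac
}

# Typical use on the target host:
#   pkg=$(kernel_package_for "$(secure_boot_state)")
#   apt-get install "$pkg"
```

Two caveats for anyone wiring this into an installer: the variable only says what the firmware enforces, so a host whose Secure Boot was turned off in firmware setup reports `disabled` even if its certificates are still enrolled, and `unsupported` covers both legacy-BIOS hosts and EFI hosts where efivarfs is not mounted; the fallback to the unsigned package is safe in both cases, because shim's signature check is only applied when Secure Boot is on.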