[pve-devel] [RFC kernel-meta] add proxmox-secure-boot-support package
Fabian Grünbichler
f.gruenbichler at proxmox.com
Mon Feb 5 12:45:34 CET 2024
On February 2, 2024 7:23 pm, Thomas Lamprecht wrote:
> Am 26/01/2024 um 13:05 schrieb Fabian Grünbichler:
>> installing it at least gives the admin a heads up if our base Debian release is
>> ever faster shipping a newer version of shim or Grub, which would look
>> (something) like this:
>>
>> Reading package lists... Done
>> Building dependency tree... Done
>> Reading state information... Done
>> The following package was automatically installed and is no longer required:
>> proxmox-grub
>> Use 'sudo apt autoremove' to remove it.
>> The following packages will be REMOVED:
>> proxmox-secure-boot-support
>> The following packages will be upgraded:
>> shim-signed shim-signed-common
>> 2 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
>>
>> it also allows us to pull in additional signed packages as they become
>> available.
>>
>> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
>> ---
>> it could also be "armed" similar to proxmox-ve, and require some special action
>> before being removed.. but since the worst case is that the system fails to
>> boot with SB enabled, which still should be possible to disable on all systems
>> where PVE normally runs, that might be overkill..
>
>
> seems OK w.r.t. change, but do we want this to be either part of the shim,
> or a separate repo? So that we do not need to ship a new kernel meta package
> when the shim version pinning needs an update? As it feels a bit unrelated
> to the kernel meta package in general to me.
well, it needs to be updated when either grub or shim have a security
update (or on major releases of course), so there's not really one place
to fit it. we could have a separate repo (or refactor this one to
contain two source packages, but that's fairly ugly as well) - that
would obviously work as well.
More information about the pve-devel
mailing list