[pve-devel] [RFC kernel-meta] add proxmox-secure-boot-support package

Fabian Grünbichler f.gruenbichler at proxmox.com
Mon Feb 5 12:45:34 CET 2024

On February 2, 2024 7:23 pm, Thomas Lamprecht wrote:
> Am 26/01/2024 um 13:05 schrieb Fabian Grünbichler:
>> installing it at least gives the admin a heads up if our base Debian release is
>> ever faster shipping a newer version of shim or Grub, which would look
>> (something) like this:
>>  Reading package lists... Done
>>  Building dependency tree... Done
>>  Reading state information... Done
>>  The following package was automatically installed and is no longer required:
>>    proxmox-grub
>>  Use 'sudo apt autoremove' to remove it.
>>  The following packages will be REMOVED:
>>    proxmox-secure-boot-support
>>  The following packages will be upgraded:
>>    shim-signed shim-signed-common
>>  2 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
>> it also allows us to pull in additional signed packages as they become
>> available.
>> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
>> ---
>> it could also be "armed" similar to proxmox-ve, and require some special action
>> before being removed.. but since the worst case is that the system fails to
>> boot with SB enabled, which still should be possible to disable on all systems
>> where PVE normally runs, that might be overkill..
> seems OK w.r.t. change, but do we want this to be either part of the shim,
> or a separate repo? So that we do not need to ship a new kernel meta package
> when the shim version pinning needs an update? As it feels a bit unrelated
> to the kernel meta package in general to me.

well, it needs to be updated when either grub or shim have a security
update (or on major releases of course), so there's not really one place
to fit it. we could have a separate repo (or refactor this one to
contain two source packages, but that's fairly ugly as well) - that
would obviously work as well.

More information about the pve-devel mailing list