Debian Live images now include UEFI support

Steve McIntyre gave an update on Debian official images to the debian-(cd, devel-announce, live, cloud) mailing lists. There’s a UEFI update on Debian Live images:
Live images – now including UEFI support

After a hiatus, weekly builds of live images for testing are now happening again. These cover amd64 and i386, and there is a separate image for each of the common desktop environments. Thanks to great work by Neil Williams, Iain Learmonth and Ana Custura on new tools (vmdebootstrap and live-wrapper), these also include support for UEFI booting as a new feature. Please help test the images and give feedback:

http://get.debian.org/cdimage/weekly-live-builds/

See Steve’s message to the above-listed lists for the full post.

https://lists.debian.org/msgid-search/20170428012707.GJ28360@einval.com

Debian plans for UEFI Secure Boot

Steve McIntyre of the Debian Project posted a message to the Debian-EFI list, with plans for getting Debian to support UEFI Secure Boot. A summary of the main steps:

1. Generate a key and an EV code-signing cert, submit to Microsoft
2. dak changes to support upload and signing of EFI executables
3. Prepare and upload a package of the ‘shim’ EFI boot loader
4. Updates for other core packages to add signed versions
 * grub2
 * linux
 * fwupdate
 * ???
5. Minor tweaks to other places to make use of the signed packages
 * d-i
 * debian-cd
 * debian-live
 * ???

Full status message and more information:
https://wiki.debian.org/SecureBoot
https://lists.debian.org/debian-efi/2016/04/msg00002.html

New resource: Broken UEFI Implementations wiki

Watch this site grow over time (and contribute to it, if you can help):
http://wiki.osdev.org/Broken_UEFI_implementations
http://wiki.osdev.org/index.php?title=Broken_UEFI_implementations&action=history

Apple, Lenovo, GIGABYTE: note that there’s some stuff about your products in the initial database.

As mentioned earlier:
https://firmwaresecurity.com/2015/08/05/debian-calls-for-uefi-packaging-help/
https://firmwaresecurity.com/2015/08/13/intel-update-on-debian-and-uefi/

Steve McIntyre of the Debian project is working with other open source OS developers to maintain a list of broken UEFI implementations, to help OS vendors:

I’ve been talking to a number of other UEFI developers lately, and we’ve agreed to start a cross-distro resource to help here – a list of known-broken UEFI implementations so that we can share our experiences. The place for this is in the OSDev wiki at http://wiki.osdev.org/Broken_UEFI_implementations. We’re going to be adding new information here as we find it. If you’ve got a particular UEFI horror story on your own broken system, then please either add details there or let me know and I’ll try to do it for you.

See Steve’s blog post for more information:
http://blog.einval.com/2015/08/02

Intel update on Debian and UEFI

Yesterday Brian Richardson of Intel UEFI posted a new blog entry on 32-bit UEFI and Linux support, with specific information about Debian. It was NICE to see the Debian swirl as the icon on an Intel.com-hosted blog post! 🙂 I am sometimes concerned that UEFI Forum and Intel only think about UEFI Forum-member Linux OSVs (Canonical, RedHat, SuSE) when it comes to UEFI and Linux. It’s NICE to see Intel working with non-UEFI Forum members on UEFI issues, especially Debian!

Blog excerpt:

“Thanks to Steve McIntyre from the Debian team for pointing out my error. Steve’s also helping organize a repository for information on UEFI implementations that don’t play nice with Linux. I think this is a great idea, so check it out if you have any relevant info. I’ll share my tips for testing UEFI & Linux in an upcoming post, in case you want to contribute to their project.”

Brian@Intel’s full blog post:
http://blogs.intel.com/evangelists/2015/08/11/update-on-ia32-uefi-and-linux-support/

Steve@Debian’s blog post:
http://blog.einval.com/2015/08/02#intel_justifies_mixed_efi

This repo of Linux UEFI information sounds GREAT! Amongst the things it tracks, I hope it tracks the various Secure Boot strengths that Linux distributions have:
https://firmwaresecurity.com/2015/07/17/secure-boot-strength-varies-by-linux-implementation/

Debian calls for UEFI packaging help

Steve McIntyre of Debian posted a blog entry the other day: they’re doing more to help with UEFI in Debian. If you can help, this is the most upstream distribution…

http://blog.einval.com/2015/08/02#tracking_broken_UEFI_implementations

http://linux.softpedia.com/blog/debian-needs-your-help-to-improve-uefi-support-in-the-distribution-488512.shtml

I’m not good at packaging, but am currently learning. If you want to help with Debian packaging for CHIPSEC, please let me know, or join the thread on the CHIPSEC mailing list.

https://lists.01.org/pipermail/chipsec/2015-July/000001.html