Cyril Brulebois <k...@debian.org> (2024-06-28):
> I've just built a netboot-gtk mini.iso against unstable, including the
> new kernel. A regular “almost all defaults” (except French to check
> things like translations, keymap fun, etc.) install on UEFI gave an
> overall successful installation according to d-i, but it doesn't boot:
> 
>     Verifying shim SBAT data failed: Security Policy Violation
> 
> It's been a while since I last toyed with unstable, so I'm not sure
> whether this is known already, where it's coming from, etc. Even when
> built against unstable, d-i installs testing, so that shouldn't be
> linked to the new Linux version running the installer, as what ends up
> on disk is testing's version.

I tried to hack my way into reverting to the previous kernel, and
merging testing's kernel udebs into an otherwise unstable repository and
pointing d-i at it (much like I'm doing for (old)stable-proposed-updates
and (old)stable for point release preps) but for some reason the
mirror/udeb/http/hostname parameter pointing to it was seen on the
kernel cmdline, passed to userspace, parsed into an env var, but wasn't
used later on, leading to missing modules.

Rebuilding the installer fully against testing, I'm able to replicate
the SBAT issue.

> This is the exact same test setup as for (old)stable point release
> preps, with qemu/bookworm running on a bookworm system.
> 
>     kvm -m 1G -machine q35,smm=on -pflash /tmp/1/code.fd -pflash /tmp/1/vars.fd -hda /tmp/1/sda.img
> 
> with both pflash files initialized from those respectively:
> 
>  - /usr/share/OVMF/OVMF_CODE_4M.ms.fd
>  - /usr/share/OVMF/OVMF_VARS_4M.ms.fd

All that is still true.

> Wild guess: Maybe ovmf would need to ship refreshed files?

I suppose this wouldn't explain everything as we're able to boot the
installer, but not the installed system…

Could this be something about version mismatches between shim in
unstable and in testing instead?

(Even wilder guesses, I'm totally off-base here.)

> Can't investigate more right now, live stream and travel are next.

I really should stop here.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
