From: Michael Prokop <mika@grml.org>
Date: Fri, 10 Feb 2023 14:42:25 +0000 (+0100)
Subject: Secure Boot: update grub and shim binaries
X-Git-Tag: v0.43.1~7
X-Git-Url: http://git.grml.org/?p=grml-live.git;a=commitdiff_plain;h=721a4734446cf9e1dd9b4e4c1360c22821b86986

Secure Boot: update grub and shim binaries

Quoting János Pásztor from https://github.com/grml/grml-live/pull/129:

  After 581da7443c68c362a7677c905ab5c63eb23c5b73 and using the `debian`
  style secure boot grml will not start on machines with secure boot
  enabled, but fails with a `signature verification error`

  After some investigation it turned out that we hit
  https://bugs.debian.org/925550 with our boot binaries.

  I have updated them from debian and managed to boot with them
  properly.

While at it, switch from http://ftp.de.debian.org/ to
https://deb.debian.org/ which has proper SSL certificate available.

Thanks: János Pásztor <model87@freemail.hu> for bugreport and PR
---

diff --git a/templates/EFI/debian/BOOT/README b/templates/EFI/debian/BOOT/README
index 5334582..32e2d3c 100644
--- a/templates/EFI/debian/BOOT/README
+++ b/templates/EFI/debian/BOOT/README
@@ -1,6 +1,6 @@
 # debian approach:
-shimx64.efi.signed = /usr/lib/shim/shimx64.efi.signed                  from http://ftp.de.debian.org/debian/pool/main/s/shim-signed/shim-signed_1.33+15+1533136590.3beb971-7_amd64.deb
-grubx64.efi.signed = /usr/lib/grub/x86_64-efi-signed/gcdx64.efi.signed from http://ftp.de.debian.org/debian/pool/main/g/grub-efi-amd64-signed/grub-efi-amd64-signed_1+2.02+dfsg1+20+deb10u2_amd64.deb
+shimx64.efi.signed = /usr/lib/shim/shimx64.efi.signed                  from https://deb.debian.org/debian/pool/main/s/shim-signed/shim-signed_1.38+15.4-7_amd64.deb
+grubx64.efi.signed = /usr/lib/grub/x86_64-efi-signed/gcdx64.efi.signed from https://deb.debian.org/debian/pool/main/g/grub-efi-amd64-signed/grub-efi-amd64-signed_1+2.06+7_amd64.deb
 # NOTE:
 # shimx64.efi.signed ends up as /EFI/BOOT/bootx64.efi inside [grml_cd]/boot/efi.img, and
 # grubx64.efi.signed ends up as /EFI/BOOT/grubx64.efi inside [grml_cd]/boot/efi.img, whereas
diff --git a/templates/EFI/debian/BOOT/grubx64.efi.signed b/templates/EFI/debian/BOOT/grubx64.efi.signed
index 0f82e38..c87eb6f 100644
Binary files a/templates/EFI/debian/BOOT/grubx64.efi.signed and b/templates/EFI/debian/BOOT/grubx64.efi.signed differ
diff --git a/templates/EFI/debian/BOOT/shimx64.efi.signed b/templates/EFI/debian/BOOT/shimx64.efi.signed
index 131ca45..dcd8b50 100644
Binary files a/templates/EFI/debian/BOOT/shimx64.efi.signed and b/templates/EFI/debian/BOOT/shimx64.efi.signed differ