
Bug#1038862: debian-installer: Doesn't work in UEFI mode with a unsigned GRUB (/boot/grub/fonts/unicode.pf2 not found)


Arnaud Rebillout

Jun 22, 2023, 2:50:04 AM
Package: debian-installer
Version: 20230607
Severity: normal
User: de...@kali.org
Usertags: origin-kali

Dear Maintainer,

This issue doesn't affect Debian (as Debian's installer images come with
a signed GRUB), but it affects Debian derivatives that use an unsigned
GRUB in their installer. In particular, it did break the Kali Linux
installer images a short while ago, cf.
https://gitlab.com/kalilinux/packages/debian-installer/-/issues/4

The cause of the issue is this commit:
https://salsa.debian.org/installer-team/debian-installer/-/commit/a4dc8c0f

In the change above, the GRUB font was changed from '$prefix/font.pf2'
to 'unicode'. However nothing was done to copy the unicode font at the
right location. It's not an issue for Debian, which uses a signed GRUB,
ie. a big bundle that embeds everything needed, including this unicode
font.

However for derivatives that don't use Debian's signed GRUB (like Kali
Linux), what we get is a more "traditional" GRUB: a small binary, and
plenty of modules and other files that GRUB will load as need be. For
this unsigned GRUB, we must make sure that the unicode font is present
at the right location.

I propose the following fixes:

https://salsa.debian.org/installer-team/debian-installer/-/merge_requests/35
to change the GRUB font from ascii.pf2 to unicode.pf2, and install it
under the fonts/ directory.

https://salsa.debian.org/images-team/debian-cd/-/merge_requests/32 so
that debian-cd tries to copy fonts from grub/*.pf2 and grub/fonts/.

Below comes a longer step-by-step procedure to reproduce the issue, if
anyone wants to check it by themselves.

~~~~

First, build a set of installer images with `EFI_SIGNED` set to no.

```
cd debian-installer
sed -i 's/EFI_SIGNED=y/EFI_SIGNED=n/' build/config/*.cfg
git commit -a -m "EFI_SIGNED=n"
sbuild
sbuild --arch=i386
```

Then, rebuild an ISO with those installer images. I used `simple-cdd`:

```
mkdir <<WORKDIR>>
cd <<WORKDIR>>

mkdir custom-installer
cp <<PATH-TO>>/debian-installer-images_* custom-installer/
cd custom-installer; for f in *.gz; do tar -xf "$f"; done; cd ..

cat << EOF > simple-cdd.conf
custom_installer="$(pwd)/custom-installer"
mirror_tools="reprepro download"
mirror_files="" # Don't try to download README doc/ tools/
export OMIT_MANUAL=1
export OMIT_RELEASE_NOTES=1
export OMIT_DOC_TOOLS=1
export ARCHES="amd64 i386" # Workaround https://salsa.debian.org/debian/simple-cdd/-/merge_requests/12
EOF

build-simple-cdd --verbose --debug --force-root --conf simple-cdd.conf
```

Boot the resulting ISO with kvm and UEFI enabled: we can briefly see an error
message about missing unicode font, then the GRUB menu appears. Hit <Enter> to
start installation: it fails with "Booting in blind mode".

Find more details (and screenshots!) at:
<https://gitlab.com/kalilinux/packages/debian-installer/-/issues/4>

~~~~

Best,

Arnaud
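
Added example, not part of the original report or of debian-installer/debian-cd: a check over an unpacked installer image that resolves each GRUB font reference the way `loadfont` does (a bare name such as `unicode` means `$prefix/fonts/unicode.pf2`) and flags files that are missing. It assumes `$prefix` is `/boot/grub`; the `font=` line format, the helper names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: not code from debian-installer or debian-cd.
# Assumption: GRUB's $prefix on the image is /boot/grub.

# Print the file GRUB would open for a font reference inside an unpacked image.
resolve_font() {
    root=$1; ref=$2
    case $ref in
        \$prefix/*) rel=${ref#\$prefix/}; printf '%s\n' "$root/boot/grub/$rel" ;;
        /*)         printf '%s\n' "$root$ref" ;;                 # absolute path
        *)          printf '%s\n' "$root/boot/grub/fonts/$ref.pf2" ;;  # bare name
    esac
}

# List the values assigned to `font` in a grub.cfg (hypothetical helper).
fonts_in_cfg() {
    sed -n 's/^[[:space:]]*font=\([^[:space:];]*\).*/\1/p' "$1"
}

# Report each font reference in grub.cfg; return 1 if any file is absent.
check_image() {
    root=$1; status=0
    for ref in $(fonts_in_cfg "$root/boot/grub/grub.cfg"); do
        path=$(resolve_font "$root" "$ref")
        if [ -f "$path" ]; then echo "ok       $ref -> $path"
        else echo "MISSING  $ref -> $path"; status=1; fi
    done
    return $status
}

# Constructed sample: grub.cfg asks for "unicode", only the old font.pf2 ships.
make_sample() {
    mkdir -p "$1/boot/grub"
    printf 'font=unicode\nif loadfont $font ; then\n  set gfxmode=auto\nfi\n' \
        > "$1/boot/grub/grub.cfg"
    : > "$1/boot/grub/font.pf2"
}

tmp=$(mktemp -d)
make_sample "$tmp"
check_image "$tmp" || echo "image would hit the missing-font error"
mkdir -p "$tmp/boot/grub/fonts" && : > "$tmp/boot/grub/fonts/unicode.pf2"
check_image "$tmp" && echo "font now resolvable"
rm -rf "$tmp"
```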

Cyril Brulebois

Jun 22, 2023, 11:30:10 AM
Hi Arnaud,

Arnaud Rebillout <arn...@kali.org> (2023-06-22):
> Dear Maintainer,
>
> This issue doesn't affect Debian (as Debian's installer images come with
> a signed GRUB), but it affects Debian derivatives that use an unsigned
> GRUB in their installer. In particular, it did break the Kali Linux
> installer images a short while ago, cf.
> https://gitlab.com/kalilinux/packages/debian-installer/-/issues/4
>
> The cause of the issue is this commit:
> https://salsa.debian.org/installer-team/debian-installer/-/commit/a4dc8c0f
>
> In the change above, the GRUB font was changed from '$prefix/font.pf2'
> to 'unicode'. However nothing was done to copy the unicode font at the
> right location. It's not an issue for Debian, which uses a signed GRUB,
> ie. a big bundle that embeds everything needed, including this unicode
> font.
>
> However for derivatives that don't use Debian's signed GRUB (like Kali
> Linux), what we get is a more "traditional" GRUB: a small binary, and
> plenty of modules and other files that GRUB will load as need be. For
> this unsigned GRUB, we must make sure that the unicode font is present
> at the right location.
>
> I propose the following fixes:
>
> https://salsa.debian.org/installer-team/debian-installer/-/merge_requests/35
> to change the GRUB font from ascii.pf2 to unicode.pf2, and install it
> under the fonts/ directory.
>
> https://salsa.debian.org/images-team/debian-cd/-/merge_requests/32 so
> that debian-cd tries to copy fonts from grub/*.pf2 and grub/fonts/.

I'll let Steve comment on this, but having had to deal with far-reaching
consequences of that very change, that seemed trivial enough, I'm very
much not convinced I'd like to see more things getting tweaked there.

I acknowledge that this means a maintenance burden for downstream
distributions that would like to use an unsigned GRUB. But then, that's
their choice…


Cheers,
--
Cyril Brulebois (ki...@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

Arnaud Rebillout

Jun 22, 2023, 9:20:04 PM
Hello Cyril,

On 22/06/2023 22:19, Cyril Brulebois wrote:
> I'll let Steve comment on this, but having had to deal with far-reaching
> consequences of that very change, that seemed trivial enough, I'm very
> much not convinced I'd like to see more things getting tweaked there.
>
> I acknowledge that this means a maintenance burden for downstream
> distributions that would like to use an unsigned GRUB. But then, that's
> their choice…

In Kali I fixed it another way, we now use the "monolithic unsigned
grub" inside our installer, instead of the "legacy" grub style. That
gets us closer to Debian's mainline, and hopefully will avoid this kind
of breakage in the future.

I'll be very happy to submit this kind of patch BTW, that is, if you're
still willing to support building the installer images with an unsigned
grub for x86, it will be easier to use the monolithic grub. AFAIK it's
the same as the signed grub, the only difference is that it's not signed.

But to be back to this bug report: I wanted to make sure that the
breakage was not Kali specific, and it's not. Being the one that noticed
it, and knowing that it's a bug in the debian-installer, I thought it
would be nice to spend the time, and investigate it properly and propose
a fix, even though we don't use this fix in Kali (as said above we
solved it differently by using a monolithic unsigned grub). I must add
that I tested those changes, in case it was not clear, even though
"tested" for me just means booting the .iso in a QEMU VM.

Cheers,

--
Arnaud Rebillout / OffSec / Kali Linux Developer