systemd-boot and GRUB EFI conflict during package configuration.
systemd-boot also fails to configure in chroot (no efivars available).
Using GRUB with shim-signed for UEFI Secure Boot instead.
Changes:
- config/package-lists: Remove systemd-boot, systemd-boot-efi
- tests/unit/secureboot_test.bats: Update test for GRUB instead
Reference: Build failure in binary phase
💘 Generated with Crush
Assisted-by: GLM-5 via Crush <crush@charm.land>

The package name in Debian repositories is sbsigntool (singular), not
sbsigntools (plural). This typo was causing ISO builds to fail with:
E: Unable to locate package sbsigntools
Files fixed:
- config/package-lists/knel-football.list.chroot - package list
- tests/unit/secureboot_test.bats - test reference
- docs/TEST-COVERAGE.md - documentation
- docs/PRD.md - requirements documentation
Reference: Security audit FINDING-007 (test coverage)
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>

Add complete Secure Boot implementation:
- Generate PK/KEK/db keys during ISO build
- Build Unified Kernel Image (UKI) bundling kernel+initramfs+cmdline
- Sign UKI with db key for Secure Boot verification
- Include kernel lockdown mode in cmdline (lockdown=confidentiality)
- Copy .auth files to ISO for UEFI key enrollment
All Secure Boot logic is embedded in run.sh as an inline binary hook
created during the Docker build process - no separate scripts.
Required packages added: efitools, sbsigntools, systemd-boot, binutils
VM template updated with TPM v2.0 for Secure Boot measurements.
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
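As an added example, not part of this commit or the project's run.sh hook: the EFI_SIGNATURE_LIST that the db/KEK enrollment files above are built from, in Python. build_x509_esl does what cert-to-efi-sig-list does for one DER certificate, and parse_esl walks a dumped list (for example the contents of db) while checking that its size fields are self-consistent. The certificate bytes and owner GUID are constructed stand-ins; the PKCS7 time-based signature that sign-efi-sig-list adds to turn the list into a .auth file is not covered here.

```python
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI spec: a list whose entries are DER X.509 certs.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# SignatureOwner identifies who enrolled the entry; this value is constructed.
OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
# Constructed stand-in for a DER certificate; a real build uses the db.crt
# generated with openssl during the ISO build.
FAKE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))
HDR = 16 + 4 + 4 + 4  # SignatureType GUID + three UINT32 size fields

def build_x509_esl(cert_der: bytes, owner: uuid.UUID = OWNER_GUID) -> bytes:
    """One EFI_SIGNATURE_LIST holding one X.509 cert, as cert-to-efi-sig-list
    emits it (sign-efi-sig-list later wraps this into a .auth file)."""
    sig_data = owner.bytes_le + cert_der  # EFI_SIGNATURE_DATA
    # EFI GUIDs are stored mixed-endian, hence bytes_le; SignatureHeaderSize is 0.
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack(
        "<III", HDR + len(sig_data), 0, len(sig_data))
    return header + sig_data

def parse_esl(blob: bytes) -> list:
    """Walk concatenated EFI_SIGNATURE_LISTs (e.g. a dumped db variable) and
    return one dict per entry; raise ValueError on inconsistent size fields."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        body = HDR + hdr_size
        if list_size < body or off + list_size > len(blob):
            raise ValueError("SignatureListSize inconsistent with buffer")
        if sig_size < 16 or (list_size - body) % sig_size:
            raise ValueError("signature array is not a multiple of SignatureSize")
        for pos in range(off + body, off + list_size, sig_size):
            entries.append({"type": sig_type,
                            "owner": uuid.UUID(bytes_le=blob[pos:pos + 16]),
                            "data": blob[pos + 16:pos + sig_size]})
        off += list_size
    return entries

def is_valid_esl(blob: bytes) -> bool:
    """True when every size field is self-consistent; False otherwise."""
    try:
        parse_esl(blob)
        return True
    except ValueError:
        return False
```

To inspect the keys a firmware actually enrolled, feed parse_esl the bytes of the db variable file under /sys/firmware/efi/efivars/ after stripping its 4-byte attribute prefix.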

Package icewm-themes is no longer available in Debian testing.
icewm-common provides the necessary themes as a dependency.
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>

Add UEFI Secure Boot packages to enable booting on systems
with Secure Boot enabled:
- shim-signed: Microsoft-signed shim bootloader
- grub-efi-amd64-signed: Signed GRUB EFI bootloader
- grub-efi-amd64-bin: GRUB EFI binaries
- efibootmgr: EFI boot manager utility
This is mandatory for modern UEFI systems that ship with
Secure Boot enabled by default.
Compliance: UEFI Secure Boot specification
💘 Generated with Crush
Assisted-by: GLM-5 via Crush <crush@charm.land>

- Update disable-package-management.sh with immutable permissions
- Update install-scripts.sh with proper path handling
- Add knel-football.list.chroot package list
- Add desktop shortcuts for VPN configuration
- Add USB automount support
💘 Generated with Crush
Assisted-by: GLM-4.6 via Crush <crush@charm.land>

- Add project directory structure with config, src, tests directories
- Implement run.sh host wrapper script for Docker-based workflow
- Create Dockerfile for build/test environment with live-build
- Add basic live-build configuration with preseed and package lists
- Add .gitignore and .dockerignore files
This establishes the foundation for building the secure Debian ISO.
💘 Generated with Crush
Assisted-by: GLM-4.6 via Crush <crush@charm.land>