/usr/share/doc/libfwup-dev/README.Debian is in libfwup-dev 8-3.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
signed vs unsigned bootloader
-------------------
The tools aren't configured to understand that there is actually a difference
between the signed and unsigned versions; only the BIOS will notice this
difference when enforcing secure boot.
The reasoning behind signed/unsigned installation is to be able to support
secure boot, even if the user doesn't have it turned on at installation time.
For Debian this is less applicable until there is infrastructure to support
secure boot.
At least in Ubuntu, the way that it's being done is that both
fwupdate-signed and fwupdate are seeded in the default installation.
If the end user installs in legacy mode nothing gets installed to the ESP.
If they install in UEFI mode then the signed version goes to the ESP
(whether or not secure boot is on). If they turn secure boot on later
then they're in good shape.
When someone installs fwupdate without fwupdate-signed on a minimal
system, the postinst will look and see if secure boot is turned on.
It doesn't do them any good to install to the ESP if secure boot is
turned on but fwupdate-signed isn't installed. So rather than cause the
postinst to fail on something that is configurable in the BIOS, a
warning is displayed.
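
The decision described above, as an added shell sketch that is not the fwupdate package's own postinst. The function names, the action keywords, and the choice to install the unsigned binary when secure boot is off are assumptions made for illustration; the secure boot state is read from the standard SecureBoot EFI variable in efivarfs.

```shell
#!/bin/sh
# Added illustration; NOT the maintainer script shipped by fwupdate.
# SecureBoot lives under the EFI global variable GUID. efivarfs puts a
# 4-byte attributes field in front of the data, so the value is byte 5.
SB_VAR="efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# secure_boot_state EFI_DIR -> prints "legacy", "on" or "off"
# (hypothetical helper; EFI_DIR is normally /sys/firmware/efi)
secure_boot_state() {
    efi_dir=$1
    # No EFI directory means the system was booted in legacy mode.
    [ -d "$efi_dir" ] || { echo legacy; return 0; }
    var="$efi_dir/$SB_VAR"
    # Variable missing: firmware without secure boot support.
    [ -r "$var" ] || { echo off; return 0; }
    # Skip the attributes, print one byte as an unsigned decimal.
    val=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' \n')
    if [ "$val" = 1 ]; then echo on; else echo off; fi
}

# esp_action EFI_DIR SIGNED_INSTALLED(yes|no) -> prints the action
# (hypothetical helper; action names are made up for this example)
esp_action() {
    state=$(secure_boot_state "$1")
    case "$state:$2" in
        legacy:*) echo skip ;;             # legacy install: nothing goes to the ESP
        *:yes)    echo install-signed ;;   # UEFI: signed binary, secure boot on or off
        on:no)    echo warn ;;             # unsigned binary is useless here: warn, don't fail
        *)        echo install-unsigned ;; # assumption: secure boot off, unsigned is fine
    esac
}

# On a real system the second argument would come from the package
# database; here it defaults to "no".
esp_action /sys/firmware/efi "${SIGNED_INSTALLED:-no}"
```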