Re: Secure boot - Uefi installation

2017-04-22 Thread Pascal Hambourg 

Le 21/04/2017 à 12:24, Bonno Bloksma a écrit :



If I remember right, when I installed debian alongside windows 8 on my previous 
UEFI HP laptop, I had to disable fast boot in windows 8, otherwise it would 
boot directly windows, not grub.


The reason for THAT is that Windows with fastboot turned on does a hibernate 
and not a shutdown when you tell it to shutdown.


The option you are referring to is "fast startup", not "fast boot".
"Fast boot" is a totally unrelated option available in some BIOS and 
UEFI firmwares.

Re: libreboot? Doc to follow? -- Re: Secure boot - Uefi installation

2017-04-21 Thread Joel Rees 
On Fri, Apr 21, 2017 at 7:31 AM, Steve McIntyre  wrote:
> f...@areyouforthepeople.org wrote:
>>
>>Hello:
>>
>>2 things:
>>
>>a. Even given all of their recent "damage" to themselves,
>>how does Libreboot play into this?  Is there a guide with respect to
>>Debian that people can use to go the Libreboot route -- supported
>>by this list?
>
> Pass.
>
>>b. This UEFI crap - and Microsoft/Intel trying to lock everything to
>>themselves crap is crappy.
>>
>>Has anyone gathered all of these UEFI steps and good workarounds into
>>One place that people can follow?
>
> UEFI as a design is fine,

If the option is nothing or UEFI, I'm still not sure which I'd take.

For a decent processor, I think I'd actually prefer raw hardware, but
such a decent processor doesn't exist. Nor do the I/O devices I'd be
able to attach to it.

Different people have different ideas of what they want, I guess.
(Shoot, I even have different ideas of what I want. ;-/ )

> but there are a lot of crappy
> implementations out there. Just like there are lots of crappy
> BIOSes. :-(
>
> For more information about UEFI and Debian, I wrote a long wiki page
> at
>
>   https://wiki.debian.org/UEFI

Thanks. Looks useful.

> Please check that out, and please ask if anything's not clear.
>
> --
> Steve McIntyre, Cambridge, UK.st...@einval.com
> Is there anybody out there?

Nobody out here but us chickens.


-- 
Joel Rees

I'm imagining I'm a computer scientist.

http://defining-computers.blogspot.com/2017/04/model-boot-up-process-description-with.html

RE: Secure boot - Uefi installation

2017-04-21 Thread Bonno Bloksma 
Hi,

>> I installed on a Dell (don't recall the model number now, but it's a 
>> recent model), and I found that the firmware appears to be buggy, in 
>> that you can specify a UEFI installation to boot, and it shows the 
>> setting you enter, but it ignores that setting and boots only to the 
>> default installation, which is something like "\boot\default\boot64.efi".
>
> If I remember right, when I installed debian alongside windows 8 on my 
> previous UEFI HP laptop, I had to disable fast boot in windows 8, otherwise 
> it would boot directly windows, not grub.

The reason for THAT is that Windows with fastboot turned on does a hibernate 
and not a shutdown when you tell it to shutdown.
So when you turn on the machine it does not do a boot cycle but a resume cycle, 
never going past the boot process.
Fastboot is on by default but I have not really found it to speed up the boot 
process when using a SSD to boot from.

Bonno Bloksma

Re: Secure boot - Uefi installation

2017-04-20 Thread Joel Rees 
On Tue, Apr 18, 2017 at 6:30 AM, Karagkiaouris Diamantis
 wrote:
> Dear All,
>
> How can i install debian with UEFI support? Is there any simple tutorial?

I hate to ask the obvious, but have you searched the web for, say,

"secure boot shim grub"   ?

And have you looked at

https://wiki.debian.org/SecureBoot   ?

> Also do i have to disable the secure boot and then proceed with uefi
> installation?
> I have tried but then a message "could not authenticate boot media" emerges
> and the boot stop right there.
> I am new to debian and i don't want to abandon for this silly reason.
>
> Thank you
>

Some other distributions provide you with a distribution-signed shim.
That means the distribution owns the cryptographic rights to remotely
admin your computer. (Cryptographic, not legal, and they eschew the
actual responsibility, of course.)

And you still may have a BIOS that doesn't really follow the UEFI
rules about any keys but the vendor's.

Debian is not doing that. If you want to use UEFI with Debian, you'll
have to make your own shim.

UEFI is only secure if you believe that letting your OS manufacturer
remotely admin your box is secure. Just say, "No."

Turn off secure boot.

And set the BIOS to allow MBR booting.

(That's two BIOS settings for most BIOSes, IIRC. At least, the last
time I did this, I had to do those separately in the BIOS I was
working with.)

-- 
Joel Rees

I'm imagining I'm a computer scientist:
http://defining-computers.blogspot.com/2017/04/model-boot-up-process-description-with.html

Re: Secure boot - Uefi installation

2017-04-20 Thread Steve McIntyre 
pas...@plouf.fr.eu.org wrote:
>Le 20/04/2017 à 15:41, Kent West a écrit :
>>
>> I installed on a Dell (don't recall the model number now, but it's a recent
>> model), and I found that the firmware appears to be buggy, in that you can
>> specify a UEFI installation to boot, and it shows the setting you enter,
>> but it ignores that setting and boots only to the default installation,
>> which is something like "\boot\default\boot64.efi".
>
>/EFI/boot/bootx64.efi. It is the default EFI path, used on removable 
>media such as installation or live images and by Windows as a rescue 
>boot loader.
>
>I had the same issue on HP Elitebook 8460 or 8470 laptops.

It's unfortunately quite common. Far too many bad UEFI implementations
that aren't being validated against the spec properly. :-(

>> The only way I could get around it was to create a separate \default
>> directory (or whatever the default directory name was - I don't now
>> remember) and copy my debian64.efi (or whatever it was) file into that
>> directory, renamed as boot64.efi (or whatever the default name was that it
>> was looking for).
>
>Actually there is a simpler workaround : during the installation of the 
>GRUB boot loader, the Debian installer asks whether to install GRUB in 
>the "removable device path" or so. Just answer "yes" and it will install 
>a copy of GRUB's core image in the default EFI path.
>
>It does the same as "grub-install --force-extra-removable"

That, and it sets a debconf flag so that on future upgrades grub will
remember you need this and re-install there every time it installs in
the normal (correct) Debian path. This is important - if the 2 copies
of grub-efi on the system diverge too much then it can cause boot
failures.

-- 
Steve McIntyre, Cambridge, UK.st...@einval.com
Is there anybody out there?

Re: libreboot? Doc to follow? -- Re: Secure boot - Uefi installation

2017-04-20 Thread Steve McIntyre 
f...@areyouforthepeople.org wrote:
>
>Hello:
>
>2 things:
>
>a. Even given all of their recent "damage" to themselves,
>how does Libreboot play into this?  Is there a guide with respect to
>Debian that people can use to go the Libreboot route -- supported
>by this list?

Pass.

>b. This UEFI crap - and Microsoft/Intel trying to lock everything to 
>themselves crap is crappy.
>
>Has anyone gathered all of these UEFI steps and good workarounds into 
>One place that people can follow?

UEFI as a design is fine, but there are a lot of crappy
implementations out there. Just like there are lots of crappy
BIOSes. :-(

For more information about UEFI and Debian, I wrote a long wiki page
at 

  https://wiki.debian.org/UEFI

Please check that out, and please ask if anything's not clear.

-- 
Steve McIntyre, Cambridge, UK.st...@einval.com
Is there anybody out there?

libreboot? Doc to follow? -- Re: Secure boot - Uefi installation

2017-04-20 Thread fc 


Hello:

2 things:

a. Even given all of their recent "damage" to themselves,
how does Libreboot play into this?  Is there a guide with respect to
Debian that people can use to go the Libreboot route -- supported
by this list?

b. This UEFI crap - and Microsoft/Intel trying to lock everything to 
themselves crap is crappy.


Has anyone gathered all of these UEFI steps and good workarounds into 
One place that people can follow?


I would be happy to help in that effort.

(I would also be happy to push that one answer
out onto forums where I see this issue mentioned.)

Thanks!

On 4/20/2017 9:49 AM, solitone wrote:

On Thursday, 20 April 2017 08:41:26 CEST Kent West wrote:

I installed on a Dell (don't recall the model number now, but it's a recent
model), and I found that the firmware appears to be buggy, in that you can
specify a UEFI installation to boot, and it shows the setting you enter,
but it ignores that setting and boots only to the default installation,
which is something like "\boot\default\boot64.efi".

If I remeber right, when I installed debian alongside windows 8 on my previous
UEFI HP laptop, I had to disable fast boot in windows 8, otherwise it would
boot directly windows, not grub.

Re: Secure boot - Uefi installation

2017-04-20 Thread Pascal Hambourg 

Le 20/04/2017 à 02:36, Joel Rees a écrit :

On Thu, Apr 20, 2017 at 4:02 AM, Diamantis Karagkiaouris
 wrote:

I am really pissed off with the installation as it failed miserably.


If it fails after disabling UEFI, you probably have a machine with a
BIOS that doesn't really disable UEFI when you tell it to nicely. (I
hear some won't allow it at all.


I have a very old (~2007) UEFI motherboard which allows to enable or 
disable EFI boot, but it seems that many recent UEFI firmwares don't 
allow to disable EFI boot. At best they allow to enable or disable 
legacy boot (in BIOS compatibility mode), but EFI boot sources keep 
precedence when available. I have seen a few netbooks with 32-bit UEFI 
firwares which did not support legacy boot at all.



It asks me if i want to force uefi and then it fails on grub configuration.


What do you mean by force UEFI?


I suspect it is the question asked by the installer when booted in EFI 
mode but it finds a legacy boot system on a disk. If you answer to force 
UEFI, it proceeds to install GRUB EFI. Otherwise, it proceeds to install 
GRUB BIOS instead.


It would mean that the Debian installer did boot in EFI mode.
Installing GRUB EFI requires an EFI system partition so if you choose 
custom partitioning, you must create one if it does not exist.


You can get more information about the failure by looking up the 
installer logs in /var/log, or by running grub-install and update-grub 
manually in a shell.



In opensuse i didnt have this issue.


openSUSE bought a signed key for secure boot.

Re: Secure boot - Uefi installation

2017-04-20 Thread Pascal Hambourg 

Le 20/04/2017 à 15:41, Kent West a écrit :


I installed on a Dell (don't recall the model number now, but it's a recent
model), and I found that the firmware appears to be buggy, in that you can
specify a UEFI installation to boot, and it shows the setting you enter,
but it ignores that setting and boots only to the default installation,
which is something like "\boot\default\boot64.efi".


/EFI/boot/bootx64.efi. It is the default EFI path, used on removable 
media such as installation or live images and by Windows as a rescue 
boot loader.


I had the same issue on HP Elitebook 8460 or 8470 laptops.


The only way I could get around it was to create a separate \default
directory (or whatever the default directory name was - I don't now
remember) and copy my debian64.efi (or whatever it was) file into that
directory, renamed as boot64.efi (or whatever the default name was that it
was looking for).


Actually there is a simpler workaround : during the installation of the 
GRUB boot loader, the Debian installer asks whether to install GRUB in 
the "removable device path" or so. Just answer "yes" and it will install 
a copy of GRUB's core image in the default EFI path.


It does the same as "grub-install --force-extra-removable"

Re: Secure boot - Uefi installation

2017-04-20 Thread solitone 
On Thursday, 20 April 2017 08:41:26 CEST Kent West wrote:
> I installed on a Dell (don't recall the model number now, but it's a recent
> model), and I found that the firmware appears to be buggy, in that you can
> specify a UEFI installation to boot, and it shows the setting you enter,
> but it ignores that setting and boots only to the default installation,
> which is something like "\boot\default\boot64.efi".

If I remeber right, when I installed debian alongside windows 8 on my previous 
UEFI HP laptop, I had to disable fast boot in windows 8, otherwise it would 
boot directly windows, not grub.

Re: Secure boot - Uefi installation

2017-04-20 Thread Kent West 
On Thu, Apr 20, 2017 at 8:41 AM, Kent West  wrote:

>
>
> On Mon, Apr 17, 2017 at 4:30 PM, Karagkiaouris Diamantis <
> diamantis.karagkiaouris@gmail.com> wrote:
>
>> Dear All,
>>
>> How can i install debian with UEFI support? Is there any simple tutorial?
>> Also do i have to disable the secure boot and then proceed with uefi
>> installation?
>> I have tried but then a message "could not authenticate boot media"
>> emerges and the boot stop right there.
>> I am new to debian and i don't want to abandon for this silly reason.
>>
>> Thank you
>>
>>
>
> I thought I had kept notes when I did this, but I can't find them.
>
> I installed on a Dell (don't recall the model number now, but it's a
> recent model), and I found that the firmware appears to be buggy, in that
> you can specify a UEFI installation to boot, and it shows the setting you
> enter, but it ignores that setting and boots only to the default
> installation, which is something like "\boot\default\boot64.efi".
>
> The only way I could get around it was to create a separate \default
> directory (or whatever the default directory name was - I don't now
> remember) and copy my debian64.efi (or whatever it was) file into that
> directory, renamed as boot64.efi (or whatever the default name was that it
> was looking for).
>
> Stupid firmware programming!
>
>
> --
> Kent West<")))><
> Westing Peacefully - http://kentwest.blogspot.com
>


This thread outlines my woes that I had previously:

https://lists.debian.org/debian-user/2017/03/msg00544.html

-- 
Kent West<")))><
Westing Peacefully - http://kentwest.blogspot.com

Re: Secure boot - Uefi installation

2017-04-20 Thread Kent West 
On Mon, Apr 17, 2017 at 4:30 PM, Karagkiaouris Diamantis <
diamantis.karagkiaouris@gmail.com> wrote:

> Dear All,
>
> How can i install debian with UEFI support? Is there any simple tutorial?
> Also do i have to disable the secure boot and then proceed with uefi
> installation?
> I have tried but then a message "could not authenticate boot media"
> emerges and the boot stop right there.
> I am new to debian and i don't want to abandon for this silly reason.
>
> Thank you
>
>

I thought I had kept notes when I did this, but I can't find them.

I installed on a Dell (don't recall the model number now, but it's a recent
model), and I found that the firmware appears to be buggy, in that you can
specify a UEFI installation to boot, and it shows the setting you enter,
but it ignores that setting and boots only to the default installation,
which is something like "\boot\default\boot64.efi".

The only way I could get around it was to create a separate \default
directory (or whatever the default directory name was - I don't now
remember) and copy my debian64.efi (or whatever it was) file into that
directory, renamed as boot64.efi (or whatever the default name was that it
was looking for).

Stupid firmware programming!


-- 
Kent West<")))><
Westing Peacefully - http://kentwest.blogspot.com

Re: Secure boot - Uefi installation

2017-04-19 Thread Pascal Hambourg 

Le 20/04/2017 à 00:44, Mark Fletcher a écrit :

On Wed, Apr 19, 2017 at 08:53:52PM +0200, Pascal Hambourg wrote:

Le 18/04/2017 à 01:21, Mark Fletcher a écrit :


I believe the live images only use MBR boot


BIOS boot.


Pedant.


Pleased to meet you. I'm Pascal.


You knew exactly what I meant.


Of course I did. That is why I corrected your mistake.

Re: Secure boot - Uefi installation

2017-04-19 Thread Joel Rees 
On Thu, Apr 20, 2017 at 4:02 AM, Diamantis Karagkiaouris
 wrote:
> I am really pissed off with the installation as it failed miserably.

If it fails after disabling UEFI, you probably have a machine with a
BIOS that doesn't really disable UEFI when you tell it to nicely. (I
hear some won't allow it at all. The entry is there in the BIOS
configuration screens, but it either does nothing or is trapped back
to UEFI on such hardware.)

> It asks me if i want to force uefi and then it fails on grub configuration.

What do you mean by force UEFI?

> In opensuse i didnt have this issue.
> I really like the idea of hands on but this is nonsense.
> In every upgrade of debian testing should i cross my fingers?

It sounds like there is something I don't know about what you are doing.

> Am 19.04.2017 21:54 schrieb "Pascal Hambourg" :
>>
>> Le 18/04/2017 à 01:21, Mark Fletcher a écrit :
>>>
>>>
>>> I believe the live images only use MBR boot
>>
>>
>> BIOS boot.

-- 
Joel Rees

I'm imagining I'm a novelist:
http://joel-rees-economics.blogspot.com/2017/01/soc500-00-00-toc.html
More of my delusions:
http://reiisi.blogspot.jp/p/novels-i-am-writing.html

Re: Secure boot - Uefi installation

2017-04-19 Thread Mark Fletcher 
On Wed, Apr 19, 2017 at 08:53:52PM +0200, Pascal Hambourg wrote:
> Le 18/04/2017 à 01:21, Mark Fletcher a écrit :
> >
> >I believe the live images only use MBR boot
> 
> BIOS boot.
> 
Pedant. You knew exactly what I meant.

Re: Secure boot - Uefi installation

2017-04-19 Thread Diamantis Karagkiaouris 
I am really pissed off with the installation as it failed miserably.
It asks me if i want to force uefi and then it fails on grub configuration.
In opensuse i didnt have this issue.
I really like the idea of hands on but this is nonsense.
In every upgrade of debian testing should i cross my fingers?

Am 19.04.2017 21:54 schrieb "Pascal Hambourg" :

> Le 18/04/2017 à 01:21, Mark Fletcher a écrit :
>
>>
>> I believe the live images only use MBR boot
>>
>
> BIOS boot.
>
>

Re: Secure boot - Uefi installation

2017-04-19 Thread Pascal Hambourg 

Le 18/04/2017 à 01:21, Mark Fletcher a écrit :


I believe the live images only use MBR boot


BIOS boot.

Re: Secure boot - Uefi installation

2017-04-17 Thread solitone 
On Tuesday, 18 April 2017 00:30:47 CEST Karagkiaouris Diamantis wrote:
> do i have to disable the secure boot and then proceed with uefi
> installation?

Yes, you should disable secure boot. I had to do this when I installed Jessie 
on an HP UEFI laptop.

Re: Secure boot - Uefi installation

2017-04-17 Thread Tony Baldwin 



On 04/17/2017 07:21 PM, Mark Fletcher wrote:

On Tue, Apr 18, 2017 at 12:30:47AM +0300, Karagkiaouris Diamantis wrote:

Dear All,

How can i install debian with UEFI support? Is there any simple tutorial?
Also do i have to disable the secure boot and then proceed with uefi
installation?
I have tried but then a message "could not authenticate boot media" emerges
and the boot stop right there.
I am new to debian and i don't want to abandon for this silly reason.

Thank you


Unless things have changed very recently, yes -- you need to disable
secure boot, then you can do an install to UEFI media. I say this with
the caveat that I have used UEFI-aware Debian install media but the only
UEFI install I have actually done was of LFS not Debian.

Debian install media can boot a UEFI-aware machine if secure boot is
disabled. I believe the live images only use MBR boot method, presumably
so they can work on the largest number of machines, even old ones
(UEFI-only machines are only just now emerging)

Mark



I thought UEFI compatible installations was the default now.
I'm pretty sure my hardware is uefi-ized, and it's all working fine.
Then again, I did not install current stable, but rather upgraded to 
Jessie from old stable (wheezy)


tony
--
93 - 93/93
http://tonybaldwin.me
all tony, all the time

Re: Secure boot - Uefi installation

2017-04-17 Thread Mark Fletcher 
On Tue, Apr 18, 2017 at 12:30:47AM +0300, Karagkiaouris Diamantis wrote:
> Dear All,
> 
> How can i install debian with UEFI support? Is there any simple tutorial?
> Also do i have to disable the secure boot and then proceed with uefi
> installation?
> I have tried but then a message "could not authenticate boot media" emerges
> and the boot stop right there.
> I am new to debian and i don't want to abandon for this silly reason.
> 
> Thank you
> 
Unless things have changed very recently, yes -- you need to disable 
secure boot, then you can do an install to UEFI media. I say this with 
the caveat that I have used UEFI-aware Debian install media but the only 
UEFI install I have actually done was of LFS not Debian.

Debian install media can boot a UEFI-aware machine if secure boot is 
disabled. I believe the live images only use MBR boot method, presumably 
so they can work on the largest number of machines, even old ones 
(UEFI-only machines are only just now emerging)

Mark