On Tuesday, 1 October 2019 15:32:27 BST Mick wrote:
> On Tue, 1 Oct 2019 at 13:18, Mick <[email protected]> wrote:
> > When using Secure Boot the UEFI firmware checks that the binaries to be
> > loaded have been signed by Microsoft. The 'SHA256 verified' message
> > indicates the systemd-boot binary is signed using a key which is
> > ultimately signed by Microsoft and is contained in the whitelist
> > (MokList). If the verification failed I think it would spit something
> > back to allow you to enrol a valid hash or key.
>
> Scratch that - the message itself is a debug message following an
> early SHA-256 implementation self-test[1] before the systemd provided
> random seed file is loaded. All the Secure Boot signature checks that
> follow will utilise the random seed file systemd provides.
>
> [1] https://github.com/systemd/systemd/blob/4c858c6fd5d588b30d9851bb576520e74b041739/src/boot/efi/random-seed.c#L172
Okay, thanks.
[I hope I've been clear enough in what follows :) ]
Yet another attempt. I've repartitioned the disk without the unformatted
partition, as in Neil's usual scheme; deleted all boot entries using
efibootmgr; allowed the UEFI BIOS to set itself up again; and run 'bootctl
update' to copy the latest kernel into place.
Then, bootctl status shows this:
Default Boot Loader Entry:
title: Gentoo TestSys 4.19.72 (no network)
id: 92-testsys-4.19.72.nonet
source: /boot/loader/entries/92-testsys-4.19.72.nonet.conf
linux: /vmlinuz-4.19.72-gentoo-testsys
options: root=/dev/sda4 initrd=/intel-uc.img net.ifnames=0 softlevel=nonetwork
That's supposed to be a secondary entry, not the primary, so I tried to set a
different default. Man bootctl includes this:
set-default ID, set-oneshot ID
    Sets the default boot loader entry. Takes a single boot loader entry ID
    string as argument. The set-oneshot command will set the default entry only
    for the next boot, the set-default will set it persistently for all future
    boots.
bootctl list output includes this entry:
title: Gentoo Linux 4.19.72
id: 30-gentoo-4.19.72
source: /boot/loader/entries/30-gentoo-4.19.72.conf
linux: /vmlinuz-4.19.72-gentoo
options: root=/dev/nvme0n1p4 initrd=/intel-uc.img net.ifnames=0
That's the one I want to set as default, but then:
# bootctl set-default 30-gentoo-4.19.72
Failed to update EFI variable: Invalid argument
What is this ID supposed to be, if not the ID shown by bootctl list? Oh, and
efivars is mounted rw, of course.
Bootctl and efibootmgr seem to operate orthogonally, at least in some
respects, which doesn't help me to understand what's going on.
--
Regards,
Peter.
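Added example, not from the thread or from systemd: a small POSIX sh helper that reads the entry ID systemd-boot currently stores for the default/oneshot entry straight out of efivarfs and checks that an ID names an entry file before you hand it to `bootctl set-default`. It assumes (from systemd-boot, not from this mail) that the default lives in the EFI variable LoaderEntryDefault (LoaderEntryOneShot for set-oneshot) under the loader's vendor GUID, that efivarfs exposes it as a 4-byte attribute header followed by a UTF-16LE string, and that entries are /boot/loader/entries/<id>.conf; the fixture directories are constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): inspect what systemd-boot stores for
# the default entry and check an ID before calling `bootctl set-default`.
# Assumptions: the default is kept in the EFI variable LoaderEntryDefault
# (LoaderEntryOneShot for set-oneshot) under systemd-boot's vendor GUID, and
# efivarfs exposes it as 4 attribute bytes followed by a UTF-16LE string.
LOADER_GUID=4a67b082-0a4c-41cf-b6c7-5d93aa63f470

# Print the entry ID held in a loader variable, or nothing if it is unset.
# $1 = efivars directory, $2 = variable name (LoaderEntryDefault/OneShot)
read_loader_var() {
    f="$1/$2-$LOADER_GUID"
    [ -r "$f" ] || return 0
    # drop the 4-byte attribute header, then strip the UTF-16 NUL bytes
    tail -c +5 "$f" | tr -d '\000'
}

# Succeed only if $2 names an existing <id>.conf file under $1.
entry_exists() {
    [ -f "$1/$2.conf" ]
}

# Write $1 (ASCII only) as UTF-16LE to stdout.
to_utf16le() {
    s=$1
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}
        printf '%s\000' "$c"
    done
}

# Constructed fixture standing in for /sys/firmware/efi/efivars and
# /boot/loader/entries so the script runs offline.
make_fixture() {
    mkdir -p "$1/efivars" "$1/entries"
    : > "$1/entries/30-gentoo-4.19.72.conf"
    : > "$1/entries/92-testsys-4.19.72.nonet.conf"
    { printf '\007\000\000\000'            # NV|BS|RT attribute bits
      to_utf16le 92-testsys-4.19.72.nonet
    } > "$1/efivars/LoaderEntryDefault-$LOADER_GUID"
}

if [ "${1:-}" = demo ]; then
    d=$(mktemp -d); make_fixture "$d"
    echo "current default: $(read_loader_var "$d/efivars" LoaderEntryDefault)"
    entry_exists "$d/entries" 30-gentoo-4.19.72 && echo "30-gentoo-4.19.72 exists"
    rm -rf "$d"
fi
```

Against a real system, point read_loader_var at /sys/firmware/efi/efivars and entry_exists at /boot/loader/entries instead of the fixture.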