Re: [lfs-support] Good Results with LFS and EFI
On 11/27/2013 11:14 AM, Rob Taylor wrote:
> Hi Dan,
> I was wondering how it was going with secure boot and LFS?
>
> I have reached the 6.48. GRUB-2.00 stage of my re-build of LFS 7.4
> using my new scripts and wrappers.
>
> For this stage, since I already have secure boot disabled and am
> booting the traditional way, I think I will just follow the LFS book.
> But you have inspired me to look into this issue. I may develop a
> system to enable booting from either the BIOS or the Unified
> Extensible Firmware Interface, depending on what the computer has.
>
> I do not recall if one of the references you mentioned included this link?
> http://www.rodsbooks.com/efi-bootloaders/secureboot.html
>
> It shows a couple of different ways to sign your own binaries etc.

I've been caught up in getting X to work in my new build and haven't kept up on my correspondence. All is great so I can get back to my testing with UEFI. I might have to do another LFS build to do that, however, because my current one has more stuff on it than needed for a "minimal" effort. For example, before I learned about efivarfs, I installed gummiboot. I really like it.

If you install GRUB2 in "BIOS Mode," it will write its images to the "MBR Protected Layer" of your disk. I do not know how to remove it from there once you change your mind. It might even interfere with your UEFI testing. My recommendation, if it fits your purposes and while you are experimenting, is to use the efi-stubs on the kernel and use efibootmgr to make an entry in your system boot manager.

And, yes, I'm familiar with the information in "rodsbooks." I refreshed my memory on that particular page. With what I have found and the speed with which all this stuff is evolving, that page might be a little dated. I'm sure it will work, but I think there is an "up and coming" application so that you don't have to depend on someone else's key and some distro's "shim" file.

I encourage you to search for and find "efitools." I think the current version is 1.4 which was published just in March. In it is the ability to edit the EFI variables, including the secure ones. If I read the supporting documentation correctly, you can generate your own key and register it with the firmware. I think that's going to be the way to get GRUB2 to work.

I think that the situation now is that GRUB2 does a great job at being a boot loader--as it always has. To maintain its capabilities it needs to morph to a boot manager too.

I'm almost finished with my write up on getting LFS to boot with the kernel efi-stubs.

@Rob--I didn't know if you intended this for off-list or not, so you're going to get two.

Dan
--
http://linuxfromscratch.org/mailman/listinfo/lfs-support
FAQ: http://www.linuxfromscratch.org/lfs/faq.html
Unsubscribe: See the above information page
Re: [lfs-support] Good Results with LFS and EFI
Hi Dan,

I was wondering how it was going with secure boot and LFS?

I have reached the 6.48. GRUB-2.00 stage of my re-build of LFS 7.4 using my new scripts and wrappers.

For this stage, since I already have secure boot disabled and am booting the traditional way, I think I will just follow the LFS book. But you have inspired me to look into this issue. I may develop a system to enable booting from either the BIOS or the Unified Extensible Firmware Interface, depending on what the computer has.

I do not recall if one of the references you mentioned included this link?
http://www.rodsbooks.com/efi-bootloaders/secureboot.html

It shows a couple of different ways to sign your own binaries etc.

Take Care,
Robert Taylor

On Mon, Nov 18, 2013 at 8:30 AM, Dan McGhee wrote:
> At the start here, I want to apologize to those who may be frustrated
> with my changing the subject line for this EFI stuff. The subject
> appears to be at least a "warm one," if not a "hot one." Therefore,
> many things get hidden in the replies. So, in an attempt to keep things
> fresh and simple, I just start a new thread. When the time comes, and it
> will be quite soon now, I will post the basics of my "how I did it" and,
> if people are interested, post what I learned, the reasons why I did
> what I did, my conclusions and what I think is left for my future testing.
>
> I was able to get the kernel to load. That's the good news. The bad
> news is that I got a kernel panic. But, as I write this, I'm fixing
> that. I have another kernel in the oven.
>
> Using the kernel's efi-stubs was last on my list of testing. I thought
> I knew grub pretty well and didn't know anything about initrd's and
> initramfs, and everything that I had read about the efi-stubs included
> one of those two. But Geoff's success with his imbedded kernel command
> line looked promising so I did it.
>
> One of the things he cautioned about, and I'm reinforcing now, is to
> make sure that all the drivers the kernel needs to boot are either
> configured into the kernel or made available on the EFI partition so
> that the kernel can load them. That turned out to be my problem. I had
> the "ahci" drivers configured as modules, and since the kernel couldn't
> load my hard drive, it couldn't mount the filesystem. Here are the
> kernel configuration options I used:
>
> CONFIG_CMDLINE_BOOLEAN=y
> CONFIG_CMDLINE="root=/dev/" (=partition containing LFS)
> CONFIG_EFI_PARTITION=y
>
> CONFIG_EFI=y
> CONFIG_EFI_STUB=y
> CONFIG_FB_EFI=y
>
> CONFIG_FRAMEBUFFER_CONSOLE=y
>
> CONFIG_RELOCATABLE=y
>
> CONFIG_EFI_VARS=n (shows up as "Not Set")
>
> CONFIG_EFIVAR_FS=y
>
> Please note that these are the same as Geoff posted last night with the
> exception that he used EFIVARS and not EFIVARFS. I did this because
> efivarfs is replacing efivars sometime in the future.
>
> Then it's just a matter of getting the kernel to the EFI partition and
> getting the entry into the Boot Manager. My EFI partition is mounted at
> /boot/efi so it was:
>
> mkdir -vp /boot/efi/EFI/lfs-7.4
> cp -v /boot/vmlinuz- /boot/efi/EFI/lfs-7.4/vimliuz- cetera.,efi
>
> I don't know if the ".efi" was necessary, but all the files I've seen on
> the EFI partition end like that. Geoff gave the command he used for
> efibootmgr, but I started using gummiboot, so I did my "gummiboot thing."
>
> The result of booting was a kernel panic, but that's farther than I have
> gotten since I started doing this research. I can fix a kernel panic.
> But the interesting conclusion that I have drawn is that unless GRUB2 is
> hacked it won't boot a kernel "in the old way." When I was testing, I
> never got my kernel to load and I couldn't load Ubuntu unless I
> chainloaded its efi file like I do Windoze. Last night William
> Harrington posted a link to the Fedora site regarding grub patches.
> There were a lot. Also, let me quote the "FEDORA.README" from that link:
>
> > GRUB 2 provides various feature enhancements over the previous GRUB version
> > (referred to as "GRUB", or "GRUB Legacy") which has been unmaintained upstream
> > for years. GRUB has thus been deprecated in Fedora and replaced by GRUB 2 for
> > BIOS systems. (EFI systems still uses GRUB Legacy from the new grub-efi
> > package.)
>
> So, Fedora is using grub legacy to boot into an efi environment. The
> vast majority of threads I have found at arch-linux, ubuntu, gentoo and
> openSuse all talk about not being able to boot other things with GRUB2.
> Very few, if any, people complain about their distros not booting.
>
> I think that if LFS is going to document how to boot using an EFI
> partition, then the most stripped down way is with the kernel efi-stubs
> and efibootmgr. If someone chooses that option for their system, there
> is no need for GRUB2. Multiboot options can be handled either by
> efibootmgr, which is the simplest, gummiboot or rEFInd.
>
> I'm still going to try to find a way to use GRUB2 in this. But, I
> have
Re: [lfs-support] Good Results with LFS and EFI
On Nov 18, 2013, at 10:30 AM, Dan McGhee wrote:
> I'm still going to try to find a way to use GRUB2 in this. But, I
> haven't done any building for my LFS system in almost a month and I want
> to get back to it. I'm going to let this grub stuff grow penicillin in
> my brain for awhile and then try again.

Grub2 has made a lot of things very complicated, but the project is also not only working with the i386 platform, it is also working on multiple targets with multiple platforms.

arc, coreboot, efi, emu, ieee1275, loongson, multiboot, qemu, qemu-mips, pc: for which target regarding i386, ia64, mips, mipsel, powerpc, sparc64, and x86_64

You may want to give syslinux a go as it may have a healthier efi state.

For syslinux you will need the syslinux source, gnu-efi source, and nasm source.

I have a guide I updated, but I think it still needs work. I may have got some commands backwards.

http://trac.cross-lfs.org/wiki/bootloaders/syslinux

Such as IA64 and IA32 going with syslinux and not gnu-efi. I referred to the archlinux wiki for syslinux.

I found it a huge pain to even set up grub2 for a serial console to boot. With syslinux, was quite simple. It may be the same way with efi and uefi.

GRUB2 is okay, but it isn't that great. There are still plenty of headaches out there with it. Although, I am glad it was working partially with sparc64 systems.

Sincerely,
William Harrington
Re: [lfs-support] Good Results with LFS and EFI
On 11/18/2013 10:54 AM, Bruce Dubbs wrote:
>
> I monitor the grub-devel mailing list and there is a lot of activity
> discussing UEFI. This seems to be an important issue. What I'd like to
> do is have GRUB load and then be able to load whatever I want to
> whatever partition I specify without having to rebuild a kernel every
> time. I also like having the command line capability of GRUB.

I agree with you. GRUB is a great tool, and I also believe that it's in a state of transition. Using GRUB you can do what you want from the menu except boot your own LFS. :) And, you're right about the kernels. I've spent the majority of two days configuring kernels. yuk. I just wish I knew C so that I could understand what's going on at the dev level of grub.

>
> Right now I think GRUB on UEFI is really bleeding edge. I can't
> participate directly because I don't have the HW but I think your work
> is important for LFS. It is, at a minimum, a good transition to what
> will end up being a stable solution.
>

Thanks for the vote of confidence.

Dan
Re: [lfs-support] Good Results with LFS and EFI
Dan McGhee wrote:
> At the start here, I want to apologize to those who may be frustrated
> with my changing the subject line for this EFI stuff. The subject
> appears to be at least a "warm one," if not a "hot one." Therefore,
> many things get hidden in the replies. So, in an attempt to keep things
> fresh and simple, I just start a new thread. When the time comes, and it
> will be quite soon now,

I think that's a good approach.

> I will post the basics of my "how I did it" and,
> if people are interested, post what I learned, the reasons why I did
> what I did, my conclusions and what I think is left for my future testing.
>
> I was able to get the kernel to load. That's the good news. The bad
> news is that I got a kernel panic. But, as I write this, I'm fixing
> that. I have another kernel in the oven.
>
> Using the kernel's efi-stubs was last on my list of testing. I thought
> I knew grub pretty well and didn't know anything about initrd's and
> initramfs, and everything that I had read about the efi-stubs included
> one of those two. But Geoff's success with his imbedded kernel command
> line looked promising so I did it.
>
> One of the things he cautioned about, and I'm reinforcing now, is to
> make sure that all the drivers the kernel needs to boot are either
> configured into the kernel or made available on the EFI partition so
> that the kernel can load them. That turned out to be my problem. I had
> the "ahci" drivers configured as modules, and since the kernel couldn't
> load my hard drive, it couldn't mount the filesystem. Here are the
> kernel configuration options I used:
>
> CONFIG_CMDLINE_BOOLEAN=y
> CONFIG_CMDLINE="root=/dev/" (=partition containing LFS)
> CONFIG_EFI_PARTITION=y
>
> CONFIG_EFI=y
> CONFIG_EFI_STUB=y
> CONFIG_FB_EFI=y
>
> CONFIG_FRAMEBUFFER_CONSOLE=y
>
> CONFIG_RELOCATABLE=y
>
> CONFIG_EFI_VARS=n (shows up as "Not Set")
>
> CONFIG_EFIVAR_FS=y
>
> Please note that these are the same as Geoff posted last night with the
> exception that he used EFIVARS and not EFIVARFS. I did this because
> efivarfs is replacing efivars sometime in the future.
>
> Then it's just a matter of getting the kernel to the EFI partition and
> getting the entry into the Boot Manager. My EFI partition is mounted at
> /boot/efi so it was:
>
> mkdir -vp /boot/efi/EFI/lfs-7.4
> cp -v /boot/vmlinuz- /boot/efi/EFI/lfs-7.4/vimliuz- cetera.,efi
>
> I don't know if the ".efi" was necessary, but all the files I've seen on
> the EFI partition end like that. Geoff gave the command he used for
> efibootmgr, but I started using gummiboot, so I did my "gummiboot thing."
>
> The result of booting was a kernel panic, but that's farther than I have
> gotten since I started doing this research. I can fix a kernel panic.
> But the interesting conclusion that I have drawn is that unless GRUB2 is
> hacked it won't boot a kernel "in the old way." When I was testing, I
> never got my kernel to load and I couldn't load Ubuntu unless I
> chainloaded its efi file like I do Windoze. Last night William
> Harrington posted a link to the Fedora site regarding grub patches.
> There were a lot. Also, let me quote the "FEDORA.README" from that link:
>
>> GRUB 2 provides various feature enhancements over the previous GRUB version
>> (referred to as "GRUB", or "GRUB Legacy") which has been unmaintained upstream
>> for years. GRUB has thus been deprecated in Fedora and replaced by GRUB 2 for
>> BIOS systems. (EFI systems still uses GRUB Legacy from the new grub-efi
>> package.)
>
> So, Fedora is using grub legacy to boot into an efi environment. The
> vast majority of threads I have found at arch-linux, ubuntu, gentoo and
> openSuse all talk about not being able to boot other things with GRUB2.
> Very few, if any, people complain about their distros not booting.
>
> I think that if LFS is going to document how to boot using an EFI
> partition, then the most stripped down way is with the kernel efi-stubs
> and efibootmgr. If someone chooses that option for their system, there
> is no need for GRUB2. Multiboot options can be handled either by
> efibootmgr, which is the simplest, gummiboot or rEFInd.
>
> I'm still going to try to find a way to use GRUB2 in this. But, I
> haven't done any building for my LFS system in almost a month and I want
> to get back to it. I'm going to let this grub stuff grow penicillin in
> my brain for awhile and then try again.

I monitor the grub-devel mailing list and there is a lot of activity discussing UEFI. This seems to be an important issue. What I'd like to do is have GRUB load and then be able to load whatever I want to whatever partition I specify without having to rebuild a kernel every time. I also like having the command line capability of GRUB.

Right now I think GRUB on UEFI is really bleeding edge. I can't participate directly because I don't have the HW but I think your work is important for LFS. It is, at a minimum, a good transition t
[lfs-support] Good Results with LFS and EFI
At the start here, I want to apologize to those who may be frustrated with my changing the subject line for this EFI stuff. The subject appears to be at least a "warm one," if not a "hot one." Therefore, many things get hidden in the replies. So, in an attempt to keep things fresh and simple, I just start a new thread. When the time comes, and it will be quite soon now, I will post the basics of my "how I did it" and, if people are interested, post what I learned, the reasons why I did what I did, my conclusions and what I think is left for my future testing.

I was able to get the kernel to load. That's the good news. The bad news is that I got a kernel panic. But, as I write this, I'm fixing that. I have another kernel in the oven.

Using the kernel's efi-stubs was last on my list of testing. I thought I knew grub pretty well and didn't know anything about initrd's and initramfs, and everything that I had read about the efi-stubs included one of those two. But Geoff's success with his imbedded kernel command line looked promising so I did it.

One of the things he cautioned about, and I'm reinforcing now, is to make sure that all the drivers the kernel needs to boot are either configured into the kernel or made available on the EFI partition so that the kernel can load them. That turned out to be my problem. I had the "ahci" drivers configured as modules, and since the kernel couldn't load my hard drive, it couldn't mount the filesystem. Here are the kernel configuration options I used:

CONFIG_CMDLINE_BOOLEAN=y
CONFIG_CMDLINE="root=/dev/" (=partition containing LFS)
CONFIG_EFI_PARTITION=y

CONFIG_EFI=y
CONFIG_EFI_STUB=y
CONFIG_FB_EFI=y

CONFIG_FRAMEBUFFER_CONSOLE=y

CONFIG_RELOCATABLE=y

CONFIG_EFI_VARS=n (shows up as "Not Set")

CONFIG_EFIVAR_FS=y

Please note that these are the same as Geoff posted last night with the exception that he used EFIVARS and not EFIVARFS. I did this because efivarfs is replacing efivars sometime in the future.

Then it's just a matter of getting the kernel to the EFI partition and getting the entry into the Boot Manager. My EFI partition is mounted at /boot/efi so it was:

mkdir -vp /boot/efi/EFI/lfs-7.4
cp -v /boot/vmlinuz- /boot/efi/EFI/lfs-7.4/vimliuz-

> GRUB 2 provides various feature enhancements over the previous GRUB version
> (referred to as "GRUB", or "GRUB Legacy") which has been unmaintained upstream
> for years. GRUB has thus been deprecated in Fedora and replaced by GRUB 2 for
> BIOS systems. (EFI systems still uses GRUB Legacy from the new grub-efi
> package.)

So, Fedora is using grub legacy to boot into an efi environment. The vast majority of threads I have found at arch-linux, ubuntu, gentoo and openSuse all talk about not being able to boot other things with GRUB2. Very few, if any, people complain about their distros not booting.

I think that if LFS is going to document how to boot using an EFI partition, then the most stripped down way is with the kernel efi-stubs and efibootmgr. If someone chooses that option for their system, there is no need for GRUB2. Multiboot options can be handled either by efibootmgr, which is the simplest, gummiboot or rEFInd.

I'm still going to try to find a way to use GRUB2 in this. But, I haven't done any building for my LFS system in almost a month and I want to get back to it. I'm going to let this grub stuff grow penicillin in my brain for awhile and then try again.

Dan
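Added example, not part of the original post or of LFS: a shell check for the failure Dan describes above, where a boot-critical driver (ahci) was built as a module and the EFI-stub kernel, having no initramfs, could not mount root. It goes beyond the post by auditing the whole option list; the function names, the `BOOT_DRIVERS` defaults (SATA disk, ext4 root) and the sample config are assumptions, and it uses the kernel's symbol name `CONFIG_CMDLINE_BOOL`.

```shell
# Added example (not from the thread): audit a kernel .config for booting
# through the EFI stub with an embedded command line and no initramfs.
# Options listed in the thread. CONFIG_CMDLINE_BOOL is the kernel's symbol
# name for what the post writes as CONFIG_CMDLINE_BOOLEAN.
EFI_OPTS="CONFIG_EFI CONFIG_EFI_STUB CONFIG_EFI_PARTITION CONFIG_EFIVAR_FS
CONFIG_FB_EFI CONFIG_FRAMEBUFFER_CONSOLE CONFIG_RELOCATABLE CONFIG_CMDLINE_BOOL"
# Assumption: drivers needed to reach an ext4 root on a SATA disk.
BOOT_DRIVERS=${BOOT_DRIVERS:-"CONFIG_SATA_AHCI CONFIG_BLK_DEV_SD CONFIG_EXT4_FS"}

# Print an option's value: y, m, a quoted string, or n when unset or absent
# ("# CONFIG_X is not set" lines do not match the pattern and yield n).
cfg_state() {  # usage: cfg_state FILE OPTION
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${val:-n}"
}

# Print one FAIL line per problem; return non-zero if any was found.
check_efistub_config() {  # usage: check_efistub_config FILE
    file=$1
    problems=0
    # With no initramfs nothing can load a module before root is mounted,
    # so every option here, boot-critical drivers included, must be =y.
    for opt in $EFI_OPTS $BOOT_DRIVERS; do
        st=$(cfg_state "$file" "$opt")
        [ "$st" = y ] && continue
        echo "FAIL $opt=$st (must be built in, =y)"
        problems=$((problems + 1))
    done
    # The embedded command line must name a root device.
    case $(cfg_state "$file" CONFIG_CMDLINE) in
        *root=/dev/[a-z]*) ;;
        *) echo "FAIL CONFIG_CMDLINE has no root=/dev/<partition>"
           problems=$((problems + 1)) ;;
    esac
    [ "$problems" -eq 0 ]
}

# Constructed sample reproducing the thread's failure: ahci built as a module.
sample_config() {
    cat <<'EOF'
CONFIG_EFI=y
CONFIG_EFI_STUB=y
CONFIG_EFI_PARTITION=y
CONFIG_EFIVAR_FS=y
# CONFIG_EFI_VARS is not set
CONFIG_FB_EFI=y
CONFIG_FRAMEBUFFER_CONSOLE=y
CONFIG_RELOCATABLE=y
CONFIG_CMDLINE_BOOL=y
CONFIG_CMDLINE="root=/dev/sda3"
CONFIG_SATA_AHCI=m
CONFIG_BLK_DEV_SD=y
CONFIG_EXT4_FS=y
EOF
}

tmp=$(mktemp); sample_config > "$tmp"
check_efistub_config "$tmp" || echo "not bootable via the EFI stub as configured"
rm -f "$tmp"
```

Run `check_efistub_config` against the real `.config` in the kernel source tree before copying the built image to the EFI partition.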