08.12.2016 20:34, Andrei Borzenkov wrote:
> 08.12.2016 18:50, Giovanni Santini wrote:
>> On 08/12/2016 15:05, Andrei Borzenkov wrote:
>>>
>>> Well, I do not know about Arch, but Ubuntu is using patch similar to
>>> openSUSE, which means - it REQUIRES shim. Patch replaces default
>>> chainloader command with one that calls shim and fails if it cannot do
>>> it. It should have provided additional one, chainloaderefi similar to
>>> linuxefi, instead.
>>>
>>
>> I see...
>> From what I know, shim is not provided by ArchLinux. The suggested way
>> for Secure Boot is to use Linux Foundation PreLoader and HashTool.
>> From our discussion, I understood that using PreLoader doesn't involve
>> running it again.
>> So, the only needed thing to fix is the 'chainloader' command so that it
>> can read UEFI binaries even under Secure Boot (or provide a new one like
>> 'chainloaderefi'), if I understood correctly.
>
> If you are using Linux Foundation chainloader I expect normal GRUB
> chainloader command to work. Do you have pointers to preloader binary
> you are using? I am actually interested in testing it as alternate way
> of providing secure boot support in GRUB.
>
>> Not sure else how to make PreLoader load other UEFI files else, as it
>> tries automatically to load the binary called 'loader.efi'.
>>
>
> You should only need to load main GRUB binary. Do you have pointers to
> Arch package and patches it uses?
>
I tested LF preloader in QEMU using OVMF with MS keys (extracted from
openSUSE package), preloader from this link
http://blog.hansenpartnership.com/linux-foundation-secure-boot-system-released/,
bootmgfw.efi and current grub git.

I created standalone GRUB binary using grub-mkstandalone (simply to avoid
need to install it on loop device), copied PreLoader as \EFI\BOOT\BOOTX64.EFI,
HashTool.EFI and grub binary as \EFI\BOOT\loader.efi. Started emulation, got
prompt from PreLoader, enrolled grub^Wloader.efi hash, rebooted into GRUB CLI
and successfully booted into bootmgfw.efi using

set root=hd0
chainloader \efi\boot\bootmgfw.efi
boot

Of course I was greeted by error screen but this is different story.

So I can confirm that vanilla grub under LF preloader is capable of
launching signed EFI executable.

_______________________________________________
Help-grub mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/help-grub
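The test setup described in the post above, written out as a repeatable script. This is an added example, not the poster's or the GRUB project's code. It assumes the caller supplies PreLoader.efi, HashTool.efi, a Microsoft-signed bootmgfw.efi and an OVMF code/vars pair (the PRELOADER, HASHTOOL, BOOTMGFW, OVMF_CODE and OVMF_VARS variables are assumptions), and that the vars file is a copy with Secure Boot enabled and the Microsoft keys already in db, as the post did with the keys from the openSUSE package. The file names under EFI/BOOT are the ones the post used; the grub.cfg menu entry replaces the commands the poster typed at the CLI.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post: scripts the PreLoader +
# HashTool + standalone GRUB test on an ESP booted under OVMF in QEMU.
# Assumptions (not from the post): PRELOADER, HASHTOOL, BOOTMGFW, OVMF_CODE and
# OVMF_VARS are paths set by the caller; OVMF_VARS is a writable copy that
# already has Secure Boot enabled with the Microsoft keys enrolled in db.
set -eu

# Build a standalone GRUB image (all modules in an embedded memdisk) carrying
# the given grub.cfg, so nothing has to be installed on a loop device.
make_standalone_grub() {
    cfg="$1"; out="$2"
    grub-mkstandalone -O x86_64-efi -o "$out" "boot/grub/grub.cfg=$cfg"
}

# grub.cfg that chainloads the signed Windows boot manager, as in the post.
# PreLoader installs a security policy override before it starts loader.efi,
# so binaries whose hash was enrolled in HashTool load with Secure Boot on,
# while bootmgfw.efi is accepted by the firmware through the Microsoft db key.
# The stock chainloader command is therefore enough; no chainloaderefi needed.
write_grub_cfg() {
    cat > "$1" <<'EOF'
set timeout=5
menuentry 'bootmgfw.efi via chainloader (PreLoader)' {
    search --no-floppy --file --set=root /EFI/BOOT/loader.efi
    chainloader /EFI/BOOT/bootmgfw.efi
}
EOF
}

# Lay the ESP out exactly as the post did: PreLoader at the firmware's default
# path, HashTool beside it, and GRUB under the fixed name PreLoader looks for.
lay_out_esp() {
    esp="$1"; preloader="$2"; hashtool="$3"; grub="$4"; bootmgfw="$5"
    mkdir -p "$esp/EFI/BOOT"
    cp "$preloader" "$esp/EFI/BOOT/BOOTX64.EFI"   # what the firmware runs first
    cp "$hashtool"  "$esp/EFI/BOOT/HashTool.efi"  # PreLoader starts this to enrol a hash
    cp "$grub"      "$esp/EFI/BOOT/loader.efi"    # the only name PreLoader will load
    cp "$bootmgfw"  "$esp/EFI/BOOT/bootmgfw.efi"  # target of the chainloader test
}

# Returns 0 only if every non-empty file the boot chain needs is in place.
check_layout() {
    for f in BOOTX64.EFI HashTool.efi loader.efi bootmgfw.efi; do
        [ -s "$1/EFI/BOOT/$f" ] || return 1
    done
    return 0
}

# Boot the directory as a FAT ESP under OVMF. The vars file is writable so the
# hash enrolled through HashTool (MokList) survives the reboot into GRUB.
run_qemu() {
    esp="$1"
    qemu-system-x86_64 -machine q35 -m 1024 \
        -drive if=pflash,format=raw,readonly=on,file="$OVMF_CODE" \
        -drive if=pflash,format=raw,file="$OVMF_VARS" \
        -drive format=raw,file="fat:rw:$esp"
}

main() {
    work=$(mktemp -d)
    write_grub_cfg "$work/grub.cfg"
    make_standalone_grub "$work/grub.cfg" "$work/grub-standalone.efi"
    lay_out_esp "$work/esp" "$PRELOADER" "$HASHTOOL" "$work/grub-standalone.efi" "$BOOTMGFW"
    check_layout "$work/esp"
    run_qemu "$work/esp"
}

# Only run the full flow when asked (PRELOADER_DEMO=1), so the functions can
# be sourced and exercised on their own without the external tools present.
if [ "${PRELOADER_DEMO:-0}" = 1 ]; then
    main
fi
```

The result only means something if the firmware was really enforcing: before trusting a successful chainload, confirm Secure Boot is on in the OVMF vars copy (from a Linux guest, `mokutil --sb-state`), and check that PreLoader refuses loader.efi until its hash has been enrolled, otherwise the test would pass just as well with verification disabled.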
