On 11/27/2013 11:14 AM, Rob Taylor wrote:
> Hi Dan,
> I was wondering how it was going with secure boot and LFS?
>
> I have reached the 6.48. GRUB-2.00 stage of my re-build of LFS 7.4
> using my new scripts and wrappers.
>
> For this stage, since I already have secure boot disabled and am
> booting the traditional way, I think I will
> just follow the LFS book. But you have inspired me to look into this
> issue. I may develop a system to enable
> booting from either the BIOS or the Unified Extensible Firmware
> Interface, depending on what the computer has.
>
> I do not recall if one of the references you mentioned included this link?
> http://www.rodsbooks.com/efi-bootloaders/secureboot.html
>
> It shows a couple of different ways to sign your own binaries etc.

I've been caught up in getting X to work in my new build and haven't kept up on my correspondence. All is great so I can get back to my testing with UEFI. I might have to do another LFS build to do that, however, because my current one has more stuff on it than needed for a "minimal" effort. For example, before I learned about efivarfs, I installed gummiboot. I really like it.

If you install GRUB2 in "BIOS Mode," it will write its images to the "MBR Protected Layer" of your disk. I do not know how to remove it from there once you change your mind. It might even interfere with your UEFI testing.

My recommendation, if it fits your purposes and while you are experimenting, is to use the efi-stubs on the kernel and use efibootmgr to make an entry in your system boot manager.

And, yes, I'm familiar with the information in "rodsbooks." I refreshed my memory on that particular page. With what I have found and the speed with which all this stuff is evolving, that page might be a little dated. I'm sure it will work, but I think there is an "up and coming" application so that you don't have to depend on someone else's key and some distro's "shim" file.

I encourage you to search for and find "efitools." I think the current version is 1.4, which was published just in March. In it is the ability to edit the EFI variables, including the secure ones. If I read the supporting documentation correctly, you can generate your own key and register it with the firmware. I think that's going to be the way to get GRUB2 to work.

I think that the situation now is that GRUB2 does a great job at being a boot loader--as it always has. To maintain its capabilities it needs to morph to a boot manager too.

I'm almost finished with my write-up on getting LFS to boot with the kernel efi-stubs.

@Rob--I didn't know if you intended this for off-list or not, so you're going to get two.

Dan
