From: Mat Troi
Subject: Re: Replacement for search_fsuuid in grub-signed for UEFI Secure Boot
Date: Fri, 4 Dec 2015 23:01:14 -0800
05.12.2015 06:25, Mat Troi wrote:
> Hi,
>
> Sorry if the info I gave is vague, I am trying to learn how Secure
> Boot would work with GRUB2. I am not sure how much information is appropriate,
> but here goes:
>
> On my EFI installed system, grub is built with embedded load.cfg, load.cfg
> has the following content:
> search.fs_uuid 123f09d21237f123 root
> set prefix=($root)/boot/grub/efi
>
> From what I read in the manual, this will set up the root and prefix during
> booting.
>
> So for Secure Boot, I need to make a signed GRUB2. The signed GRUB2 needs
> to be generic because it is only signed once in production.
If you will sign it yourself, what prevents you from signing it every time?
> So this means
> I cannot embed a configuration file with UUID number as the UUID changes
> per system installation.
>
Distributions solve it by making the signed image use a config file in the
same directory the image was loaded from; this config file can then be
changed for each system as it is not part of the image itself.
> You mention "unique name". Is there any way I can create the name myself?
The `touch' command comes to mind :)
> Is there any way I can use uuid with "hint"?
>
No. How would it be useful anyway?
> How to hardcode partition number?
>
Set prefix to something like
(,gpt15)/boot/grub
Disk part will be filled at run time with disk name GRUB was booted from
(i.e. where ESP is located) resulting in e.g.
(hd2,gpt15)/boot/grub
Of course it works only if ESP is located on the same disk as GRUB
prefix. Or you can simply install full grub on ESP and always have it
available.
> Thanks,
> Mat
>
> On Thursday, December 3, 2015, Andrei Borzenkov <address@hidden> wrote:
>
>> On Fri, Dec 4, 2015 at 7:27 AM, Mat Troi <address@hidden> wrote:
>>> I am building the signed grub myself. I guess the question is how to search
>>> for the root device without using uuid? I tried search.fs_label grub root
>>> and the system returns error: no such device: grub.
>>>
>>
>> Well, you can find only what is available. As you do not provide any
>> information about your environment and configuration I can only guess
>> that no filesystem accessible to GRUB has label "grub".
>>
>> If not UUID, you can search by label or can search for a specific file
>> name. That is what grub-install does anyway if UUIDs are not reliable
>> - it creates a file with a unique name and searches for it.
>>
>> Or you can simply hardcode partition number.
>>
>> But I guess all of the above was already known, in which case you had better
>> ask the real question you want to know :)
>>
>>>
>>> On Thursday, December 3, 2015, Andrei Borzenkov <address@hidden> wrote:
>>>>
>>>> 03.12.2015 22:59, Mat Troi wrote:
>>>>> Hi,
>>>>>
>>>>> If using signed grub for Secure Boot, I cannot use search_fsuuid in the
>>>>> configuration for grub as the uuid is different. Is there a way to write a
>>>>> configuration that will let me find the current UEFI boot and set that as
>>>>> root? Or is there a way to set root not using search_fsuuid?
>>>>>
>>>>
>>>> It is really the question to your distribution - what it put into signed
>>>> GRUB image. But those distributions I am aware of include `search'
>>>> command ...
>>
>
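
An added example, not part of the original message or of any distribution's shipped files: a generic embedded config for a signed image that avoids a per-system UUID by using the two approaches discussed in the thread, a config file next to the loaded image and a search for a uniquely named file. The marker file name is a constructed placeholder, and the sketch assumes the `search`, `test` and `configfile` commands are built into the signed image and that the firmware reports the image path in `$cmdpath`.

```grub
# Generic embedded config: contains nothing specific to one installation,
# so the image it is built into can be signed once.

# Approach 1: per-system grub.cfg stored beside the signed image on the ESP.
# $cmdpath is set by GRUB at startup to the location the image was loaded
# from (for example (hd0,gpt1)/EFI/BOOT); some platforms report only the
# device, in which case this test fails and approach 2 is tried.
if [ -s "$cmdpath/grub.cfg" ]; then
    configfile "$cmdpath/grub.cfg"

# Approach 2: locate the boot filesystem by a uniquely named file
# (created once at install time, e.g. with touch) instead of by UUID.
# /boot/grub/marker-EXAMPLE is a placeholder name for this example.
elif search --no-floppy --file --set=root /boot/grub/marker-EXAMPLE; then
    set prefix=($root)/boot/grub
    configfile "$prefix/grub.cfg"

else
    # Neither location was found; report it rather than failing silently.
    echo "no grub.cfg found beside the image or via the marker file"
fi
```

Under Secure Boot the signature covers only the image and this embedded config; the external grub.cfg it loads is not covered by that signature, so its integrity has to be protected separately.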