help-grub

Re: Replacement for search_fsuuid in grub-signed for UEFI Secure Boot


From: Mat Troi
Subject: Re: Replacement for search_fsuuid in grub-signed for UEFI Secure Boot
Date: Sat, 5 Dec 2015 09:12:17 -0800

On Fri, Dec 4, 2015 at 11:21 PM, Andrei Borzenkov <address@hidden> wrote:
05.12.2015 10:01, Mat Troi wrote:
> On Fri, Dec 4, 2015 at 10:23 PM, Andrei Borzenkov <address@hidden> wrote:
>
>> 05.12.2015 06:25, Mat Troi wrote:
>>> Hi,
>>>
>>> Sorry if the info I gave is vague, I am trying to learn how Secure
>>> Boot would work with GRUB2.  I am not sure how much information is
>>> appropriate, but here goes:
>>>
>>> On my EFI installed system, grub is built with an embedded load.cfg;
>>> load.cfg has the following content:
>>> search.fs_uuid 123f09d21237f123 root
>>> set prefix=($root)/boot/grub/efi
>>>
>>> From what I read in the manual, this will set up the root and prefix
>>> during booting.
>>>
>>> So for Secure Boot, I need to make a signed GRUB2.  The signed GRUB2
>>> needs to be generic because it is only signed once in production.
>>
>> If you will sign it yourself, what prevents you from signing it every time?
>>
> Because it is only signed one time on a special server and then that one
> copy will be given out to users.  It would be a lot of work to have to sign
> every copy of GRUB2 every time.
>
>>
>>>  So this means
>>> I cannot embed a configuration file with UUID number as the UUID changes
>>> per system installation.
>>>
>>
>> Distributions solve it by making the signed image use a config file in the
>> same directory the image was loaded from; this config file can then be
>> changed for each system as it is not part of the image itself.
>>
> I am confused.  So do you mean distributions make an image without the
> config file, sign the image, then place it in the same directory as the
> config file?  If so, how to tell the image to use the config file in the
> same directory?
>

Did you try looking at how Fedora, Debian, Ubuntu and openSUSE create
it? Or do you have specific reasons to reinvent the wheel? :)

But anyway, in EFI a loaded image can ask the firmware about the path it was
loaded from. If the GRUB prefix is empty at startup, it will be set to this
path. Otherwise it will be available as the $cmdpath variable.

I looked at Ubuntu, and it has this for building the bootloader.

"$grub_mkimage" -O "$platform" -o "$outdir/grub$efi_name.efi" \
        -d "$grub_core" $GRUB_MODULES

There is no embedded configuration file in their grub-mkimage above.  I installed Ubuntu to get information about the grub.cfg and it looks like on Ubuntu the grub.cfg and grubx64.efi live in the same location.  On our system, grubx64.efi lives in the ESP, and grub.cfg lives in the partition.  grubx64.efi is built with an embedded configuration, and the embedded configuration has the UUID info and sets the root and prefix.  For the secured bootloader image, that information won't be available to me so I need a way to find and set root somehow.

This is what I am seeing on our system currently:
grub> echo $cmdpath

grub> echo $root
hd1,gpt1
grub> ls ($root)/
efi/

Looks like $cmdpath is empty and $root is pointing to the ESP, since grubx64.efi lives in the ESP.


>>> You mention "unique name".  Is there any way I can create the name myself?
>>
>> `touch' command comes to mind :)
>>
> Duh, I mis-read your comment ;)  So if I create a unique file, how do I
> search for it?  Can I name it myself or grub will name it?
>

search --file

>>
>>> How to hardcode partition number?
>>>
>>
>> Set prefix to something like
>>
>> (,gpt15)/boot/grub
>>
> Silly question - do I have to have the (,gpt15)?  Can I just set prefix to
> "/boot/grub"?
>

In this case the disk part will be set to the partition GRUB was loaded from.
Sorry, now I have to ask - do you know how EFI boot works?

I am a beginner with EFI; what I have learned so far is that when the system boots the UEFI entry, it boots the bootloader from the specific partition on the specific disk indicated in the UEFI boot entry.  Is that incorrect?  Now I just learned "disk part will be set to partition GRUB was loaded from", thanks :)

Is it one ESP per disk or that would depend on the distribution?

>>
>> The disk part will be filled in at run time with the disk name GRUB was
>> booted from (i.e. where the ESP is located), resulting in e.g.
>>
>> (hd2,gpt15)/boot/grub
>>
>> Of course it works only if the ESP is located on the same disk as the GRUB
>> prefix. Or you can simply install full grub on the ESP and always have it
>> available.
>>
> I did not know there is full grub and partial grub.  What is the difference
> and how do I tell what I currently have on my system?


Sorry, where have I written anything about "full" or "partial" GRUB?

You wrote "Or you can simply install full grub on ESP". Can you clarify?  Do you mean install the GRUB2 image, modules, scripts, config, etc. on the ESP of that disk instead of elsewhere?

So I copied the grub.cfg from the partition to the ESP, so now the ESP has both the signed grubx64.efi and the grub.cfg.  The signed grubx64.efi is built with the embedded config "normal ($root)//efi/oracle/grub.cfg" (using the copied grub.cfg in the ESP), and this seems to work.  Is there a better way to do this?

>
> Thanks.
>
>>
>>> Thanks,
>>> Mat
>>>
>>> On Thursday, December 3, 2015, Andrei Borzenkov <address@hidden> wrote:
>>>
>>>> On Fri, Dec 4, 2015 at 7:27 AM, Mat Troi <address@hidden> wrote:
>>>>> I am building the signed grub myself.  I guess the question is how to
>>>>> search for the root device without using uuid?  I tried search.fs_label grub
>>>>> root and the system returns error: no such device: grub.
>>>>>
>>>>
>>>> Well, you can find only what is available. As you do not provide any
>>>> information about your environment and configuration I can only guess
>>>> that no filesystem accessible to GRUB has label "grub".
>>>>
>>>> If not UUID, you can search by label or can search for a specific file
>>>> name. That is what grub-install does anyway if UUIDs are not reliable
>>>> - it creates a file with a unique name and searches for it.
>>>>
>>>> Or you can simply hardcode partition number.
>>>>
>>>> But I guess all of the above was already known, in which case you had
>>>> better ask the real question you want to know :)
>>>>
>>>>>
>>>>> On Thursday, December 3, 2015, Andrei Borzenkov <address@hidden> wrote:
>>>>>>
>>>>>> 03.12.2015 22:59, Mat Troi wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> If using signed grub for Secure Boot, I cannot use search_fsuuid in the
>>>>>>> configuration for grub as the uuid is different.  Is there a way to
>>>>>>> write a configuration that will let me find the current UEFI boot and
>>>>>>> set that as root?  Or is there a way to set root not using search_fsuuid?
>>>>>>>
>>>>>>
>>>>>> It is really a question for your distribution - what it puts into the
>>>>>> signed GRUB image. But those distributions I am aware of include the
>>>>>> `search' command ...
>>>>
>>>
>>
>>
>
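As an added example, not code from the thread or from any distribution's build scripts: a POSIX shell build script that writes the UUID-free embedded config discussed in this thread (first trying the directory GRUB was loaded from, then falling back to `search --file` on a marker file) and embeds it with `grub-mkimage -c`. The marker path, module list and output name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or any distribution): build one generic
# EFI GRUB image whose embedded early config contains no filesystem UUID, so a
# single signed copy can be handed to every installation.
set -eu

# Constructed placeholders, adjust to your layout before use.
MARKER=/boot/grub/.grub_marker   # unique file the installer drops next to grub.cfg
MODULES="part_gpt fat ext2 search search_fs_file test normal configfile"

# write_load_cfg <file>: write the embedded config, print its line count.
# Strategy, in the order the thread recommends:
#   1. the directory the firmware loaded the image from ($cmdpath, e.g.
#      (hd1,gpt1)/EFI/BOOT) carries a grub.cfg -> use it (distribution layout)
#   2. otherwise locate the partition holding the marker file with `search --file`
# Caveat for (2): the first filesystem carrying the marker wins, so anyone able
# to place that file on an earlier-enumerated partition steers the boot; prefer (1).
write_load_cfg() {
    cat > "$1" <<EOF
if [ -f "\$cmdpath/grub.cfg" ]; then
    set prefix="\$cmdpath"
else
    search --no-floppy --file --set=root $MARKER
    set prefix=(\$root)/boot/grub
fi
normal
EOF
    wc -l < "$1" | tr -d ' '
}

# build_image <outdir> <grub-core-dir> <load.cfg>: the same invocation as the
# Ubuntu snippet quoted in the thread, plus -c to embed the early config.
# No -p is given, so nothing system-specific is baked in and the output can be
# signed once.  $MODULES is intentionally unquoted so it word-splits.
build_image() {
    grub-mkimage -O x86_64-efi -o "$1/grubx64.efi" -d "$2" -c "$3" $MODULES
}

if [ "$#" -eq 2 ]; then          # usage: build.sh <outdir> <grub-core-dir>
    cfg=$(mktemp)
    write_load_cfg "$cfg" >/dev/null
    build_image "$1" "$2" "$cfg"
    rm -f "$cfg"
fi
```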


