Re: Replacement for search_fsuuid in grub-signed for UEFI Secure Boot

From: Mat Troi
Subject: Re: Replacement for search_fsuuid in grub-signed for UEFI Secure Boot
Date: Fri, 4 Dec 2015 23:01:14 -0800

On Fri, Dec 4, 2015 at 10:23 PM, Andrei Borzenkov <address@hidden> wrote:
05.12.2015 06:25, Mat Troi writes:
> Hi,
> Sorry if the info I gave is vague, I am trying to learn how Secure
> Boot would work with GRUB2.  I am not sure how much information is appropriate,
> but here goes:
> On my EFI installed system, grub is built with embedded load.cfg, load.cfg
> has the following content:
> search.fs_uuid 123f09d21237f123 root
> set prefix=($root)/boot/grub/efi
> From what I read in the manual, this will set up the root and prefix during
> booting.
> So for Secure Boot, I need to make a signed GRUB2.  The signed GRUB2 needs
> to be generic because it is only signed once in production.

If you will sign it yourself, what prevents you from signing it every time?
Because it is only signed one time on a special server and then that one copy will be given out to users.  It would be a lot of work to have to sign every copy of GRUB2 every time.

>  So this means
> I cannot embed a configuration file with UUID number as the UUID changes
> per system installation.

Distributions solve it by making signed image to use config file in the
same directory image was loaded from; this config file can then be
changed for each system as it is not part of image itself.
I am confused.  So do you mean distributions make an image without the config file, sign the image, then place it in the same directory as the config file?  If so, how do I tell the image to use the config file in the same directory?
> You mention "unique name".  Is there anyway I can create the name myself?

`touch' command comes in mind :)
Duh, I misread your comment ;)  So if I create a unique file, how do I search for it?  Can I name it myself, or will grub name it?

> Is there anyway I can use uuid with "hint"?

No. How would it be useful anyway?
Never mind, I was reading this post on search with hint and thought it might be useful.

> How to hardcode partition number?

Set prefix to something like

Silly question - do I have to have the (,gpt15)?  Can I just set prefix to "/boot/grub"?

Disk part will be filled at run time with disk name GRUB was booted from
(i.e. where ESP is located) resulting in e.g.


Of course it works only if ESP is located on the same disk as GRUB
prefix. Or you can simply install full grub on ESP and always have it
I did not know there is a full grub and a partial grub.  What is the difference, and how do I tell what I currently have on my system?


> Thanks,
> Mat
> On Thursday, December 3, 2015, Andrei Borzenkov <address@hidden> wrote:
>> On Fri, Dec 4, 2015 at 7:27 AM, Mat Troi <address@hidden> wrote:
>>> I am building the signed grub myself.  I guess the question is how to
>>> search for the root device without using uuid?  I tried search.fs_label grub
>>> root and the system returns error: no such device: grub.
>> Well, you can find only what is available. As you do not provide any
>> information about your environment and configuration I can only guess
>> that no filesystem accessible to GRUB has label "grub".
>> If not UUID, you can search by label or can search for specific file
>> name. That is what grub-install does anyway if UUIDs are not reliable
>> - it creates file with unique name and searches for it.
>> Or you can simply hardcode partition number.
>> But I guess all the above was already known, in which case you are better
>> off asking the real question you want to know :)
>>> On Thursday, December 3, 2015, Andrei Borzenkov <address@hidden> wrote:
>>>> 03.12.2015 22:59, Mat Troi writes:
>>>>> Hi,
>>>>> If using signed grub for Secure Boot, I cannot use search_fsuuid in the
>>>>> configuration for grub as the uuid is different.  Is there a way to
>>>>> write a configuration that will let me find the current UEFI boot and set
>>>>> that as root?  Or is there a way to set root not using search_fsuuid?
>>>> It is really a question for your distribution - what it put into the signed
>>>> GRUB image. But those distributions I am aware of include the `search'
>>>> command ...
