Re: Replacement for search_fsuuid in grub-signed for UEFI Secure Boot

[Andrei Borzenkov]

05.12.2015 20:12, Mat Troi пишет:
> On Fri, Dec 4, 2015 at 11:21 PM, Andrei Borzenkov <address@hidden>
> wrote:
> 
>> 05.12.2015 10:01, Mat Troi пишет:
>>> On Fri, Dec 4, 2015 at 10:23 PM, Andrei Borzenkov <address@hidden>
>>> wrote:
>>>
>>>> 05.12.2015 06:25, Mat Troi пишет:
>>>>> Hi,
>>>>>
>>>>> Sorry if the info I gave is vague, I am trying to learn how would
>> Secure
>>>>> Boot work with GRUB2.  I am not sure how much information is
>> appropriate,
>>>>> but here goes:
>>>>>
>>>>> On my EFI installed system, grub is built with embedded load.cfg,
>>>> load.cfg
>>>>> has the following content:
>>>>> search.fs_uuid 123f09d21237f123 root
>>>>> set prefix=($root)/boot/grub/efi
>>>>>
>>>>> From what I read in the manual, this will set up the root and prefix
>>>> during
>>>>> booting.
>>>>>
>>>>> So for Secure Boot, I need to make a signed GRUB2.  The signed GRUB2
>>>> needs
>>>>> to be generic because it is only signed once in production.
>>>>
>>>> If you will sign it yourself, what prevents you from signing it every
>> time?
>>>>
>>> Because it is only signed one time on a special server and then that one
>>> copy will be given out to users.  It would be a lot of work to have to
>> sign
>>> every copy of GRUB2 every time.
>>>
>>>>
>>>>>  So this means
>>>>> I cannot embed a configuration file with UUID number as the UUID
>> changes
>>>>> per system installation.
>>>>>
>>>>
>>>> Distributions solve it by making signed image to use config file in the
>>>> same directory image was loaded from; this config file can then be
>>>> changed for each system as it is not part of image itself.
>>>>
>>> I am confused.  So do you mean distributions make an image without the
>>> config file, sign the image, then place it in the same directory as the
>>> config file?  If so, how to tell the image to use the config file in the
>>> same directory?
>>>
>>
>> Did you try to look at Fedora, Debian, Ubuntu, openSUSE how they create
>> it? Or do you have specific reasons to reinvent the wheel? :)
>>
>> But anyway, in EFI loaded image can ask firmware about path it was
>> loaded from. If GRUB prefix is empty at startup, it will be set to this
>> path. Otherwise it will be available as $cmdpath variable.
>>
> I looked at Ubuntu, and it has this for building the bootloader.
> 
> "$grub_mkimage" -O "$platform" -o "$outdir/grub$efi_name.efi" \
>         -d "$grub_core" $GRUB_MODULES
> 
> There is no embedded configuration file in their grub-mkimage above.  I
> installed ubuntu to get information about the grub.cfg and it looks like on
> ubuntu the grub.cfg and grubx64.efi lives in the same location.  On our
> system, grubx64.efi lives in the esp, and grub.cfg lives in the partition.

Same in Ubuntu.

> grubx64.efi is built with an embedded configuration, and the embedded
> configuration has the UUID info and sets the root and prefix.  For the
> secured bootloader image, that information won't be available to me so I
> need a way to find and set root somehow.
> 

You misunderstand. grub.cfg in ESP exists only to find "other" grub.cfg.
It exists in ESP because it is the only location that is guaranteed to
be known to GRUB when it is loaded.

Look at any Linux with secure boot and grub2 at the content of grub.cfg
in ESP. Take some time to actually learn how bootloader configuration is
done in this case.

> This is what I am seeing on our system currently:
> grub> echo $cmdpath
> 
> grub> echo $root
> hd1,gpt1
> grub> ls ($root)/
> efi/
> 
> Looks like $cmdpath is empty and $root is pointing to the ESP, since
> grubx64.efi lives in the ESP.
> 

I hoped your grub is not *that* old.

> 
>>>>> You mention "unique name".  Is there anyway I can create the name
>> myself?
>>>>
>>>> `touch' command comes in mind :)
>>>>
>>> Duh, I mis-read your comment ;)  So if I create a unique file, how do I
>>> search for it?  Can I name it myself or grub will name it?
>>>
>>
>> search --file
>>
>>>>
>>>>> How to hardcode partition number?
>>>>>
>>>>
>>>> Set prefix to something like
>>>>
>>>> (,gpt15)/boot/grub
>>>>
>>> Silly question - do I have to have the (,gpt15)?  Can I just set prefix
>> to
>>> "/boot/grub"?
>>>
>>
>> In this case disk part will be set to partition GRUB was loaded from.
>> Sorry, now I have to ask - do you know how EFI boot works?
>>
> I am a beginner with EFI, what I learned so far is when the system boots
> the UEFI entry, the system boots the bootloader from the specific partition
> on the specific disk as indicated in the UEFI boot entry.  Is that
> incorrect?  Now I just learned "disk part will be set to partition GRUB was
> loaded from"  thanks :)
> 

GRUB must know its $root and $prefix. It always tries to detect them
when booted. Drive part is usually present on all platforms. Partition
may not be available (e.g. BIOS has not standard way to pass this
information). Even less platforms provide path to binary (EFI and
probably Open Boot).

> Is it one ESP per disk or that would depend on the distribution?
> 

Distributions are using whatever you have mounted on /boot/efi. Usually
one ESP is used, but nothing in EFI itself prohibits having more than one.

>>
>>>>
>>>> Disk part will be filled at run time with disk name GRUB was booted from
>>>> (i.e. where ESP is located) resulting in e.g.
>>>>
>>>> (hd2,gpt15)/boot/grub
>>>>
>>>> Of course it works only if ESP is located on the same disk as GRUB
>>>> prefix. Or you can simply install full grub on ESP and always have it
>>>> available.
>>>>
>>> I did not know there is full grub and partial grub.  What is the
>> different
>>> and how to tell what I currently have on my system?
>>
>>
>> Sorry, where have I wrote anything about "full" or "partial" GRUB?
>>
> You wrote "Or you can simply install full grub on ESP". Can you clarify?
> Do you mean install GRUB2 image, modules, scripts, config, etc. on the ESP
> of that disk instead of elsewhere?
> 

Yes, exactly. If you have GRUB binary under \EFI\mat\grubx64.efi, then -
unless you set something different when creating image - $prefix will by
default point to \EFI\mat and you just need to have grub.cfg there. You
can also install modules under \EFI\mat\x86_64-efi, you can install
themes under \EFI\mat\themes etc.

Although note that common patches to enable secure boot in grub2 disable
external modules loading as security measure.

> So I copied the grub.cfg from the partition to the ESP, so now the ESP has
> both the signed grubx64.efi.  The signed grubx64.efi is built with embedded
> config "normal ($root)//efi/oracle/grub.cfg" (using the copied grub.cfg in
> the ESP), and this seems to work, is there a better way to do this?
> 

As I already told you your grub.cfg in ESP can find your "main"
partition and load config file from there. That is what all distros do.
But they do it mostly to not have special EFI case, so bootloader
configuration just needs to care about single location. If you do
everything from scratch and manually, having ESP as standard place is
just as good.