[Feature Request] GRUB 2.04 for PBA? #301
Comments
|
I'm currently working through the process of updating the buildroot part of buildpbaroot to use a more recent buildroot target/version (currently 2017.05.1, I'm trying as a first step to get to 2018.08.4). My first need is to try to fix or workaround an issue specific to Dell Optiplex XE2 (loses USB after booting the current 4.11 kernel in linuxpba-UEFI64 ) so I'm trying to get to a newer 4.14 LTS or 4.19 LTS Linux kernel. Once that's done, though, one of my other "next needs" is Secure Boot support, and I agree that GRUB 2.x is probably a better way to get there than current syslinux 6.0.3 from 2014. (Supporting data at this page https://www.rodsbooks.com/efi-bootloaders/syslinux.html - basically even if a syslinux binary gets signed to be bootable by Secure Boot it won't correctly pass things along to the kernel.) The bad news is that right now DTA/r0m30 don't seem to be actively maintaining the code so feel free to jump in and start trying to test/integrate new features... |
|
Thanks for input!
Yepp, already saw that. But it looks like the issue tracker here is still beeing used as some sort of communication platform. @ckamm and @ladar seem to have quite advanced forks.
I wasn't aware of them, thanks for the links! |
|
I just created an issue regarding the @ckamm fork and others. They are mostly undocumented, the initialization process is not properly detailed, and there are other potential issues. I would suggest not using or basing your work on them until that is resolved. They lack both wikis and issue trackers, and this is the wrong place for people to come reporting problems with those forks. |
|
@ladar's fork actually ameliorates this, so I would suggest using that if he has documented the changes applied. |
|
Two updates:
Since I needed a UEFI64 Rescue ISO anyway, I decided to use the ISO as a proof-of-concept for UEFI bootable grub-2.04 that might also support Secure Boot without additional signing or certs for the average user. However, I've not been able (yet) to fully test the Secure Boot support. |
Secure Boot Available NowIf you are on a supported Linux distribution and you have installed Grub 2 with UEFI, you're probably just four easy steps away from a fully functional PBA supporting secure boot via Grub 2 (and more):
You should be good to go! If you happen to be on Ubuntu and if you'd use my latest pull request (to be merged shortly), you'd also get a nice graphical user interface for disk unlocking. Here is a User Guide for the TCG Opal 2 support in ReaR. Ah, and of course you'll get a fully featured disaster recovery system as well, since this is what ReaR is about. |
|
Hi, |
|
@MrPumo |
|
Ok. Solved.. I wrongly pushed ISO to usb instead of RAW. Following your linked instruction it means is no more need to include in local.conf |
|
If I remember correctly, you still need |
|
well... I've not such entry and rescue properly generate a secureboot signed PBA..
|
|
Will look at this, too. Thanks for the hint. Good to hear that it finally works for you. Enjoy! |
|
Hi, I'm sorry.. I was wrong. As you told you have to add etc/rear/local.conf also |
|
OK, thanks for the feedback! |
|
Continued here: rear/rear#2511 |
Improved TCG Opal 2 documentation doc/user-guide/13-tcg-opal-support.adoc cf. #2511 Better explained OS installation according to the suggestion in Drive-Trust-Alliance/sedutil#301 (comment) Additionally some information from an article on Ask Ubuntu are included https://askubuntu.com/a/1271171/1120528
|
Continuing this concept, was anyone able to create a non-rear bootloader with Grub to load sedutil (with secure boot enabled). |
|
This is ReaR. Probably not the right place to ask for non-ReaR stuff. |
|
@OliverO2 this is the sedutil issues section (not rear). |
|
@ChubbyAnt Ah, sorry, my fault. As far as I am aware, ReaR is currently the only solution available for unlocking SEDs in conjunction with Secure Boot and will probably remain so for some time. This is probably due to the fact that you need
Ready-made low-footprint Linux distributions such as TinyCore or Alpine lack Secure Boot support. Full-blown distributions need to be stripped down properly, which is what ReaR does. |
|
Reading the thread above, it looks like people were working on either using Grub or rear as a bootloader template to then directly load sedutil. Curious if there was any success on those projects. |
|
Hmm, I'm the one who created the ReaR PBA stuff. ReaR is a disaster recovery tool, which creates a bootable medium from a stripped-down version of your normal Linux distribution. You cannot directly execute sedutil from Grub. sedutil needs a proper operating system to run on, with disk device support, console output support, keyboard support, etc. |
|
@OliverO2 in the rear PBA aren't you just masking commands to sedutil-cli to use sedutil to unlock the SED? Can't we just strip out all of the rear stuff and let sedutil-cli stand on its own (unmasked) using the rear bootloader (to take advantage of the rear secure boot capability)? |
|
That's a gross misconception. There is no "ReaR bootloader". For Secure Boot, Grub 2 is used, which then boots up a Linux kernel, which acts as a platform to run
|
|
i cant able to copy PBA image in my Linux system (Ubuntu 18.0). i have already given all the permission to it but no success. Is there any dependency file for PBA image |
|
Have you tried using Sudo? Sometimes I've run into issues as well and Sudo has fixed them. I think it's probably related to the partition being an ESP.  |
Hi,
in GRUB 2.04 changelog, the following caught my attention:
If SYSLINUX in PBA would be replaced by GRUB 2.04, would UEFI Secure Boot be a possibility? Also, it looks like there is a TPM driver now. Maybe PR #86 could benefit from this.
Any thoughts?
Source: https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.04&id=2a2e10c1b39672de3d5da037a50d5c371f49b40d
The text was updated successfully, but these errors were encountered: