All times are UTC - 4
Linux Foundation UEFI Secure Boot System for Open Source
Moderators: Flash, JohnMurga
Page 1 of 2 [19 Posts]
Dingo


Joined: 11 Dec 2007
Posts: 1415
Location: somewhere at the end of rainbow...

PostPosted: Fri 12 Oct 2012, 08:28    Post subject:  Linux Foundation UEFI Secure Boot System for Open Source
Subject description: how can this be applied to puppy?
 

Today I read that Linux Foundation found the way to bypass the EVIL UEFI

http://www.linuxfoundation.org/news-media/blogs/browse/2012/10/linux-foundation-uefi-secure-boot-system-open-source

but, concretely, how can this be applied to Puppy? E.g. if I want to boot my good old BELOVED Cool Puppy 3.01 from live cd on a pc with the EVIL UEFI, am I constrained to look for a way to disable UEFI manually, or can I use this workaround in some way?

_________________
replace .co.cc with .info to get access to stuff I posted in forum
dropbox 2GB free
OpenOffice for Puppy Linux
akash_rawal

Joined: 25 Aug 2010
Posts: 232
Location: ISM Dhanbad, Jharkhand, India

PostPosted: Sun 14 Oct 2012, 08:27    Post subject:  

I don't know much about uefi, other than its evil 'restricted boot' which is so much talked about.

Cloned the repository and tried to build it anyways:
Code:

# git clone git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git
Cloning into efitools...
remote: Counting objects: 321, done.
remote: Compressing objects: 100% (320/320), done.
remote: Total 321 (delta 203), reused 0 (delta 0)
Receiving objects: 100% (321/321), 83.79 KiB | 7 KiB/s, done.
Resolving deltas: 100% (203/203), done.
# cd efitools/
# make
cc -I/initrd/mnt/dev_save/Documents/akash/software/boot/uefi_secure_boot_system/efitools/include/ -I/usr/include/efi -I/usr/include/efi/i686 -I/usr/include/efi/protocol -O2 -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -mno-red-zone -fno-stack-protector -DCONFIG_i686 -c HelloWorld.c -o HelloWorld.o
HelloWorld.c:5:17: fatal error: efi.h: No such file or directory
compilation terminated.
make: *** [HelloWorld.o] Error 1
#

but without success. Does anyone know what sort of development libs we need?

btw I myself don't know what I was doing, I have no idea what I will do with built binaries if I ever succeed, just hoping to learn on the way.

I have no devices to test, I'm hoping to find an emulator again.
nooby

Joined: 29 Jun 2008
Posts: 10557
Location: SwedenEurope

PostPosted: Sun 14 Oct 2012, 09:08    Post subject:  

This blog tries to explain options?
http://blog.hansenpartnership.com/linux-foundation-uefi-secure-boot-system-for-open-source/

Lot of links in it and comments of policy and such.

Re hardware one would need to have lists on what new computers
that have implemented this in ways that makes it hard to frugal install
Puppy on it or even to start up a CD/DVD?

One can not expect the Devs of Puppy to buy each new computer
so we need volunteers that visit friends with brand new computers
and them taking a DVD and USB with frugal Puppy on it and
boot and report what the screen give error message and relate
that to what UEFI version and from which vendor and hardware
company and BIOS used and so on. Sisyphos something

Sad if one buys a new computer for say 500USD only to realise
it is impossible to boot Puppy on it

We have a lot of feedback over here too. UEFI Madness but less structured
http://www.murga-linux.com/puppy/viewtopic.php?t=78695

I have now two old Desktops say 3 years and older and I have
one Laptop from 2005 and one Netbook Asus from 1009?
and two Acer Netbooks from 2010? so all of these are too old
to have UEFI on them.

Re hardware to test on
Having 6 computers already with Puppy on them in working conditions
Sure I have the money but not the motivation to throw them on a new one.

I don't feel like buying anything new unless it is ARM USB things
that cost 50 USD or so but they don't have UEFI, they are locked to
Android most of the time and that one has an HDMI connection
which only my TV set has

_________________
I use Google Search on Puppy Forum
not an ideal solution though
rcrsn51


Joined: 05 Sep 2006
Posts: 9040
Location: Stratford, Ontario

PostPosted: Sun 14 Oct 2012, 09:54    Post subject:  

nooby wrote:
Sad if one buys a new computer for say 500USD only to realise it is impossible to boot Puppy on it


One test you would want to run is here.
Dingo


Joined: 11 Dec 2007
Posts: 1415
Location: somewhere at the end of rainbow...

PostPosted: Sun 14 Oct 2012, 12:06    Post subject:  

akash_rawal wrote:
I don't know much about uefi, other than its evil 'restricted boot' which is so much talked about.

Cloned the repository and tried to build it anyways:
Code:

# git clone git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git
Cloning into efitools...
remote: Counting objects: 321, done.
remote: Compressing objects: 100% (320/320), done.
remote: Total 321 (delta 203), reused 0 (delta 0)
Receiving objects: 100% (321/321), 83.79 KiB | 7 KiB/s, done.
Resolving deltas: 100% (203/203), done.
# cd efitools/
# make
cc -I/initrd/mnt/dev_save/Documents/akash/software/boot/uefi_secure_boot_system/efitools/include/ -I/usr/include/efi -I/usr/include/efi/i686 -I/usr/include/efi/protocol -O2 -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -mno-red-zone -fno-stack-protector -DCONFIG_i686 -c HelloWorld.c -o HelloWorld.o
HelloWorld.c:5:17: fatal error: efi.h: No such file or directory
compilation terminated.
make: *** [HelloWorld.o] Error 1
#

but without success. Does anyone know what sort of development libs we need?


maybe you need this

http://svn.exactcode.de/linux24-psionw/trunk/include/linux/efi.h

nooby

Joined: 29 Jun 2008
Posts: 10557
Location: SwedenEurope

PostPosted: Sun 14 Oct 2012, 16:34    Post subject:  

rcrsn51 wrote:
nooby wrote:
Sad if one buys a new computer for say 500USD only to realise it is impossible to boot Puppy on it


One test you would want to run is here.


Thanks and hopefully it does work
but that Acer G520 is very old machine with Vista on it.
before Ms decided to demand that one can not shut it off?

Did not somebody report on a machine at LinuxQuestions
they failed to get it going on another machine? I am a pessimist.

Much appreciated you linked to that text.

akash_rawal

Joined: 25 Aug 2010
Posts: 232
Location: ISM Dhanbad, Jharkhand, India

PostPosted: Mon 15 Oct 2012, 12:08    Post subject:  

Well I figured out I (most probably) need gnu-efi (http://sourceforge.net/projects/gnu-efi/). Now gnu-efi fails to build.

It looks like some sort of makefile error.

Code:

# make
mkdir -p lib
make -C lib -f ./../lib/Makefile SRCDIR=./../lib ARCH=ia32
make[1]: Entering directory `/initrd/mnt/dev_save/Documents/akash/software/boot/gnu-efi/gnu-efi-3.0/lib'
for sdir in ia32 x86_64 ia64 runtime; do mkdir -p $sdir; done
make[1]: *** No rule to make target `boxdraw.o)', needed by `libefi.a'.  Stop.
make[1]: Leaving directory `/initrd/mnt/dev_save/Documents/akash/software/boot/gnu-efi/gnu-efi-3.0/lib'
make: *** [lib] Error 2
#
pemasu


Joined: 08 Jul 2009
Posts: 5463
Location: Finland

PostPosted: Mon 15 Oct 2012, 14:06    Post subject:  

I test compiled it in debian squeeze based dpup.
Not sure if this stuff has any useful usage, but here it is.....

Attachments:
gnu-efi-0.0.1.tar.gz (gz, 81.93 KB)
gnu-efi-0.0.1.pet (pet, 81.99 KB)
akash_rawal

Joined: 25 Aug 2010
Posts: 232
Location: ISM Dhanbad, Jharkhand, India

PostPosted: Wed 14 Nov 2012, 13:01    Post subject:  

I switched to precise puppy 540 and now I am able to build gnu-efi. But efitools failed to link. I ended up using pemasu's binary and finally had success with it (thanks pemasu).

I modified the makefiles so that it would build in 32-bit systems. I am attaching the modified sources here as well as the final build. I haven't cleaned the sources as I felt some other files might be useful.

You need sbsigntools (git://kernel.ubuntu.com/jk/sbsigntool) if you want to build it yourself. On precise puppy I also installed vim-common, help2man and liblocale-gettext-perl.

According to the readme file, Loader.efi is the bootloader. Quoting the relevant portion of the readme file:
README wrote:

Loader.efi
==========

This EFI binary is created to boot an unsigned EFI file on the platform. Since
this explicitly breaks the security of the platform, it will first check to
see if the boot binary is naturally executable and execute it if it is (either
it's properly signed or the platform isn't in Secure Boot mode). If the
binary gives an EFI_ACCESS_DENIED error meaning it isn't properly signed,
Loader.efi will request present user authorisation before proceeding to boot.

The idea is that Loader.efi may serve as a chain for elilo.efi or another boot
loader on distributed linux live and install CDs and even as the boot loader
for the distribution on the hard disk assuming the user does not wish to take
control of the platform and replace the keys.

To build a secure bootable CD, simply use Loader.efi as the usual
/efi/boot/bootX64.efi and place the usual loader in the same directory as the
file boot.efi.

In order to add further convenience, if the user places the platform in setup
mode and re-runs the loader, it will ask permission to add the signature the
unsigned boot loader, boot.efi, to the authorised signatures database, meaning
Loader.efi will now no longer ask for present user authorisation every time
the system is started.

Attachments:
efitools_i686.tar.bz2 (build, 88.2 KB)
efitools_mod_uncleaned_i686.tar.bz2 (modified and uncleaned source code, 341.25 KB)
einar

Joined: 12 Nov 2010
Posts: 161

PostPosted: Wed 14 Nov 2012, 15:05    Post subject:  

akash_rawal wrote:
I switched to precise puppy 540 and now I am able to build gnu-efi. But efitools failed to link. I ended up using pemasu's binary and finally had success with it (thanks pemasu).

I modified the makefiles so that it would build in 32-bit systems. I am attaching the modified sources here as well as the final build. I haven't cleaned the sources as I felt some other files might be useful.

You need sbsigntools (git://kernel.ubuntu.com/jk/sbsigntool) if you want to build it yourself. On precise puppy I also installed vim-common, help2man and liblocale-gettext-perl.

According to readme file Loader.efi is the bootloader. Quoting the relevant portion of readme file:
README wrote:

Loader.efi
==========

This EFI binary is created to boot an unsigned EFI file on the platform. Since
this explicitly breaks the security of the platform, it will first check to
see if the boot binary is naturally executable and execute it if it is (either
it's properly signed or the platform isn't in Secure Boot mode). If the
binary gives an EFI_ACCESS_DENIED error meaning it isn't properly signed,
Loader.efi will request present user authorisation before proceeding to boot.

The idea is that Loader.efi may serve as a chain for elilo.efi or another boot
loader on distributed linux live and install CDs and even as the boot loader
for the distribution on the hard disk assuming the user does not wish to take
control of the platform and replace the keys.

To build a secure bootable CD, simply use Loader.efi as the usual
/efi/boot/bootX64.efi and place the usual loader in the same directory as the
file boot.efi.

In order to add further convenience, if the user places the platform in setup
mode and re-runs the loader, it will ask permission to add the signature the
unsigned boot loader, boot.efi, to the authorised signatures database, meaning
Loader.efi will now no longer ask for present user authorisation every time
the system is started.


Could this be used to make a bootable flash drive on EFI systems like a MacBook Pro? And if yes, how about a noob guide?
akash_rawal

Joined: 25 Aug 2010
Posts: 232
Location: ISM Dhanbad, Jharkhand, India

PostPosted: Thu 15 Nov 2012, 04:50    Post subject:  

I myself know nothing about it.

Virtualbox supports efi, so I tried giving it a test run.

At http://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface
Wikipedia wrote:

Booting

The UEFI specification defines a "boot manager", a firmware policy engine that is in charge of loading the OS loader and all necessary drivers. The boot configuration is controlled by a set of global NVRAM variables, including boot variables that indicate the paths to the loaders.

OS loaders are a class of UEFI applications. As such, they are stored as files on a file system that can be accessed by the firmware. Supported file systems include FAT32, FAT16 and FAT12. Supported partition table schemes include MBR and GPT. UEFI does not rely on a boot sector.

Boot loaders can also be auto-detected by firmware, to enable booting on removable devices. Auto-detection relies on a standardized file path to the OS loader, depending on the actual architecture to boot (\EFI\BOOT\BOOT[architecture name].EFI, e.g. \EFI\BOOT\BOOTx64.EFI).

It is common for UEFI firmware to include a user interface to the boot manager, to allow the user to select and load the operating system among the possible options.

So I fired virtualbox, created a GPT partition table and in it a fat32 partition and copied Loader.efi to /efi/boot/bootx64.efi and then rebooted in efi mode. Virtualbox dropped me into efi shell.

I tried bootx86.efi and bootia32.efi too, but no luck.

Anyone else having success with it?

BTW ideally for testing we need a hypervisor (or even better a real computer) with UEFI secure boot with microsoft certificates only.
Moose On The Loose


Joined: 24 Feb 2011
Posts: 513

PostPosted: Thu 15 Nov 2012, 12:37    Post subject: Re: Linux Foundation UEFI Secure Boot System for Open Source
Subject description: how can this be applied to puppy?
 

Dingo wrote:
Today I read that Linux Foundation found the way to bypass the EVIL UEFI

http://www.linuxfoundation.org/news-media/blogs/browse/2012/10/linux-foundation-uefi-secure-boot-system-open-source

but, concretely, how can this be applied to Puppy? E.g. if I want to boot my good old BELOVED Cool Puppy 3.01 from live cd on a pc with the EVIL UEFI, am I constrained to look for a way to disable UEFI manually, or can I use this workaround in some way?


It may be that the UEFI will be what causes the mass switch away from the "Personal Computer" model to the "Android personal device" model. A lot of people are using an Android or iPad thing as the only computing platform they have. Crippling the PC seems like a further push away from the PC model and away from using things like Windows. Microsoft is having the market taken away from them at the bottom by Android device like things.

Since Puppy can be ported onto an ARM, I see this as also a thing that could destroy Intel. Intel is very strong in the x86 market but just an "also ran" in the ARM market. Since a fast ARM can do instruction by instruction sim of the x86, I expect that we will see a program like QEMU on an ARM doing the function of wine.
akash_rawal

Joined: 25 Aug 2010
Posts: 232
Location: ISM Dhanbad, Jharkhand, India

PostPosted: Sat 17 Nov 2012, 14:46    Post subject:  

akash_rawal wrote:

So I fired virtualbox, created a GPT partition table and in it a fat32 partition and copied Loader.efi to /efi/boot/bootx64.efi and then rebooted in efi mode. Virtualbox dropped me into efi shell.

I tried bootx86.efi and bootia32.efi too, but no luck.


On closer observation I see some message being flashed on the screen when I used /efi/boot/bootia32.efi. Something like Not a secure boot platform... and after that a couple of lines. The message is flashed only for a couple of milliseconds barely enough to read a few words. So I compiled grub2 for EFI and placed it as /efi/boot/boot.efi but it doesn't start.

However when I place grub2 as /efi/boot/bootia32.efi so as to load it directly, it works.

Grub2 binary: http://dl.dropbox.com/u/58347439/grub2/grub.efi



Maybe my Loader.efi wasn't built properly.
akash_rawal

Joined: 25 Aug 2010
Posts: 232
Location: ISM Dhanbad, Jharkhand, India

PostPosted: Sun 18 Nov 2012, 02:55    Post subject:  

Looking at the source code it appears that the filename is loader.efi and not boot.efi.

So I copied grub2 as /loader.efi (not /efi/boot/loader.efi, that didn't work) and rebooted in EFI mode, and finally had success.

But we need to test this on a UEFI Restricted Boot enabled system to see whether it really does its job.

So here's the procedure to set up grub2 on a UEFI Secure Boot enabled computer:

  1. Choose a FAT32/FAT16 partition on your drive. If not available create one. (ext and ntfs are not usually supported.)
  2. Mount it and copy grub.efi to the partition as /loader.efi.
  3. Create directory named efi and in it create directory named boot. Then copy Loader.efi (found in efitools_i686.tar.bz2 as /usr/share/efitools/efi/Loader.efi) into it and rename it to bootia32.efi.

And you are done.

Same procedure applies to USB drives and probably optical drives as well.

Then on next boot UEFI will find the bootia32.efi. Whether it gets authorized and boots is another matter.

On success you will land in the grub2 shell.

You can then move forward to writing the config file grub.cfg. You have to place grub.cfg as /efi/grub/grub.cfg in the same partition where you placed bootia32.efi.
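
The layout from the procedure in the post above, as an added shell example that is not part of the thread or of efitools. It goes one step beyond the post by reading the PE header of Loader.efi to pick the fallback file name (bootia32.efi or bootx64.efi) instead of hard-coding it. The function names are hypothetical, /loader.efi as the chained name is taken from the post, and the sample files are constructed stubs, not real EFI binaries.

```shell
#!/bin/sh
# Added example: stage the files as described in the post, choosing the
# fallback name from the architecture recorded in Loader.efi's PE header.

# Print N bytes at OFFSET of FILE as one little-endian unsigned integer.
le_uint() {  # le_uint FILE OFFSET N
    bytes=$(od -An -v -tu1 -j "$2" -N "$3" "$1" 2>/dev/null) || return 1
    val=0; mult=1
    for b in $bytes; do val=$((val + b * mult)); mult=$((mult * 256)); done
    echo "$val"
}

# Print the UEFI removable-media fallback name matching FILE's PE machine type.
fallback_name() {
    [ "$(le_uint "$1" 0 2)" = 23117 ] || return 1          # "MZ"
    pe_off=$(le_uint "$1" 60 4) || return 1                # e_lfanew at 0x3c
    [ "$(le_uint "$1" "$pe_off" 4)" = 17744 ] || return 1  # "PE\0\0"
    case "$(le_uint "$1" $((pe_off + 4)) 2)" in
        332)   echo bootia32.efi ;;   # 0x014c, 32-bit x86
        34404) echo bootx64.efi ;;    # 0x8664, x86-64
        *)     return 1 ;;
    esac
}

# stage_esp ROOT LOADER_EFI GRUB_EFI
# ROOT is the mounted FAT partition chosen in step 1 of the post.
stage_esp() {
    name=$(fallback_name "$2") || { echo "not a known EFI image: $2" >&2; return 1; }
    # Firmware only runs images built for its own architecture, so the
    # chained loader has to match the first-stage one.
    [ "$(fallback_name "$3")" = "$name" ] || { echo "arch mismatch: $3" >&2; return 1; }
    mkdir -p "$1/efi/boot" &&
    cp "$3" "$1/loader.efi" &&        # step 2: grub.efi as /loader.efi
    cp "$2" "$1/efi/boot/$name" &&    # step 3: Loader.efi under the fallback name
    echo "$name"
}

# Constructed sample: a 70-byte stub holding only the header fields read above.
make_sample_pe() {  # make_sample_pe FILE MACHINE_LOW_BYTE MACHINE_HIGH_BYTE (octal)
    { printf 'MZ'; dd if=/dev/zero bs=1 count=58 2>/dev/null
      printf '\100\000\000\000PE\000\000'; printf "\\$2\\$3"; } > "$1"
}

# Demo on constructed 32-bit stubs in a scratch directory.
tmp=$(mktemp -d)
make_sample_pe "$tmp/Loader.efi" 114 001
make_sample_pe "$tmp/grub.efi" 114 001
stage_esp "$tmp/esp" "$tmp/Loader.efi" "$tmp/grub.efi"
rm -rf "$tmp"
```

On a real system the first argument would be the mount point of the FAT partition and the other two the Loader.efi and grub.efi files named in the post.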
akash_rawal

Joined: 25 Aug 2010
Posts: 232
Location: ISM Dhanbad, Jharkhand, India

PostPosted: Thu 22 Nov 2012, 11:21    Post subject:  

Attempted to boot slacko puppy in virtualbox UEFI, video not working.



But it does boot, as after some time pressing ctrl+alt+backspace and then typing 'poweroff' blindly does turn it off.

Anyone else able to set it up properly?