Puppy Linux Discussion Forum Forum Index Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

The time now is Tue 12 Nov 2019, 17:21
All times are UTC - 4
 Forum index » Advanced Topics » Cutting edge
FrugalPup v15 & StickPup v15 - Puppy frugal installer.
Moderators: Flash, Ian, JohnMurga
Post new topic   Reply to topic View previous topic :: View next topic
Page 3 of 7 [92 Posts]   Goto page: Previous 1, 2, 3, 4, 5, 6, 7 Next
Author Message
bigpup


Joined: 11 Oct 2009
Posts: 12828
Location: S.C. USA

PostPosted: Fri 18 Oct 2019, 23:39    Post subject:  

This computer, I am using to post this, has:
secure boot enabled
legacy boot disabled

Running Bionicpup64 8.0-UEFI

It has two partitions on the internal drive.
a small fat32 formatted partition.
The rest of drive is a large ext4 formatted partition.

The boot files are on the small fat32 partition. (boot partition)
The large ext 4 partition has a frugal install of Bionicpup64 8.0

Used the boot installer part of Frugalpup to install the uefi boot loader.

Note:
The grub.cfg, that is shown in first image, is the one with all the boot information entries.
The other grub.cfg just points to it.

Here are the files on the boot partition.
Screenshot.png
 Description   This is all the boot files on the small partition.
 Filesize   15.17 KB
 Viewed   211 Time(s)

Screenshot.png

Screenshot(1).png
 Description   This is what is in the efi/boot directory
 Filesize   19.04 KB
 Viewed   212 Time(s)

Screenshot(1).png

Screenshot(2).png
 Description   This is what is in the boot/grub directory
 Filesize   13.86 KB
 Viewed   211 Time(s)

Screenshot(2).png


_________________
The things they do not tell you, are usually the clue to solving the problem.
When I was a kid I wanted to be older.... This is not what I expected Shocked
YaPI(any iso installer) http://www.murga-linux.com/puppy/viewtopic.php?t=107601
Back to top
View user's profile Send private message 
rcrsn51


Joined: 05 Sep 2006
Posts: 12768
Location: Stratford, Ontario

PostPosted: Sat 19 Oct 2019, 03:44    Post subject:  

Thanks, but you never answered the key question.

Quote:
I would like to know if they needed to do the additional stuff to register the keys as described by JamesBond.


Also, your EFI/boot folder has an additional .efi file that is not present on the flash drive that I set up with FrugalPup.

And that flash drive would NOT boot on a machine with Secure Boot enabled.
Back to top
View user's profile Send private message 
foxpup


Joined: 29 Jul 2016
Posts: 962
Location: europa near northsea

PostPosted: Sat 19 Oct 2019, 05:18    Post subject:  

rcrsn51 wrote:
Thanks, but you never answered the key question.

Quote:
I would like to know if they needed to do the additional stuff to register the keys as described by JamesBond.
I think you need to.
Enrolling a key will not hurt anyway.
I think that installers from major distros that use secure boot enroll their key during installation.
Their bootloader is signed with their key.
I suppose the bootloader from Fatdog is also signed with their key.
Luckily a signed bootloader also boots with secure boot OFF.

The next question you have asked has been on my mind also and it is important.
Quote:
And if I get the machine to boot, do I then need a signed kernel?

Once upon a time I have installed Fedora.
With their bootloader I could boot Puppys but I do not remember if I had secure boot on.
So I will set this up again (I never removed the enrolled fedora key) and report back.
Back to top
View user's profile Send private message 
rcrsn51


Joined: 05 Sep 2006
Posts: 12768
Location: Stratford, Ontario

PostPosted: Sat 19 Oct 2019, 05:34    Post subject:  

Quote:
I think you need to.

On my UEFI machine, there was no place to do this. It just reported something like "no signed bootloaders" and quit.

I have set up UEFI flash drives several ways, including burning the ISO with dd. None of them could get past this point. But maybe this problem is specific to the UEFI on my machine.

So I'm asking again - has anyone other than Bigpup got a Puppy to work with Secure Boot ON?
Back to top
View user's profile Send private message 
foxpup


Joined: 29 Jul 2016
Posts: 962
Location: europa near northsea

PostPosted: Sat 19 Oct 2019, 05:36    Post subject:  

rcrsn51 wrote:
Also, your EFI/boot folder has an additional .efi file that is not present on the flash drive that I set up with FrugalPup.
Maybe bootx64.efi is mjg59's shim?
https://mjg59.dreamwidth.org/19448.html
Back to top
View user's profile Send private message 
rcrsn51


Joined: 05 Sep 2006
Posts: 12768
Location: Stratford, Ontario

PostPosted: Sat 19 Oct 2019, 05:42    Post subject:  

foxpup wrote:
Maybe bootx64.efi is mjg59's shim?

That's what I suspected. Bigpup has done something extra to get Secure Boot support.

Here is my conclusion so far: Recent Puppy ISOs are UEFI-compatible, but they are NOT Secure Boot-compatible.

I am waiting for someone to refute this.
Back to top
View user's profile Send private message 
foxpup


Joined: 29 Jul 2016
Posts: 962
Location: europa near northsea

PostPosted: Sat 19 Oct 2019, 05:44    Post subject:  

rcrsn51 wrote:
Quote:
I think you need to.

On my UEFI machine, there was no place to do this. It just reported something like "no signed bootloaders" and quit.

You need a mokmanager. That is another efi binary.
There is certainly one in Fatdog, extract efiboot.img in the iso.
Put it next to bootx64.efi in EFI/boot.
Back to top
View user's profile Send private message 
rcrsn51


Joined: 05 Sep 2006
Posts: 12768
Location: Stratford, Ontario

PostPosted: Sat 19 Oct 2019, 05:54    Post subject:  

foxpup wrote:
You need a mokmanager. That is another efi binary.
There is certainly one in Fatdog, extract efiboot.img in the iso.
Put it next to bootx64.efi in EFI/boot.

Here is my bottom line:

To install a Puppy on a UEFI machine, I must start with a USB boot. So I have to go into the UEFI setup to change the boot order. So while I'm there, I might as well turn Secure Boot OFF and be done with it. Otherwise, I will need to track down extra stuff that is not included in the Puppy ISO.
Back to top
View user's profile Send private message 
foxpup


Joined: 29 Jul 2016
Posts: 962
Location: europa near northsea

PostPosted: Sat 19 Oct 2019, 05:57    Post subject:  

rcrsn51 wrote:
Here is my conclusion so far: Recent Puppy ISOs are UEFI-compatible, but they are NOT Secure Boot-compatible.
Got to the same conclusion.
Even shim will not change that. "I am waiting for someone to refute this." Wink

Further:
To comply with secure boot we would need to purchase a key from some windows subsidiary
and sign kernel or init or whatever everytime we make another Puppy.

My opinion:
We do not want to go that way!
I don't think there is any security in Secure Boot. In fact, I consider it a case of 'defective by design', vendor lock-in ...
Well, as long as you can disable secure boot, it is not a total vendor lock-in yet.
Back to top
View user's profile Send private message 
rcrsn51


Joined: 05 Sep 2006
Posts: 12768
Location: Stratford, Ontario

PostPosted: Sat 19 Oct 2019, 06:00    Post subject:  

Yet Bigpup claims to have done it.
Back to top
View user's profile Send private message 
foxpup


Joined: 29 Jul 2016
Posts: 962
Location: europa near northsea

PostPosted: Sat 19 Oct 2019, 06:02    Post subject:  

rcrsn51 wrote:
To install a Puppy on a UEFI machine, I must start with a USB boot. So I have to go into the UEFI setup to change the boot order. So while I'm there, I might as well turn Secure Boot OFF and be done with it. Otherwise, I will need to track down extra stuff that is not included in the Puppy ISO.

In general, that is correct.
It is possible there are machines that allow booting unsigned kernels from usb.

Adding a mokmanager in the iso is not a big thing though. Fatdog does that.

The biggest problem is signing the kernel everytime for a new Puppy if you do not have the key/cert to do that.

Last edited by foxpup on Sat 19 Oct 2019, 06:06; edited 1 time in total
Back to top
View user's profile Send private message 
foxpup


Joined: 29 Jul 2016
Posts: 962
Location: europa near northsea

PostPosted: Sat 19 Oct 2019, 06:05    Post subject:  

rcrsn51 wrote:
Yet Bigpup claims to have done it.
There is no standard for EFI. There are countless variations. It is possible it does work in his EFI and not in another.
Back to top
View user's profile Send private message 
rcrsn51


Joined: 05 Sep 2006
Posts: 12768
Location: Stratford, Ontario

PostPosted: Sat 19 Oct 2019, 06:08    Post subject:  

foxpup wrote:
There is no standard for EFI. There are countless variations. It is possible it does work in his EFI and not in another.

But I would have thought that the implementation of Secure Boot WOULD be standard. Maybe not.
Back to top
View user's profile Send private message 
gyro

Joined: 28 Oct 2008
Posts: 1663
Location: Brisbane, Australia

PostPosted: Sat 19 Oct 2019, 09:24    Post subject: frugalpup and SecureBoot  

FrugalPup has never done anything about "SecureBoot".
My assumption has always been that "SecureBoot" would need to be disabled.

But, earlier versions had their .efi code copied from an existing uefi usb stick (maybe clonezilla), and contained both a 'bootx64.efi' and a 'grubx64.efi'.

Recent versions get their .efi code from grub-efi-amd64-bin_2.04-2_i386.deb, a debian package, and contain only 'bootx64.efi'.
This is smaller, simpler to setup, and more appropriate to use. And gives me a way of upgrading to newer versions of grub2.
I'm sure that this version is not signed.

It is possible that the earlier "borrowed" .efi code, may have been signed.
I assumed it was not signed, I never checked. I always have "SecureBoot" disabled, since I still do non-uefi boots with grub4dos.

I "borrowed" the efi code because the efi code available in Puppy had a useless screen before the main boot selection screen, that I found annoying, whereas the "borrowed" code did not.

I intend to continue using the debian .efi code, so FrugalPup/StickPup should continue to require "SecureBoot" to be disabled.

gyro
Back to top
View user's profile Send private message 
gyro

Joined: 28 Oct 2008
Posts: 1663
Location: Brisbane, Australia

PostPosted: Sat 19 Oct 2019, 09:28    Post subject:  

rcrsn51 wrote:
To install a Puppy on a UEFI machine, I must start with a USB boot. So I have to go into the UEFI setup to change the boot order. So while I'm there, I might as well turn Secure Boot OFF and be done with it. Otherwise, I will need to track down extra stuff that is not included in the Puppy ISO.
My attitude also.
gyro
Back to top
View user's profile Send private message 
Display posts from previous:   Sort by:   
Page 3 of 7 [92 Posts]   Goto page: Previous 1, 2, 3, 4, 5, 6, 7 Next
Post new topic   Reply to topic View previous topic :: View next topic
 Forum index » Advanced Topics » Cutting edge
Jump to:  

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group
[ Time: 0.0671s ][ Queries: 12 (0.0139s) ][ GZIP on ]