help-grub

Re: Replacement for search_fsuuid in grub-signed for UEFI Secure Boot


From: Andrei Borzenkov
Subject: Re: Replacement for search_fsuuid in grub-signed for UEFI Secure Boot
Date: Sat, 5 Dec 2015 10:21:16 +0300
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0

05.12.2015 10:01, Mat Troi wrote:
> On Fri, Dec 4, 2015 at 10:23 PM, Andrei Borzenkov <address@hidden> wrote:
> 
>> 05.12.2015 06:25, Mat Troi wrote:
>>> Hi,
>>>
>>> Sorry if the info I gave is vague, I am trying to learn how Secure
>>> Boot would work with GRUB2.  I am not sure how much information is appropriate,
>>> but here goes:
>>>
>>> On my EFI-installed system, grub is built with an embedded load.cfg;
>>> load.cfg has the following content:
>>> search.fs_uuid 123f09d21237f123 root
>>> set prefix=($root)/boot/grub/efi
>>>
>>> From what I read in the manual, this will set up the root and prefix
>>> during booting.
>>>
>>> So for Secure Boot, I need to make a signed GRUB2.  The signed GRUB2
>>> needs to be generic because it is only signed once in production.
>>
>> If you will sign it yourself, what prevents you from signing it every time?
>>
> Because it is only signed one time on a special server and then that one
> copy will be given out to users.  It would be a lot of work to have to sign
> every copy of GRUB2 every time.
> 
>>
>>> So this means I cannot embed a configuration file with UUID number as the
>>> UUID changes per system installation.
>>>
>>
>> Distributions solve it by making the signed image use a config file in the
>> same directory the image was loaded from; this config file can then be
>> changed for each system as it is not part of the image itself.
>>
> I am confused.  So do you mean distributions make an image without the
> config file, sign the image, then place it in the same directory as the
> config file?  If so, how to tell the image to use the config file in the
> same directory?
> 

Did you try to look at Fedora, Debian, Ubuntu, openSUSE how they create
it? Or do you have specific reasons to reinvent the wheel? :)

But anyway, in EFI a loaded image can ask the firmware about the path it was
loaded from. If the GRUB prefix is empty at startup, it will be set to this
path. Otherwise it will be available as the $cmdpath variable.

>>> You mention "unique name".  Is there any way I can create the name myself?
>>
>> The `touch' command comes to mind :)
>>
> Duh, I misread your comment ;)  So if I create a unique file, how do I
> search for it?  Can I name it myself or will grub name it?
> 

search --file

>>
>>> How to hardcode partition number?
>>>
>>
>> Set prefix to something like
>>
>> (,gpt15)/boot/grub
>>
> Silly question - do I have to have the (,gpt15)?  Can I just set prefix to
> "/boot/grub"?
> 

In this case the disk part will be set to the partition GRUB was loaded from.
Sorry, now I have to ask - do you know how EFI boot works?

>>
>> The disk part will be filled at run time with the disk name GRUB was booted from
>> (i.e. where the ESP is located) resulting in e.g.
>>
>> (hd2,gpt15)/boot/grub
>>
>> Of course it works only if the ESP is located on the same disk as the GRUB
>> prefix. Or you can simply install full grub on the ESP and always have it
>> available.
>>
> I did not know there is full grub and partial grub.  What is the difference,
> and how can I tell what I currently have on my system?


Sorry, where have I written anything about "full" or "partial" GRUB?

> 
> Thanks.
> 
>>
>>> Thanks,
>>> Mat
>>>
>>> On Thursday, December 3, 2015, Andrei Borzenkov <address@hidden> wrote:
>>>
>>>> On Fri, Dec 4, 2015 at 7:27 AM, Mat Troi <address@hidden> wrote:
>>>>> I am building the signed grub myself.  I guess the question is how to
>>>>> search for the root device without using uuid?  I tried search.fs_label grub
>>>>> root and the system returns error: no such device: grub.
>>>>>
>>>>
>>>> Well, you can find only what is available. As you do not provide any
>>>> information about your environment and configuration I can only guess
>>>> that no filesystem accessible to GRUB has label "grub".
>>>>
>>>> If not UUID, you can search by label or search for a specific file
>>>> name. That is what grub-install does anyway if UUIDs are not reliable
>>>> - it creates a file with a unique name and searches for it.
>>>>
>>>> Or you can simply hardcode partition number.
>>>>
>>>> But I guess all the above was already known, in which case you had better
>>>> ask the real question you want answered :)
>>>>
>>>>>
>>>>> On Thursday, December 3, 2015, Andrei Borzenkov <address@hidden> wrote:
>>>>>>
>>>>>> 03.12.2015 22:59, Mat Troi wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> If using signed grub for Secure Boot, I cannot use search_fsuuid in the
>>>>>>> configuration for grub as the uuid is different.  Is there a way to write a
>>>>>>> configuration that will let me find the current UEFI boot and set that as
>>>>>>> root?  Or is there a way to set root not using search_fsuuid?
>>>>>>>
>>>>>>
>>>>>> It is really a question for your distribution - what it puts into the signed
>>>>>> GRUB image. But those distributions I am aware of include the `search'
>>>>>> command ...
>>>>
>>>
>>
>>
> 




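The two config files Andrei describes, worked through as an added example (this is not code from the thread, nor any distribution's packaging): a generic config embedded in the signed image, identical on every system so it is signed once, which uses $cmdpath to reach a per-system config in the same ESP directory the image was loaded from; and that per-system config written two ways, with a grub-install-style unique marker file located via `search --file`, and with a hard-coded partition as in `(,gpt15)/boot/grub`. The directory layout, the `.marker-` file name, the module list, the `-p ""` use to leave the prefix empty, and the key/cert file names are assumptions; the grub-mkimage and sbsign step is shown but needs those tools installed.

```shell
#!/bin/sh
# Added example, not from the thread or from any distribution.
# Assumed layout: GRUB directory /boot/grub on the root filesystem; the signed
# image and its per-system grub.cfg live together in $ESP/EFI/<vendor>/.

# Config to embed with `grub-mkimage -c`. It carries no UUID and no partition
# number, so the same signed image boots every installation. GRUB sets
# $cmdpath to the directory the firmware loaded the image from (e.g.
# (hd0,gpt1)/EFI/vendor), and the per-system config sits right there.
embedded_cfg() {
    cat <<'EOF'
# Embedded in the signed image; no per-system data here.
if [ -f "${cmdpath}/grub.cfg" ]; then
    configfile "${cmdpath}/grub.cfg"
fi
# No per-system config next to the image: say where we are and drop to the shell.
echo "no ${cmdpath}/grub.cfg found; prefix is ${prefix}"
EOF
}

# grub-install's trick from the thread: create a file with a unique name in
# the GRUB directory so the unsigned config can find that filesystem with
# `search --file` instead of a UUID. $1 = GRUB directory. Prints the basename.
install_marker() {
    marker=$(mktemp "$1/.marker-XXXXXXXX") || return 1
    basename "$marker"
}

# Per-system config, written by the installer to $ESP/EFI/<vendor>/grub.cfg,
# i.e. next to the image but outside the signed bytes. $1 = marker basename.
esp_cfg_marker() {
    cat <<EOF
# Generated per system; not part of the signed image.
search --no-floppy --file --set=root /boot/grub/$1
set prefix=(\$root)/boot/grub
configfile \$prefix/grub.cfg
EOF
}

# The other option Andrei gives: hard-code the partition. The empty disk part
# is filled at run time with the disk GRUB was booted from (the ESP's disk),
# so this only works when /boot is on that same disk. $1 = partition, e.g. gpt15.
esp_cfg_fixed() {
    cat <<EOF
# Generated per system; disk part is filled in at boot with the ESP's disk.
set prefix=(,$1)/boot/grub
configfile \$prefix/grub.cfg
EOF
}

# Build and sign once, on the signing host. Needs grub-mkimage and sbsign;
# db.key/db.crt are the assumed Secure Boot signing key pair. `-p ""` is
# assumed to leave the prefix empty so GRUB fills it from the load path.
build_signed_image() {
    embedded_cfg > embedded.cfg
    grub-mkimage -O x86_64-efi -p "" -c embedded.cfg -o grubx64.efi \
        part_gpt fat ext2 normal configfile echo test \
        search search_fs_uuid search_label search_fs_file linux
    sbsign --key db.key --cert db.crt --output grubx64.efi.signed grubx64.efi
}
```

Installer flow under these assumptions: run `install_marker /boot/grub` once per system, feed its output to `esp_cfg_marker` and write the result to the ESP directory holding the signed image; the image itself never changes. Swap in `esp_cfg_fixed gpt15` when /boot is on a known partition of the boot disk and you want no filesystem search at all.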