Linux Foundation UEFI Secure Boot System for Open Source

[Dingo]

Today I read that Linux Foundation found the way to bypass the EVIL UEFI

http://www.linuxfoundation.org/news-med ... pen-source

but, concretely, how can be this applied to Puppy? E.g. if I want to boot my good old BELOVED Puppy 3.01 from live cd on a pc with the EVIL UEFI, I'm constrained to looking for a way to disabling UEFI manually or I can use this workaround in some way?

[akash_rawal]

I don't know much about uefi, other than its evil 'restricted boot' which is so much talked about.

Cloned the repository and tried to build it anyways:

Code: Select all

# git clone git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git 
Cloning into efitools...
remote: Counting objects: 321, done.
remote: Compressing objects: 100% (320/320), done.
remote: Total 321 (delta 203), reused 0 (delta 0)
Receiving objects: 100% (321/321), 83.79 KiB | 7 KiB/s, done.
Resolving deltas: 100% (203/203), done.
# cd efitools/
# make
cc -I/initrd/mnt/dev_save/Documents/akash/software/boot/uefi_secure_boot_system/efitools/include/ -I/usr/include/efi -I/usr/include/efi/i686 -I/usr/include/efi/protocol -O2 -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -mno-red-zone -fno-stack-protector -DCONFIG_i686 -c HelloWorld.c -o HelloWorld.o
HelloWorld.c:5:17: fatal error: efi.h: No such file or directory
compilation terminated.
make: *** [HelloWorld.o] Error 1
# 

but without success. Anyone knows what sort of development libs we need?

btw I myself don't know what I was doing, I have no idea what I will do with built binaries if I ever succeed, just hoping to learn on the way.

I have no devices to test, I'm hoping to find an emulator again

[nooby]

This blog try to explain options?
http://blog.hansenpartnership.com/linux ... en-source/

Lot of links in it and comments of policy and such.

Re hardware one would need to have lists on what new computers
that have implemented this in ways that makes it hard to frugal install
Puppy on it or even to start up a CD/DVD?

One can not expect the Devs of Puppy to buy each new computer
so we need volunteers that visit friends with brand new computers
and them taking a DVD and USB with frugal Puppy on it and
boot and report what the screen give error message and relate
that to what UEFI version and from which vendor and hardware
company and BIOS used and so on. Sisyphos something

Sad if one buy a new computer for say 500USD only to realise
it is impossible to boot Puppy on it

We have a lot of feedback over here too. UEFI Madness but less structured
http://www.murga-linux.com/puppy/viewtopic.php?t=78695

I have now two old Desktops say 3 years and older and I have
one Laptop from 2005 and one Netbook Asus from 1009?
and two Acer Netbooks from 2010? sp all of these are too old
for to have UEFI on them.

Re hardware to test on
Having 6 computers already with Puppy on them in working conditions
Sure I have the money but not the motivation to throw them on a new one.

I don't feel for buying anything new unless it is ARM USB things
that cost 50 USD or so but they don't have UEFI them are locked to
Android most of the time and that one have HDMI connection
which only my TV set have

[rcrsn51]

Sad if one buy a new computer for say 500USD only to realise it is impossible to boot Puppy on it

One test you would want to run is here.

[Dingo]

I don't know much about uefi, other than its evil 'restricted boot' which is so much talked about.

Cloned the repository and tried to build it anyways:

Code: Select all

# git clone git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git 
Cloning into efitools...
remote: Counting objects: 321, done.
remote: Compressing objects: 100% (320/320), done.
remote: Total 321 (delta 203), reused 0 (delta 0)
Receiving objects: 100% (321/321), 83.79 KiB | 7 KiB/s, done.
Resolving deltas: 100% (203/203), done.
# cd efitools/
# make
cc -I/initrd/mnt/dev_save/Documents/akash/software/boot/uefi_secure_boot_system/efitools/include/ -I/usr/include/efi -I/usr/include/efi/i686 -I/usr/include/efi/protocol -O2 -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -mno-red-zone -fno-stack-protector -DCONFIG_i686 -c HelloWorld.c -o HelloWorld.o
HelloWorld.c:5:17: fatal error: efi.h: No such file or directory
compilation terminated.
make: *** [HelloWorld.o] Error 1
# 

but without success. Anyone knows what sort of development libs we need?

maybe you need this

http://svn.exactcode.de/linux24-psionw/ ... inux/efi.h

[nooby]

Sad if one buy a new computer for say 500USD only to realise it is impossible to boot Puppy on it

One test you would want to run is here.

Thanks and hopefully it does work
but that Acer G520 is very old machine with Vista on it.
before Ms decided to demand that one can not shut it off?

Did not somebody report on a machine at LinuxQuestions
they failed to get it going on another machine? I am a pessimist.

Much appreciated you linked to that text.

[akash_rawal]

Well I figured out I (most probably) need gnu-efi (http://sourceforge.net/projects/gnu-efi/). Now gnu-efi fails to build.

It looks like some sort of makefile error.

Code: Select all

# make
mkdir -p lib
make -C lib -f ./../lib/Makefile SRCDIR=./../lib ARCH=ia32
make[1]: Entering directory `/initrd/mnt/dev_save/Documents/akash/software/boot/gnu-efi/gnu-efi-3.0/lib'
for sdir in ia32 x86_64 ia64 runtime; do mkdir -p $sdir; done
make[1]: *** No rule to make target `boxdraw.o)', needed by `libefi.a'.  Stop.
make[1]: Leaving directory `/initrd/mnt/dev_save/Documents/akash/software/boot/gnu-efi/gnu-efi-3.0/lib'
make: *** [lib] Error 2
# 

[pemasu]

I test compiled it in debian squeeze based dpup.
Not sure if this stuff has any useful usage, but here it is.....

[akash_rawal]

I switched to precise puppy 540 and now I am able to build gnu-efi. But efitools failed to link. I ended up using pemasu's binary and finally had success with it (thanks pemasu).

I modified the makefiles so that it would build in 32-bit systems. I am attaching the modified sources here as well as the final build. I haven't cleaned the sources as I felt some other files might be useful.

You need sbsigntools ([url]git://kernel.ubuntu.com/jk/sbsigntool[/url]) if you want to build it yourself. On precise puppy I also installed vim-common, help2man and liblocale-gettext-perl.

According to readme file Loader.efi is the bootloader. Quoting the relevant portion of readme file:

Loader.efi
==========

This EFI binary is created to boot an unsigned EFI file on the platform. Since
this explicitly breaks the security of the platform, it will first check to
see if the boot binary is naturally executable and execute it if it is (either
it's properly signed or the platform isn't in Secure Boot mode). If the
binary gives an EFI_ACCESS_DENIED error meaning it isn't properly signed,
Loader.efi will request present user authorisation before proceeding to boot.

The idea is that Loader.efi may serve as a chain for elilo.efi or another boot
loader on distributed linux live and install CDs and even as the boot loader
for the distribution on the hard disk assuming the user does not wish to take
control of the platform and replace the keys.

To build a secure bootable CD, simply use Loader.efi as the usual
/efi/boot/bootX64.efi and place the usual loader in the same directory as the
file boot.efi.

In order to add further convenience, if the user places the platform in setup
mode and re-runs the loader, it will ask permission to add the signature the
unsigned boot loader, boot.efi, to the authorised signatures database, meaning
Loader.efi will now no longer ask for present user authorisation every time
the system is started.

[einar]

I switched to precise puppy 540 and now I am able to build gnu-efi. But efitools failed to link. I ended up using pemasu's binary and finally had success with it (thanks pemasu).

I modified the makefiles so that it would build in 32-bit systems. I am attaching the modified sources here as well as the final build. I haven't cleaned the sources as I felt some other files might be useful.

You need sbsigntools ([url]git://kernel.ubuntu.com/jk/sbsigntool[/url]) if you want to build it yourself. On precise puppy I also installed vim-common, help2man and liblocale-gettext-perl.

According to readme file Loader.efi is the bootloader. Quoting the relevant portion of readme file:

Loader.efi
==========

This EFI binary is created to boot an unsigned EFI file on the platform. Since
this explicitly breaks the security of the platform, it will first check to
see if the boot binary is naturally executable and execute it if it is (either
it's properly signed or the platform isn't in Secure Boot mode). If the
binary gives an EFI_ACCESS_DENIED error meaning it isn't properly signed,
Loader.efi will request present user authorisation before proceeding to boot.

The idea is that Loader.efi may serve as a chain for elilo.efi or another boot
loader on distributed linux live and install CDs and even as the boot loader
for the distribution on the hard disk assuming the user does not wish to take
control of the platform and replace the keys.

To build a secure bootable CD, simply use Loader.efi as the usual
/efi/boot/bootX64.efi and place the usual loader in the same directory as the
file boot.efi.

In order to add further convenience, if the user places the platform in setup
mode and re-runs the loader, it will ask permission to add the signature the
unsigned boot loader, boot.efi, to the authorised signatures database, meaning
Loader.efi will now no longer ask for present user authorisation every time
the system is started.

could this be used to make a bootable flash drive on EFI systems like a Macbook pro ? and if yes. how about a noob guide

[akash_rawal]

I myself know nothing about it.

Virtualbox supports efi, so I tried giving it a test run.

At http://en.wikipedia.org/wiki/Unified_Ex ... _Interface

Booting

The UEFI specification defines a "boot manager", a firmware policy engine that is in charge of loading the OS loader and all necessary drivers. The boot configuration is controlled by a set of global NVRAM variables, including boot variables that indicate the paths to the loaders.

OS loaders are a class of UEFI applications. As such, they are stored as files on a file system that can be accessed by the firmware. Supported file systems include FAT32, FAT16 and FAT12. Supported partition table schemes include MBR and GPT. UEFI does not rely on a boot sector.

Boot loaders can also be auto-detected by firmware, to enable booting on removable devices. Auto-detection relies on a standardized file path to the OS loader, depending on the actual architecture to boot (\EFI\BOOT\BOOT[architecture name].EFI, e.g. \EFI\BOOT\BOOTx64.EFI).

It is common for UEFI firmware to include a user interface to the boot manager, to allow the user to select and load the operating system among the possible options.

So I fired virtualbox, created a GPT partition table and in it a fat32 partition and copied Loader.efi to /efi/boot/bootx64.efi and then rebooted in efi mode. Virtualbox dropped me into efi shell.

I tried bootx86.efi and bootia32.efi too, but no luck.

Anyone else having success with it?

BTW ideally for testing we need a hypervisor (or even better a real computer) with UEFI secure boot with microsoft certificates only.

[Moose On The Loose]

Today I read that Linux Foundation found the way to bypass the EVIL UEFI

http://www.linuxfoundation.org/news-med ... pen-source

but, concretely, how can be this applied to Puppy? E.g. if I want to boot my good old BELOVED Puppy 3.01 from live cd on a pc with the EVIL UEFI, I'm constrained to looking for a way to disabling UEFI manually or I can use this workaround in some way?

It may be that the UEFI will be what causes the mass switch away from the "Personal Computer" model to the "Android personal device" model. A lot of people are using an Android or Ipad thing as the only computing platform they have. Crippling the PC, seems like a further push away from the PC model and away from using things like Windows. Microsoft is having the market taken away from them at the bottom by Android device like things.

Since Puppy can be ported onto an ARM, I see this as also a thing that could destroy Intel. Intel is very strong in the x86 market but just an "also ran" in the ARM market. Since a fast ARM can do instruction by instruction sim of the x86, I expect that we will see a program like QEMU on an ARM doing the function of wine.

[akash_rawal]

So I fired virtualbox, created a GPT partition table and in it a fat32 partition and copied Loader.efi to /efi/boot/bootx64.efi and then rebooted in efi mode. Virtualbox dropped me into efi shell.

I tried bootx86.efi and bootia32.efi too, but no luck.

On closer observation I see some message being flashed on the screen when I used /efi/boot/bootia32.efi. Something like Not a secure boot platform... and after that a couple of lines. The message is flashed only for a couple of milliseconds barely enough to read a few words. So I compiled grub2 for EFI and placed it as /efi/boot/boot.efi but it doesn't start.

However when I place grub2 as /efi/boot/bootia32.efi so as to load it directly, it works.

Grub2 binary: http://dl.dropbox.com/u/58347439/grub2/grub.efi



Maybe my Loader.efi wasn't built properly.

[akash_rawal]

Looking at the source code it appears that the filename is loader.efi and not boot.efi.

So I copied grub2 as /loader.efi (not /efi/boot/loader.efi, that didn't work) and rebooted in EFI mode, and finally had success

But we need to test this on a UEFI Restricted Boot enabled system to see whether it really does its job.

So here's the proceedure to setup grub2 on UEFI Secure Boot enabled computer:

1. Choose a FAT32/FAT16 partition on your drive. If not available create one. (ext and ntfs are not usually supported.)
2. Mount it and copy grub.efi to the partition as /loader.efi.
3. Create directory named efi and in it create directory named boot. Then copy Loader.efi (found in efitools_i686.tar.bz2 as /usr/share/efitools/efi/Loader.efi) into it and rename it to bootia32.efi.

And you are done.

Same procedure applies to USB drives and probably optical drives as well.

Then on next boot UEFI will find the bootia32.efi. Whether it gets authorized and boots is another matter

On success you will be landed to grub2 shell.

You can then move forward to writing config file grub.cfg. You have to place grub.cfg as /efi/grub/grub.cfg in same partition where you placed bootia32.efi.

[akash_rawal]

Attempted to boot slacko puppy in virtualbox UEFI, video not working.



But it does boot, as after sometime pressing ctrl+alt+backspace and then typing 'poweroff' blindly does turn it off.

Anyone else able to set it up properly?

[einar]

No imput sadly, but hope you get this to work. Its very interesting for the future.

wish you the best of luck

Regards

Einar

[rufwoof]

All 64-bit versions of PCs running Windows with a logo from
the Windows Certification Program will use UEFI

Such PC hardware will be deemed to be OWNED by Microsoft
Windows. You are free to put into your Windows Computers
(WC) whatever you like, providing certified as being safe
and appropriate by Microsoft.

Microsoft have noted that some users have been putting sh*t
in their WC, Microsoft insists such practice desists and expects
users to only flush $$$'s into their WC.

When you buy a PC with the Windows logo you are not actually
buying a PC for yourself, but are buying a WC. Whilst you have
paid for the hardware, Microsoft deem that you do not own that
hardware. This is a convergence with how MIcrosoft software is
deployed.

[8-bit]

I just happen to have a Toshiba Satellite model L555D-S7005 that came new with Windows 7 64bit on it. And it does not have UEFI at all!
Maybe it is an exception to your statement as I also checked the BIOS and there is no sign of UEFI even mentioned in the settings.

I did notice when checking out the latest stable version of Gparted-live that it comes with EFI which I am assuming, maybe wrong is UEFI boot code for booting on a UEFI PC.

[nooby]

That is because it has Win 7 instead win 8 or win 8.1
which are those that should have UEFI But that is only
what I have heard maybe thre are exceptions to that too?