
#21 2019-12-14 09:22:30

johnraff
nullglob
From: Nagoya, Japan
Registered: 2015-09-09
Posts: 12,557
Website

Re: Grub EFI secure-boot boot issues with live-build on Buster

cog wrote:

> Just a side note from my past experiences with secure-boot, DKMS gets even squirly-er than it already is.
>
> https://wiki.ubuntu.com/UEFI/SecureBoot/DKMS

Indeed. Just saw this: https://wiki.debian.org/SecureBoot#Secu … imitations

> Using SB activates "lockdown" mode in the Linux kernel. This disables various features that can be used to modify the kernel:
>
> *) Loading kernel modules that are not signed by a trusted key. By default, this will block out-of-tree modules including DKMS-managed drivers.

So users might well want to disable S-B whether our iso supports it or not. But for the few who really need it, it would be worth the effort IMO.


...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), now on Bluesky, there's also some GitStuff )

Introduction to the Bunsenlabs Boron Desktop
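
The limitation quoted in the post above can be checked on an installed system. This is an added example, not part of the original post and not BunsenLabs code: it reports the Secure Boot state, the kernel lockdown mode, and the modules that carry no appended signature. It assumes uncompressed `.ko` files and a kernel that exposes `/sys/kernel/security/lockdown`; the function names are illustrative.

```sh
#!/bin/sh
# Added example: Secure Boot / lockdown / module-signature checks.
# Paths are parameters so the functions can be run on constructed files.

SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
LOCKDOWN=/sys/kernel/security/lockdown
SIG_MAGIC='~Module signature appended~'

# efivarfs prepends 4 attribute bytes; the 5th byte is the value (1 = enabled).
sb_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    case "$(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# The active mode is the bracketed word, e.g. "none [integrity] confidentiality".
lockdown_mode() {
    [ -r "$1" ] || { echo unavailable; return 0; }
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1"
}

# A signed .ko ends with the marker string plus a newline (28 bytes in total).
is_signed() {
    [ "$(tail -c 28 "$1" | tr -d '\000\n')" = "$SIG_MAGIC" ]
}

# Print every uncompressed module under a directory that has no signature.
unsigned_modules() {
    find "$1" -type f -name '*.ko' | sort | while IFS= read -r ko; do
        is_signed "$ko" || printf '%s\n' "$ko"
    done
}

report() {
    echo "Secure Boot: $(sb_state "$SB_VAR")"
    echo "Lockdown:    $(lockdown_mode "$LOCKDOWN")"
    echo "Modules without an appended signature:"
    unsigned_modules "/lib/modules/$(uname -r)"
}

# Run the report only when the script is called with the argument "report".
if [ "${1:-}" = report ]; then report; fi
```

The marker check only shows that a signature is appended, not that the signing key is one the kernel trusts; `modinfo -F signer <module>` shows who signed it.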


#22 2019-12-19 07:58:57

johnraff

Well... this just might be OK.

https://drive.google.com/file/d/141fhHv … sp=sharing
sha256sum lith-sb2-amd64.hybrid.iso
750b6e26c509c11e5aa6fafb31f7f8ba63a20844d52268af01ca2e7ba6fd775c

Contents same as the test iso we just released, except that bunsen-os-release wasn't installed till after grub-installer had done its thing, just as for regular Debian. Then the Vendor info got added so that the grub boot menu displays BunsenLabs as usual. The only change in the live system is that it doesn't carry the BL vendor info in /etc/dpkg/origins, but I don't think that will affect live users (fingers crossed).
live-build config here: https://kernel.bunsenlabs.org/BunsenLab … ch/lith-sb

My main machine here is an HP that can have Secure Boot enabled in the machine settings (do we still call that BIOS now?)

So, tests I've just done:
1) Confirm SB is disabled on the machine.
2) Boot the lith-sb2 iso in live mode - no problems.
3) Enable SB. Boot of my regular hard disk grub Helium bootloader fails with a message about missing/unmatching keys (as expected).
4) Plug in the usb stick with lith-sb2 iso again - it boots OK in live mode. cool
(But I didn't try to install off the iso.)
5) Disable SB. Confirm that my regular system boots OK again.  hmm

If I had gone to an install I don't know if the Windows 10 sitting in a corner of the hard disk would have been recognized or not (not that I've ever needed to use it). Sorry, but I didn't feel up to taking the risk of borking my system, especially since I'll be away from tomorrow.

Anyway, this iso seems to boot OK on a machine with Secure Boot enabled. The last test, though, is whether the system it installs is also given a pass by SB. Does anyone here have a machine that could be safely used to test that? Or maybe share the iso on the forum and ask for testers?

Last edited by johnraff (2019-12-19 08:04:27)



#23 2019-12-20 01:03:18

hhh
Gaucho
From: High in the Custerdome
Registered: 2015-09-17
Posts: 16,036
Website


Share it is our best bet, I think. My old box doesn't even have Secure Boot.


No, he can't sleep on the floor. What do you think I'm yelling for?!!!


#24 2019-12-26 01:14:10

cog
Member
From: The Southwest
Registered: 2015-10-27
Posts: 655
Website


@john

I tried it on my machine with secure boot enabled. The live session and resulting install were flawless. Great work. I dove into DKMS and it didn't work as we expected.

I then wiped the install and did a regular live session and install on UEFI with secure boot disabled. Worked flawless as well. Looks like we nailed it.

Edit:

As you planned, the output of d-i showed bl-release-info being installed after grub-install was run. This setup will be a lot closer and true to the netinstall. It's also nice not having the apt-pin in place giving the user a more vanilla Debian install.

As a side note, with this method the EFI loaders are getting installed to "/boot/efi/EFI/debian" like my old workarounds did instead of "/boot/efi/EFI/bunsenlabs". This will work great as long as a user doesn't run "grub-install" post installation.

Also, I didn't try anything with Windows 10 sitting side-by-side BL.  I have no idea what result that will produce.

Last edited by johnraff-admin (2022-07-03 04:42:32)


#25 2020-01-09 08:04:30

johnraff

cog wrote:

> I tried it on my machine with secure boot enabled. The live session and resulting install were flawless.
>
> I then wiped the install and did a regular live session and install on UEFI with secure boot disabled. Worked flawless as well.

Hi cog, many thanks for testing this!

> ...with this method the EFI loaders are getting installed to "/boot/efi/EFI/debian" like my old workarounds did instead of "/boot/efi/EFI/bunsenlabs". This will work great as long as a user doesn't run "grub-install" post installation.

Yes, that's the only catch. For grub-install to work, users will have to temporarily uninstall bunsen-os-release, so grub is able to recognize the system as Debian (which it is of course). Could we just add this to the Release Notes?

> Also, I didn't try anything with Windows 10 sitting side-by-side BL. I have no idea what result that will produce.

Gaah.. that's exactly the situation I have on this machine. It came with W10, but I formatted the disks (SSD + regular HDD) and reinstalled W10 to a small partition of the hard disk before installing BL on the SSD. It works great - though I never use W10, and can't right now think of any reason why I would, I paid for it so am a bit scared of risking messing up the setup. I still have the install media, but reinstalling Windows after Linux is held not to work well, so I could end up having to reinstall everything. So my testing was only the live session.

( OTOH since the grub install process is now vanilla Debian, I would hope any W10 issues would already have been caught by the Debian devs? )

We could incorporate this SB tweak in a beta iso release - also adding a bunch of the upcoming other improvements - and get some user feedback before the final Lithium release?

Last edited by johnraff-admin (2022-07-03 04:43:35)



#26 2020-01-09 17:42:29

cog

johnraff wrote:

> Yes, that's the only catch. For grub-install to work, users will have to temporarily uninstall bunsen-os-release, so grub is able to recognize the system as Debian (which it is of course). Could we just add this to the Release Notes?

I say yes. Nobody is gonna be running grub-install post-install unless they mess up their UEFI entries or something weird, in which case it'll just be a recovery situation.

> ( OTOH since the grub install process is now vanilla Debian, I would hope any W10 issues would already have been caught by the Debian devs? )

Yeah, this would probably be a Debian installer issue which we don't have much control over anyways.

> We could incorporate this SB tweak in a beta iso release - also adding a bunch of the upcoming other improvements - and get some user feedback before the final Lithium release?

I say yes again as for using this in subsequent releases. It appears to be the logical path forward.
