[lfs-support] EFI, UEFI and LFS--Complicated, Confusing or Can of Worms

Dan McGhee beesnees at grm.net
Wed Oct 30 09:17:58 PDT 2013

As a continuation of the quest I started the other day with learning 
about GRUB configuration and my system, I have encountered some 
*interesting* information that could, as an extension of logic, have an 
impact on building LFS.

In trying to discern whether my new HP Envy has UEFI firmware, I've done 
some extensive reading in the last couple of days.  The first thing of 
which I became aware is that many terms in use these days; e.g., BIOS 
System, are uses that aren't quite specific to the actual situation.  
More precisely, in terms of booting, the question is, "Does the BIOS use 
an MBR partition or EFI partition to boot?"

I have learned that even in UEFI firmware there is an "MBR protected" 
area at the beginning of the hard drive.  This is for backward 
compatibility.  I have also learned that GRUB can work in "old," 
"hybrid," or "new" firmware environments.  This all depends on where 
GRUB puts its "stage 2" files.  Of course, when GRUB is configured for 
"efi," there are no stage 2 files.

The "indicators" that the firmware is UEFI and that an *actual* GPT 
partition is in use are that there exists an EFI partition with a FAT32 
file system and that the number of primary partitions is not limited to 
four.  If a person has Windows installed, one can go to disk management 
and look at the volumes.  If one is "EFI, healthy," then there is an 
actual, not hybrid, GPT partition.  If there is no such animal and the 
partition table shows only "C:\" which is healthy and has the boot flag 
set, it is an MBR partition.

I have also learned that the kernel must be configured with the efi 
options turned on.  I can't remember their specific names right now, but 
I'll note and report when I configure my kernel shortly.

Those are all the "complicated or confusing" things.  Now to the 
possible can of worms.

It's the signing of kernels and boot loaders.  At the start, I must say 
that the way around this is to turn off "secure boot" in the BIOS 
setup.  But, then, some folks may not want to do this.  If so, they may 
have to deal with this signing stuff.  Right now, and I repeat, right 
now; i.e., currently, GRUB can be used as a bootloader in a secure 
environment, if and only if, there is a signed key. Only Ubuntu and 
Fedora have those.  There is a way to generate personal keys, but I 
haven't learned that yet.  I'm just hoping that this stuff doesn't 
"progress" to the point at which we, LFS builders, will need them.  The 
war has already started.

Microsoft can "revoke" any firmware certificate it wants "without 
notice."  It does this through Windows Update.  I don't know how far 
this will go, but I'm distressed about it.  As long as I don't have to 
proceed with secure boot, I'm happy.

Anyway, I just wanted to share what I have discovered.  This may lead to 
posts like, "I did this and it didn't work.  The book needs to be 
changed."  The implementation of LFS, configuring and installing both 
the kernel and GRUB can be successful regardless of how the BIOS boots.  
There is a learning curve though. And some of GRUB's building and 
installing arguments need to be a little different.
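
The on-disk indicators discussed in this message (protective MBR, GPT header, EFI System Partition, more than four partitions) can be read straight from a disk's first sectors. The following Python sketch is an added example, not part of the original post: `classify`, `build_sample` and the sample images are constructed for illustration, "hybrid" here means an MBR that carries ordinary entries next to the 0xEE protective one, and the code assumes 512-byte sectors and does not verify the GPT CRCs.

```python
import struct
import uuid

SECTOR = 512  # assumption: 512-byte logical sectors
ESP_TYPE = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")  # EFI System Partition
LINUX_FS = uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4")  # Linux filesystem data


def classify(disk: bytes) -> dict:
    """Return partition scheme, partition count and ESP presence for a raw disk prefix."""
    mbr = disk[:SECTOR]
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        return {"scheme": "unknown", "partitions": 0, "esp": False}
    # Four 16-byte MBR slots start at offset 446; the type byte is at +4.
    types = [mbr[446 + 16 * i + 4] for i in range(4)]
    used = [t for t in types if t]
    hdr = disk[SECTOR:2 * SECTOR]
    if 0xEE not in types or hdr[:8] != b"EFI PART":
        return {"scheme": "mbr", "partitions": len(used), "esp": 0xEF in types}
    # GPT header: entry-array LBA at 72, entry count at 80, entry size at 84.
    array_lba, count, size = struct.unpack_from("<QII", hdr, 72)
    parts, esp = 0, False
    for i in range(count):
        off = array_lba * SECTOR + i * size
        raw = disk[off:off + 16]  # partition type GUID, mixed-endian on disk
        if len(raw) < 16 or raw == bytes(16):
            continue  # truncated image or unused slot
        parts += 1
        esp |= uuid.UUID(bytes_le=raw) == ESP_TYPE
    # Only the 0xEE protective entry means pure GPT; extra MBR entries mean hybrid.
    scheme = "gpt" if used == [0xEE] else "hybrid"
    return {"scheme": scheme, "partitions": parts, "esp": esp}


def build_sample(mbr_types, gpt_types=None) -> bytes:
    """Construct a tiny fake disk prefix (constructed test data, not a real image)."""
    mbr = bytearray(SECTOR)
    for i, t in enumerate(mbr_types):
        mbr[446 + 16 * i + 4] = t
    mbr[510:512] = b"\x55\xaa"
    if gpt_types is None:
        return bytes(mbr)
    hdr = bytearray(SECTOR)
    hdr[:8] = b"EFI PART"
    struct.pack_into("<QII", hdr, 72, 2, 128, 128)  # array at LBA 2, 128 slots x 128 bytes
    array = bytearray(128 * 128)
    for i, g in enumerate(gpt_types):
        array[i * 128:i * 128 + 16] = g.bytes_le
    return bytes(mbr + hdr + array)


if __name__ == "__main__":
    print(classify(build_sample([0xEE], [ESP_TYPE] + [LINUX_FS] * 5)))
    print(classify(build_sample([0x07, 0x83])))
```

On a real machine the same function can be fed the first 34 sectors of the disk, read with root privileges.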

