[lfs-support] EFI, UEFI and LFS--Complicated, Confusing or Can of Worms
beesnees at grm.net
Wed Oct 30 09:17:58 PDT 2013

As a continuation of the quest I started the other day with learning
about GRUB configuration and my system, I have encountered some
*interesting* information that could, as an extension of logic, have an
impact on building LFS.

In trying to discern whether my new HP Envy has UEFI firmware, I've done
some extensive reading in the last couple of days. The first thing of
which I became aware is that many terms in use these days; e.g., BIOS
System, are uses that aren't quite specific to the actual situation.
More precisely, in terms of booting, the question is, "Does the BIOS use
an MBR partition or EFI partition to boot?"

I have learned that even in UEFI firmware there is an "MBR protected"
area at the beginning of the hard drive. This is for backward
compatibility. I have also learned that GRUB can work in "old,"
"hybrid," or "new" firmware environments. This all depends on where
GRUB puts its "stage 2" files. Of course, when GRUB is configured for
"efi," there are no stage 2 files.

The "indicators" that the firmware is UEFI and that an *actual* GPT
partition is in use are that there exists an EFI partition with a FAT32
file system and that the number of primary partitions is not limited to
four. If a person has Windows installed, one can go to disk management
and look at the volumes. If one is "EFI, healthy," then there is an
actual, not hybrid, GPT partition. If there is no such animal and the
partition table shows only "C:\" which is healthy and has the boot flag
set, it is an MBR partition.

I have also learned that the kernel must be configured with the efi
options turned on. I can't remember their specific names right now, but
I'll note and report when I configure my kernel shortly.

Those are all the "complicated or confusing" things. Now to the
possible can of worms.

It's the signing of kernels and boot loaders. At the start, I must say
that the way around this is to turn off "secure boot" in the BIOS
setup. But, then, some folks may not want to do this. If so, they may
have to deal with this signing stuff. Right now, and I repeat, right
now; i.e., currently, GRUB can be used as a bootloader in a secure
environment, if and only if, there is a signed key. Only Ubuntu and
Fedora have those. There is a way to generate personal keys, but I
haven't learned that yet. I'm just hoping that this stuff doesn't
"progress" to the point at which we, LFS builders, will need them. The
war has already started.

Microsoft can "revoke" any firmware certificate it wants "without
notice." It does this through Windows Update. I don't know how far
this will go, but I'm distressed about it. As long as I don't have to
proceed with secure boot, I'm happy.

Anyway, I just wanted to share what I have discovered. This may lead to
posts like, "I did this and it didn't work. The book needs to be
changed." The implementation of LFS, configuring and installing both
the kernel and GRUB can be successful regardless of how the BIOS boots.
There is a learning curve though. And some of GRUB's building and
installing arguments need to be a little different.
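
The indicators discussed in the post above (a protective MBR at the start of the disk, and an EFI partition in an actual rather than hybrid GPT) can be read straight from the first sectors of a disk. The following is an added example, not part of the original post; it assumes 512-byte sectors, and the function names and the constructed sample image are hypothetical.

```python
import struct, uuid, zlib

SECTOR = 512  # assumed logical sector size (4Kn disks use 4096)
ESP = uuid.UUID("c12a7328-f81f-11d2-ba4b-00a0c93ec93b")  # EFI System Partition type GUID

def mbr_types(lba0):
    """Type bytes of the used primary MBR entries, or None without the 0x55AA signature."""
    if len(lba0) < SECTOR or lba0[510:512] != b"\x55\xaa":
        return None
    return [t for t in (lba0[446 + 16 * i + 4] for i in range(4)) if t]

def gpt_type_guids(image):
    """Type GUIDs of the used GPT entries, or None if LBA 1 holds no valid GPT header."""
    hdr = image[SECTOR:2 * SECTOR]
    if len(hdr) < 92 or hdr[:8] != b"EFI PART":
        return None
    size, crc = struct.unpack_from("<II", hdr, 12)
    start, count, esize = struct.unpack_from("<QII", hdr, 72)
    blank = hdr[:16] + bytes(4) + hdr[20:size]  # CRC is computed with its own field zeroed
    if not 92 <= size <= SECTOR or esize < 128 or zlib.crc32(blank) != crc:
        return None  # stale or corrupt header
    offs = range(start * SECTOR, start * SECTOR + min(count, 128) * esize, esize)  # bounded walk
    raws = (bytes(image[o:o + 16]) for o in offs)
    return [uuid.UUID(bytes_le=r) for r in raws if len(r) == 16 and any(r)]

def classify(image):
    """Return (scheme, has_esp); scheme is 'none', 'mbr', 'gpt' or 'hybrid'."""
    types = mbr_types(image[:SECTOR])
    if types is None:
        return ("none", False)
    guids = gpt_type_guids(image) if 0xEE in types else None
    if guids is None:
        return ("mbr", 0xEF in types)  # 0xEF marks an ESP in an MBR table
    return ("gpt" if types == [0xEE] else "hybrid", ESP in guids)

def sample_image(mbr, guids=None):
    """Constructed test disk: MBR type bytes plus, optionally, a GPT with these type GUIDs."""
    img = bytearray(34 * SECTOR)
    for i, t in enumerate(mbr):
        img[446 + 16 * i + 4] = t
    img[510:512] = b"\x55\xaa"
    if guids is not None:
        hdr = bytearray(struct.pack("<8sII", b"EFI PART", 0x10000, 92) + bytes(76))
        struct.pack_into("<QII", hdr, 72, 2, 128, 128)
        struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)))
        img[SECTOR:SECTOR + 92] = hdr
        for i, g in enumerate(guids):
            img[1024 + 128 * i:1040 + 128 * i] = g.bytes_le
    return bytes(img)
```

On a real system, `classify` takes the first 34 sectors of the disk, which normally requires root to read.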