
UEFI On Linux Is Like A Pathogen


  • #31
    So you think that UEFI with GRUB 2 is so bad? acritox even managed to create GRUB 2 hybrid images which boot on a standard PC and have got a special Mac partition as well. Look there:

    http://kanotix.acritox.com

    Just never try to name the partition used for EFI as EFI, that will fail...



    • #32
      Yes. Yes it is. I'm not sure why you think that's anything particularly revolutionary, Fedora can build live images with the same capabilities.



      • #33
        Well, they add one extra feature: you can enable persistent mode on a hybrid live image. That trick requires some patching of libparted, however, because it does not really like to parse that kind of Mac partition table first.



        • #34
          A tool is as good or evil as the way it is used (Remember mr. A. Nobel??)

          (Just to light up an old thread and throw some kerosene on the fire...)

          Any tool can be used and changed for good or evil, it depends entirely on the user.

          "First they came for the BIOS,
          and I didn't speak out, because I can still boot my OS.[1]
          Then they came with Secure boot,
          and I didn't speak out, because I don't use unsigned device drivers.[2]
          Then they came with Secure boot Next Generation,
          and I didn't speak out, because I don't use pirated or 'alternative' OSes.[3]
          Then they came for me,
          and there wasn't anyone left to speak out for me.[4]"

          [1]: Yeah, Linux can boot fine from UEFI, so let's lean back and relax.
          [2]: Well, Fedora has a signing key, so if you really wanna Linux, just use 'The Hat', then. Anyway, I can still disable Secure boot, so why should I care?
          [3]: Who would want to run Linux, anyway? Windows rulezz!
          [4]: Ow Sh*t, now my friends can't voice their dissent on the intarwebs, 'cause that's all being automatically muffled and/or reported to Big Brother by the Gov't-mandated FSG (Free Speech Gagging) monitoring and filtering tools mandatorily installed on their computers. Damn!

          /sarcasm off
          Last edited by ack006; 20 June 2012, 07:26 PM.



          • #35
            Have you got a system with UEFI support? I have got 2 now and I really like it, you can get rid of GRUB, now I even know that you can boot with an initrd - you can specify that via efibootmgr like this:
            Code:
            efibootmgr -c -d /dev/md126 -p 1 -l '\EFI\KANOTIX\linux.efi' -L 'Kanotix 64 GFX' -u 'initrd=EFI\KANOTIX\initrd.img root=/dev/md126p4 rw gfx=on quiet splash'
            As you see, this example is not just using a single drive but an Intel RAID (RAID 0 with 2x200 GB for testing) via mdadm, and it works. With kernel 3.5 there is a problem that you cannot use rdev anymore to force the root partition. So the minimal entry without an initrd (you cannot use a UUID without one) is now like this:
            Code:
            efibootmgr -c -d /dev/sda -p 3 -l '\EFI\KANOTIX\linux.efi' -L 'Kanotix 64 Pure' -u 'root=/dev/sda2'
            Of course you can use GRUB 2 too, but I experienced problems with GRUB 1.99, which is still in Debian. It was not possible to install GRUB 1.99 onto my RAID 0. Then I compiled GRUB 2 bzr (will be GRUB 2.00 later) and it worked, but basically you don't need GRUB at all. You can directly copy a kernel with EFI stub support and, if needed, an initrd to a primary FAT partition (if you use MBR) or just any FAT partition (if you use GPT) and use efibootmgr to add a menu entry for the integrated boot selection menu in the UEFI setup. This is a very tricky way to get dual boot when you have got a Win 7/8 UEFI install on the same HD. You can of course reuse the EFI partition which is already there, but it is pretty small if Win 7 was installed. I had size problems when I compiled a custom kernel until I disabled debugging; the partition is only 100 MB in that case.

            Of course using UEFI to boot does not enhance security - you cannot change boot options until you change the boot manager entry, but you can often run the EFI shell even from external USB storage devices - for debugging I would even add it to the EFI partition. The FAT partition is certainly unprotected as it cannot be encrypted. Basically, even if it were possible to use secure booting for Linux, I do not think it will enhance security at all. Not even for Win (until you use encryption maybe) - when you think about it, it will be clear. You can at least boot official MS boot media with Win8, but that allows you to use a console (Shift-F10). A console is enough to manipulate files on the HD and therefore you could change whatever you like or just copy what you want without removing the HD from the system (and without any valid login). I don't think that it matters if the live media used is Linux or Win based...
            Last edited by Kano; 20 June 2012, 08:18 PM.
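The boot manager entries created with efibootmgr in post #35 are stored as EFI_LOAD_OPTION structures, and the following added example (not code from the thread) decodes one and compares it with a recorded baseline so that a changed loader path or kernel command line is noticed. The helper names and sample bytes are constructed for illustration, the sample omits the HD() device path node that a real entry carries, and the arguments are assumed to be UCS-2 as written by `-u`.

```python
import struct

def build_load_option(label, loader, cmdline):
    """Constructed sample EFI_LOAD_OPTION (hypothetical helper, no HD() node)."""
    path = loader.encode("utf-16-le") + b"\x00\x00"
    # Media device path (type 0x04) File Path node (subtype 0x04), then End node.
    nodes = struct.pack("<BBH", 0x04, 0x04, 4 + len(path)) + path
    nodes += struct.pack("<BBH", 0x7F, 0xFF, 4)
    desc = label.encode("utf-16-le") + b"\x00\x00"
    # Attributes 0x1 = LOAD_OPTION_ACTIVE; -u stores the arguments as UCS-2.
    return (struct.pack("<IH", 1, len(nodes)) + desc + nodes
            + cmdline.encode("utf-16-le"))

def parse_load_option(blob):
    """Return (label, loader_path, cmdline) decoded from a raw EFI_LOAD_OPTION."""
    _attrs, path_len = struct.unpack_from("<IH", blob, 0)
    end = 6
    while blob[end:end + 2] != b"\x00\x00":   # description is NUL-terminated UCS-2
        end += 2
        if end >= len(blob):
            raise ValueError("unterminated description")
    label = blob[6:end].decode("utf-16-le")
    nodes = blob[end + 2:end + 2 + path_len]
    optional = blob[end + 2 + path_len:]
    loader, pos = None, 0
    while pos + 4 <= len(nodes):
        ntype, sub, nlen = struct.unpack_from("<BBH", nodes, pos)
        if nlen < 4:
            raise ValueError("corrupt device path node")
        if (ntype, sub) == (0x04, 0x04):
            loader = nodes[pos + 4:pos + nlen].decode("utf-16-le").rstrip("\x00")
        if ntype == 0x7F:
            break
        pos += nlen
    return label, loader, optional.decode("utf-16-le").rstrip("\x00")

def diff_entry(blob, expected):
    """Map each field that differs from the baseline to (expected, found)."""
    got = dict(zip(("label", "loader", "cmdline"), parse_load_option(blob)))
    return {k: (expected[k], got[k]) for k in got if got[k] != expected[k]}

# Constructed sample mirroring the second efibootmgr command in the post.
BASELINE = {"label": "Kanotix 64 Pure", "loader": r"\EFI\KANOTIX\linux.efi",
            "cmdline": "root=/dev/sda2"}
SAMPLE = build_load_option(BASELINE["label"], BASELINE["loader"], BASELINE["cmdline"])
CHANGED = build_load_option(BASELINE["label"], BASELINE["loader"], "root=/dev/sda3")
```

On a running system the same bytes are found in the Boot#### files under /sys/firmware/efi/efivars, after skipping the 4-byte attribute prefix that efivarfs puts in front of the variable data.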



            • #36
              Originally posted by Kano
              Have you got a system with UEFI support? I have got 2 now and I really like it, you can get rid of GRUB, now I even know that you can boot with an initrd - you can specify that via efibootmgr like this:
              Code:
              efibootmgr -c -d /dev/md126 -p 1 -l '\EFI\KANOTIX\linux.efi' -L 'Kanotix 64 GFX' -u 'initrd=EFI\KANOTIX\initrd.img root=/dev/md126p4 rw gfx=on quiet splash'
              As you see, this example is not just using a single drive but an Intel RAID (RAID 0 with 2x200 GB for testing) via mdadm, and it works. With kernel 3.5 there is a problem that you cannot use rdev anymore to force the root partition. So the minimal entry without an initrd (you cannot use a UUID without one) is now like this:
              Code:
              efibootmgr -c -d /dev/sda -p 3 -l '\EFI\KANOTIX\linux.efi' -L 'Kanotix 64 Pure' -u 'root=/dev/sda2'
              Of course you can use GRUB 2 too, but I experienced problems with GRUB 1.99, which is still in Debian. It was not possible to install GRUB 1.99 onto my RAID 0. Then I compiled GRUB 2 bzr (will be GRUB 2.00 later) and it worked, but basically you don't need GRUB at all. You can directly copy a kernel with EFI stub support and, if needed, an initrd to a primary FAT partition (if you use MBR) or just any FAT partition (if you use GPT) and use efibootmgr to add a menu entry for the integrated boot selection menu in the UEFI setup. This is a very tricky way to get dual boot when you have got a Win 7/8 UEFI install on the same HD. You can of course reuse the EFI partition which is already there, but it is pretty small if Win 7 was installed. I had size problems when I compiled a custom kernel until I disabled debugging; the partition is only 100 MB in that case.

              Of course using UEFI to boot does not enhance security - you cannot change boot options until you change the boot manager entry, but you can often run the EFI shell even from external USB storage devices - for debugging I would even add it to the EFI partition. The FAT partition is certainly unprotected as it cannot be encrypted. Basically, even if it were possible to use secure booting for Linux, I do not think it will enhance security at all. Not even for Win (until you use encryption maybe) - when you think about it, it will be clear. You can at least boot official MS boot media with Win8, but that allows you to use a console (Shift-F10). A console is enough to manipulate files on the HD and therefore you could change whatever you like or just copy what you want without removing the HD from the system (and without any valid login). I don't think that it matters if the live media used is Linux or Win based...

              Wow, cool! I've learned some stuff about EFI, not this much though. So thanks very much!

              I think part of the frustration some people have with EFI stems from stupid design of the control of EFI vs legacy BIOS in some mainboards.

              Example: I have an ASUS miniITX socket 1155 board with UEFI and a legacy BIOS mode, and I have an ASUS uATX socket 2011 board with UEFI and a legacy BIOS mode.

              On the miniITX board if I set the boot to be a UEFI device then the board retains that setting - when I was learning about dual booting Lin+Win using UEFI on that board I made lots of mistakes and got lots of bad installs and boot fails but the board stayed in UEFI mode.

              With the socket 2011 board, if set to BIOS boot and boot fails, then it flips to UEFI mode. *Silently flips to UEFI mode!* Under some circumstances if a UEFI boot fails it flips to BIOS mode, under other circumstances it does not flip. So each successive OS installer would think the disk had a GPT table but was BIOS booted, or the opposite, or had a GPT table with missing fake-FAT table, or might be perfectly happy! Further, the way to tell it to operate in BIOS mode is very very obscure: the manual does not call it "Legacy BIOS mode", but some euphemism, and in the firmware screens the legacy BIOS mode is named using a different euphemism. Its firmware behaves as if it contains a random-number based BIOS to/from UEFI mode flipper. Ultimately I figured out how to BIOS boot the thing and I use GRUB on the MBR. Life is great.

              The socket 2011 board is a high end board, expensive, and I know a thing or two about dual booting on UEFI, but it was unworkable in UEFI mode.

              I've only used two UEFI boards so far. If there are only 10 percent of boards that act like my second, schizophrenic, board - well that's enough to give UEFI a bad name through the grapevine.



              • #37
                Maybe you think too complicated. If you only want to boot in BIOS mode without a RAID setup, you could even force GRUB installed in the protective MBR (of a GPT disk). That's not the nice way and requires an override switch, but it would work. When a disk was used in GPT mode and you want to use MBR mode, you should know that some tools still detect GPT, as it is stored twice, at the beginning and the end of the disk, and give out a warning. If you use an SSD, the fastest way is to use secure erase to destroy all data. I only installed Kanotix and no other distribution, but as GRUB 1.99 has got serious issues in my test case (OK, RAID is not that simple) I just added the boot code manually later. Best: do NOT rely on OS installers. I guess I know your mistake. You partitioned your disk in GPT mode and booted your OS (which might have got EFI support) in MBR mode. That leads to the use of GRUB in BIOS mode, but as I wrote first, that would require a force mode to install and that usually fails. Basically it is simple to boot a boot media in EFI mode: you use quick boot selection and select the one with the UEFI: prefix. Kanotix has got no automatic grub-efi installer support, therefore I prefer the manual way.
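Post #37 notes that GPT is stored twice, at the beginning and the end of the disk, which is why a disk repartitioned as MBR can still be reported as GPT. The following added example (not code from the thread) checks a raw disk image for the protective MBR and both GPT header copies and names the resulting state; the function names, the 512-byte sector size and the 8-sector sample images are constructed assumptions, and the backup header is assumed to sit in the final sector.

```python
import struct, zlib

SECTOR = 512  # assumed logical sector size (4Kn disks differ)

def gpt_header(my_lba, alt_lba):
    """Constructed minimal GPT header sector with a valid header CRC32."""
    hdr = bytearray(struct.pack("<8sIIIIQQ", b"EFI PART", 0x00010000, 92, 0, 0,
                                my_lba, alt_lba).ljust(92, b"\x00"))
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)))
    return bytes(hdr).ljust(SECTOR, b"\x00")

def mbr_sector(ptype):
    """Constructed MBR whose first partition entry has the given type byte."""
    mbr = bytearray(SECTOR)
    mbr[446 + 4] = ptype
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

def valid_gpt_header(sector):
    """True if the sector has the GPT signature and a matching header CRC32."""
    if len(sector) < 92 or sector[:8] != b"EFI PART":
        return False
    size, crc = struct.unpack_from("<II", sector, 12)
    if not 92 <= size <= len(sector):
        return False
    hdr = bytearray(sector[:size])
    hdr[16:20] = b"\x00" * 4   # the CRC is computed with its own field zeroed
    return zlib.crc32(bytes(hdr)) == crc

def classify(img):
    """Name the partition-table structures a raw disk image (bytes) still carries."""
    mbr = img[:SECTOR]
    signed = mbr[510:512] == b"\x55\xaa"
    types = [mbr[446 + 16 * i + 4] for i in range(4)] if signed else []
    protective = 0xEE in types   # 0xEE marks the protective MBR of a GPT disk
    found = [name for name, sec in (("primary", img[SECTOR:2 * SECTOR]),
                                    ("backup", img[-SECTOR:]))
             if valid_gpt_header(sec)]
    if protective:
        return "gpt" if len(found) == 2 else "damaged-gpt:" + ("+".join(found) or "none")
    if found:
        return "stale-gpt:" + "+".join(found)
    return "mbr" if any(types) else "empty"

def image(mbr, primary, backup, sectors=8):
    """Assemble a constructed image; None leaves that header sector zeroed."""
    blank = bytes(SECTOR)
    return mbr + (primary or blank) + blank * (sectors - 3) + (backup or blank)
```

A result of `stale-gpt:backup` is the case described in the post: the start of the disk was rewritten as MBR while the second GPT copy at the end survived.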
