| 1 |
On Tue, 1 Oct 2019 at 16:19, Peter Humphrey <peter@××××××××××××.uk> wrote: |
| 2 |
> |
| 3 |
> On Tuesday, 1 October 2019 15:32:27 BST Mick wrote: |
| 4 |
> > On Tue, 1 Oct 2019 at 13:18, Mick <michaelkintzios@×××××.com> wrote: |
| 5 |
> > > When using Secure Boot the UEFI firmware check the binaries to be |
| 6 |
> > > loaded have been signed by Microsoft. The 'SHA256 verified' message |
| 7 |
> > > indicates the systemd-boot binary is signed using a key which is |
| 8 |
> > > ultimately signed by Microsoft and is contained in the whitelist |
| 9 |
> > > (MokList). If the verification failed I think it would spit something |
| 10 |
> > > back to allow you to enrol a valid hash or key. |
| 11 |
> > |
| 12 |
> > Scratch that - the message itself is a debug message following an |
| 13 |
> > early SHA-256 implementation self-test[1] before the systemd provided |
| 14 |
> > random seed file is loaded. All the Secure Boot signature checks that |
| 15 |
> > follow will utilise the random seed file systemd provides. |
| 16 |
> > |
| 17 |
> > [1] |
| 18 |
> > https://github.com/systemd/systemd/blob/4c858c6fd5d588b30d9851bb576520e74b0 |
| 19 |
> > 41739/src/boot/efi/random-seed.c#L172 |
| 20 |
> |
| 21 |
> Okay, thanks. |
| 22 |
> |
| 23 |
> [I hope I've been clear enough in what follows :) ] |
| 24 |
> |
| 25 |
> Yet another attempt. I've repartitioned the disk without the unformatted |
| 26 |
> partition, as in Neil's usual scheme; deleted all boot entries using |
| 27 |
> efibootmgr; allowed the UEFI BIOS to set itself up again; and run 'bootctl |
| 28 |
> update' to copy the latest kernel into place. |
| 29 |
> |
| 30 |
> Then, bootctl status shows this: |
| 31 |
> Default Boot Loader Entry: |
| 32 |
> title: Gentoo TestSys 4.19.72 (no network) |
| 33 |
> id: 92-testsys-4.19.72.nonet |
| 34 |
> source: /boot/loader/entries/92-testsys-4.19.72.nonet.conf |
| 35 |
> linux: /vmlinuz-4.19.72-gentoo-testsys |
| 36 |
> options: root=/dev/sda4 initrd=/intel-uc.img net.ifnames=0 softlevel=nonetwork |
| 37 |
> |
| 38 |
> That's supposed to be a secondary entry, not the primary, so I tried to set a |
| 39 |
> different default. Man bootctl includes this: |
| 40 |
> set-default ID, set-oneshot ID |
| 41 |
> Sets the default boot loader entry. Takes a single boot loader entry ID |
| 42 |
> string as argument. The set-oneshot command will set the default entry only |
| 43 |
> for the next boot, the set-default will set it persistently for all future |
| 44 |
> boots. |
| 45 |
> |
| 46 |
> bootctl list output includes this entry: |
| 47 |
> title: Gentoo Linux 4.19.72 |
| 48 |
> id: 30-gentoo-4.19.72 |
| 49 |
> source: /boot/loader/entries/30-gentoo-4.19.72.conf |
| 50 |
> linux: /vmlinuz-4.19.72-gentoo |
| 51 |
> options: root=/dev/nvme0n1p4 initrd=/intel-uc.img net.ifnames=0 |
| 52 |
> |
| 53 |
> That's the one I want to set as default, but then: |
| 54 |
> # bootctl set-default 30-gentoo-4.19.72 |
| 55 |
> Failed to update EFI variable: Invalid argument |
| 56 |
> |
| 57 |
> What is this ID supposed to be, if not the ID shown by bootctl list? Oh, and |
| 58 |
> efivars is mounted rw, of course. |
| 59 |
|
| 60 |
I admire your patience! I would have moved on to some other boot |
| 61 |
manager a long time ago. :-) |
| 62 |
|
| 63 |
As I understand it this ID must be the ID bootctl itself reports. |
| 64 |
However, earlier bootctl versions do not have this set-default ID |
| 65 |
subcommand. If you run bootctl with no arguments does it show up? |
| 66 |
|
| 67 |
> Bootctl and efibootmgr seem to operate orthogonally, at least in some |
| 68 |
> respects, which doesn't help me to uderstand what's going on. |
| 69 |
|
| 70 |
If you follow the UEFI spec and store one kernel per EFI/ |
| 71 |
subdirectory, the UEFI firmware will pick them up on its own and the |
| 72 |
efibootmgr will list them. |
| 73 |
|
| 74 |
I would think bootctl will also pick them up and add them in its own menu. |
| 75 |
|
| 76 |
If you use a suitable alphanumeric nomenclature to elevate the |
| 77 |
subdirectory of your kernel of choice, it should be selected as the |
| 78 |
default (hopefully). |
| 79 |
|
| 80 |
Meanwhile, assuming you have set the systemd-boot timeout to a value |
| 81 |
greater than 0, you could try pressing 'd' after you move the cursor |
| 82 |
to the desired kernel image. I think it sets the selected image as a |
| 83 |
default, but I don't have a systemd-boot available to see if it merely |
| 84 |
boots the existing default setting. |
| 85 |
-- |
| 86 |
Regards, |
| 87 |
Mick |
Archives