On Tuesday, 1 October 2019 15:32:27 BST Mick wrote:
> On Tue, 1 Oct 2019 at 13:18, Mick <michaelkintzios@×××××.com> wrote:
> > When using Secure Boot the UEFI firmware checks the binaries to be
> > loaded have been signed by Microsoft. The 'SHA256 verified' message
> > indicates the systemd-boot binary is signed using a key which is
> > ultimately signed by Microsoft and is contained in the whitelist
> > (MokList). If the verification failed I think it would spit something
> > back to allow you to enrol a valid hash or key.
>
> Scratch that - the message itself is a debug message following an
> early SHA-256 implementation self-test[1] before the systemd provided
> random seed file is loaded. All the Secure Boot signature checks that
> follow will utilise the random seed file systemd provides.
>
> [1] https://github.com/systemd/systemd/blob/4c858c6fd5d588b30d9851bb576520e74b041739/src/boot/efi/random-seed.c#L172

Okay, thanks.

[I hope I've been clear enough in what follows :) ]

Yet another attempt. I've repartitioned the disk without the unformatted
partition, as in Neil's usual scheme; deleted all boot entries using
efibootmgr; allowed the UEFI BIOS to set itself up again; and run 'bootctl
update' to copy the latest kernel into place.

Then, bootctl status shows this:

   Default Boot Loader Entry:
          title: Gentoo TestSys 4.19.72 (no network)
             id: 92-testsys-4.19.72.nonet
         source: /boot/loader/entries/92-testsys-4.19.72.nonet.conf
          linux: /vmlinuz-4.19.72-gentoo-testsys
        options: root=/dev/sda4 initrd=/intel-uc.img net.ifnames=0 softlevel=nonetwork

That's supposed to be a secondary entry, not the primary, so I tried to set a
different default. Man bootctl includes this:

   set-default ID, set-oneshot ID
       Sets the default boot loader entry. Takes a single boot loader entry ID
       string as argument. The set-oneshot command will set the default entry only
       for the next boot, the set-default will set it persistently for all future
       boots.

bootctl list output includes this entry:

          title: Gentoo Linux 4.19.72
             id: 30-gentoo-4.19.72
         source: /boot/loader/entries/30-gentoo-4.19.72.conf
          linux: /vmlinuz-4.19.72-gentoo
        options: root=/dev/nvme0n1p4 initrd=/intel-uc.img net.ifnames=0

That's the one I want to set as default, but then:

   # bootctl set-default 30-gentoo-4.19.72
   Failed to update EFI variable: Invalid argument

What is this ID supposed to be, if not the ID shown by bootctl list? Oh, and
efivars is mounted rw, of course.

Bootctl and efibootmgr seem to operate orthogonally, at least in some
respects, which doesn't help me to understand what's going on.

--
Regards,
Peter.
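The "Failed to update EFI variable" error above comes from bootctl trying to write the entry ID into an EFI variable. What `bootctl set-default` and `set-oneshot` actually store is a plain UTF-16LE string in the variables `LoaderEntryDefault` and `LoaderEntryOneShot` under the systemd-boot vendor GUID `4a67b082-0a4c-41cf-b6c7-440b29bb8c4f`, which efivarfs exposes as files whose first four bytes are the variable's attribute mask. The script below is an added example, not code from the thread or from systemd: it decodes and encodes that on-disk image so you can see what the loader currently has recorded, independently of bootctl, and what bytes a successful `set-default` would have had to write. The sample image it builds is constructed from the entry ID in the mail; the `read_loader_entry` and `list_loader_variables` helpers only touch `/sys/firmware/efi/efivars` when run on a real UEFI machine (as root), and return nothing otherwise.

```python
"""Decode/encode the systemd-boot LoaderEntry* EFI variables as stored in efivarfs.

efivarfs exposes each variable as a file: 4 bytes little-endian attribute mask,
then the payload. systemd-boot stores its Loader* strings as NUL-terminated
UTF-16LE. Added example for the mailing-list thread; not systemd's own code.
"""
import os
import struct
from typing import List, Optional, Tuple

SYSTEMD_BOOT_VENDOR_GUID = "4a67b082-0a4c-41cf-b6c7-440b29bb8c4f"
EFIVARS_DIR = "/sys/firmware/efi/efivars"

# UEFI variable attribute bits (UEFI spec, SetVariable()).
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4
LOADER_ATTRS = (EFI_VARIABLE_NON_VOLATILE
                | EFI_VARIABLE_BOOTSERVICE_ACCESS
                | EFI_VARIABLE_RUNTIME_ACCESS)


def efivar_path(name: str, guid: str = SYSTEMD_BOOT_VENDOR_GUID) -> str:
    """efivarfs file name is <VariableName>-<VendorGUID>."""
    return os.path.join(EFIVARS_DIR, f"{name}-{guid}")


def decode_efivar_string(raw: bytes) -> Tuple[int, str]:
    """Split an efivarfs file image into (attribute mask, decoded string).

    The string is cut at the first NUL, which is how systemd-boot terminates it.
    """
    if len(raw) < 4:
        raise ValueError("efivarfs image shorter than the 4-byte attribute header")
    attrs = struct.unpack("<I", raw[:4])[0]
    payload = raw[4:]
    if len(payload) % 2:
        raise ValueError("UTF-16LE payload has odd length")
    return attrs, payload.decode("utf-16-le").split("\x00", 1)[0]


def encode_efivar_string(text: str, attrs: int = LOADER_ATTRS) -> bytes:
    """Build the byte image a write to the efivarfs file must contain."""
    return struct.pack("<I", attrs) + (text + "\x00").encode("utf-16-le")


def read_loader_entry(name: str = "LoaderEntryDefault") -> Optional[str]:
    """Return the entry ID systemd-boot currently has in `name`, or None if unset."""
    path = efivar_path(name)
    if not os.path.exists(path):
        return None
    with open(path, "rb") as f:
        _, value = decode_efivar_string(f.read())
    return value or None


def list_loader_variables() -> List[str]:
    """Names of every variable under the systemd-boot vendor GUID (Loader*, LoaderEntry*)."""
    suffix = "-" + SYSTEMD_BOOT_VENDOR_GUID
    try:
        names = os.listdir(EFIVARS_DIR)
    except FileNotFoundError:
        return []
    return sorted(n[: -len(suffix)] for n in names if n.endswith(suffix))


if __name__ == "__main__":
    # Constructed sample: the image bootctl would write for the entry ID from the mail.
    sample = encode_efivar_string("30-gentoo-4.19.72")
    print("image bytes:", sample.hex())
    print("decoded    :", decode_efivar_string(sample))
    # Live view; only meaningful on a UEFI system booted with systemd-boot, as root.
    print("loader vars:", list_loader_variables())
    for var in ("LoaderEntryDefault", "LoaderEntryOneShot"):
        print(var, "=", read_loader_entry(var))
```

Comparing `read_loader_entry("LoaderEntryDefault")` before and after a `bootctl set-default` run shows whether the write reached the firmware at all; if the file exists, the first four decoded bytes are the attribute mask the variable was originally created with, which is worth comparing against `LOADER_ATTRS` before assuming the ID string itself is the problem.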