• Re: UEFI multiboot

    From gene heskett@21:1/5 to Jeffrey Walton on Tue Aug 20 22:20:01 2024
    On 8/20/24 12:29, Jeffrey Walton wrote:
    On Tue, Aug 20, 2024 at 11:51 AM Nicolas George <[email protected]> wrote:

    [...]
    EFI files are signed
    for Secure Boot, so vendor paths can not be easily adjusted.

    Secure boot is a joke when it comes to security, its only “merit” is to prevent lusers from installing software with disabled DRM.

    Speaking of Secure Boot, this just made my radar: <https://www.schneier.com/blog/archives/2024/07/compromising-the-secure-boot-process.html>.

    Jeff

    And proves the point, that all this bs is for naught if enough salary is
    paid to the right people.

    Cheers, Gene Heskett, CET.
    --
    "There are four boxes to be used in defense of liberty:
    soap, ballot, jury, and ammo. Please use in that order."
    -Ed Howdershelt (Author, 1940)
    If we desire respect for the law, we must first make the law respectable.
    - Louis D. Brandeis

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Felix Miata@21:1/5 to All on Wed Aug 21 06:30:01 2024
    Max Nikulin composed on 2024-08-21 10:54 (UTC+0700):

    I was experimenting trying to get 2
    entries from the same vendor in the UEFI (firmware) boot menu and found
    it tricky and inconvenient.

    How so? I found it quite simple to edit /etc/default/grub and replace the default
    value of GRUB_DISTRIBUTOR= to some unique string, e.g. "trixie" or "debian12", then update Grub before doing second installation. What else did you find necessary?
    --
    Evolution as taught in public schools is, like religion,
    based on faith, not based on science.

    Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!

    Felix Miata

  • From Nicolas George@21:1/5 to As I on Wed Aug 21 08:50:01 2024
    Max Nikulin (12024-08-21):
    Do you mean 3rd party bootloader (e.g. grub)?

    There is nothing “3rd party” about GRUB.

    I was responding to "AIUI
    UEFI/GPT were designed to support multi-boot".

    Yes, and so was I. If you want half a dozen different GRUBs configured
    for half a dozen installed distros, it is possible. Completely useless
    because:

    Custom configuration of grub
    (earlier lilo) was possible before UEFI and GPT.

    … and more convenient. But it is possible.

    Erwan posted directory tree for debian+ubuntu ESP, but it is a case of different vendors. Richard wants 2 variants of Debian (however UEFI may be irrelevant to that machine).

    As I said, perfectly possible.

    I was experimenting trying to get 2 entries
    from the same vendor in the UEFI (firmware) boot menu and found it tricky
    and inconvenient.

    “Tricky and inconvenient” ≠ “impossible”

    --
    Nicolas George

  • From Joe@21:1/5 to Nicolas George on Wed Aug 21 09:20:01 2024
    On Wed, 21 Aug 2024 08:45:05 +0200
    Nicolas George <[email protected]> wrote:

    Max Nikulin (12024-08-21):
    Do you mean 3rd party bootloader (e.g. grub)?

    There is nothing “3rd party” about GRUB.

    I was responding to "AIUI
    UEFI/GPT were designed to support multi-boot".

    Yes, and so was I. If you want half a dozen different GRUBs configured
    for half a dozen installed distros, it is possible. Completely useless because:

    Custom configuration of grub
    (earlier lilo) was possible before UEFI and GPT.

    … and more convenient. But it is possible.

    Erwan posted directory tree for debian+ubuntu ESP, but it is a case
    of different vendors. Richard wants 2 variants of Debian (however
    UEFI may be irrelevant to that machine).

    As I said, perfectly possible.

    I was experimenting trying to get 2 entries
    from the same vendor in the UEFI (firmware) boot menu and found it
    tricky and inconvenient.

    “Tricky and inconvenient” ≠ “impossible”


    Not all UEFI firmware is equal. I have an Acer netbook which does not
    honour DefaultBoot. When cold booted, it always boots to the Windows
    drive and resets that as the default boot. Fortunately, it can be
    overridden by a USB stick. It does honour NextBoot, so I have a script
    which sets NextBoot to grub on each Linux boot, and I carry a Debian
    rescue USB for the odd occasion when I have to use Windows.

    --
    Joe
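
A sketch of the kind of script the post describes, added here as an example (it is not Joe's script): it looks up a boot entry by label in `efibootmgr` output and sets the one-shot BootNext variable with `efibootmgr -n`. The label `debian` in the usage comment and the embedded sample listing are constructed, and the parser assumes the label is followed by a tab, a space or end of line.

```sh
#!/bin/sh
# Added example: point the one-shot BootNext variable at an entry chosen by label.

# Constructed sample in the shape of `efibootmgr` output (device paths shortened).
sample_efibootmgr() {
    cat <<'EOF'
BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0000,0004,0003,0002
Boot0000* opensusetw HD(1,GPT,<...>,0x800,0xa0000)/File(\EFI\opensusetw\grubx64.efi)
Boot0002* UEFI OS HD(1,GPT,<...>,0x800,0xa0000)/File(\EFI\BOOT\BOOTX64.EFI)
Boot0003* CD/DVD Drive BBS(CDROM,,0x0)
EOF
}

# find_boot_entry LABEL: read efibootmgr output on stdin and print the
# four-digit hex number of the first entry whose label is LABEL.
# Exit status is 1 if no entry carries that label.
find_boot_entry() {
    awk -v want="$1" '
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][* ] / {
            num   = substr($0, 5, 4)     # hex digits after "Boot"
            rest  = substr($0, 11)       # label, then possibly a device path
            tab   = index(rest, "\t")
            label = tab ? substr(rest, 1, tab - 1) : rest
            # Without a tab (e.g. text pasted from a mail) also accept
            # LABEL followed by a space; this is a prefix match.
            if (label == want || (!tab && index(rest, want " ") == 1)) {
                print num
                found = 1
                exit
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# set_boot_next LABEL: needs root and a system booted via UEFI.
set_boot_next() {
    id=$(efibootmgr | find_boot_entry "$1") || {
        echo "no UEFI boot entry labelled '$1'" >&2
        return 1
    }
    efibootmgr -n "$id" >/dev/null   # -n / --bootnext: next boot only
}

# Typical use from a boot-time unit (the label is an assumption):
#   set_boot_next debian
```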

  • From Nicolas George@21:1/5 to All on Wed Aug 21 19:40:02 2024
    Max Nikulin (12024-08-21):
    Have I missed something or GRUB_DISTRIBUTOR affects *grub* menu, but not *UEFI* boot menu?

    Indeed, it is not just as simple as that.

    I still suspect it is a UEFI+SecureBoot design
    shortcoming that it is not possible to install the same loader (the same vendor) on the same ESP twice with different configurations.

    --bootloader-id=ID
    the ID of bootloader. This option is only available on EFI and
    Macs.

    It is as simple as this.

    --
    Nicolas George

  • From Felix Miata@21:1/5 to Do we know that the update-grub com on Thu Aug 22 00:30:01 2024
    Max Nikulin composed on 2024-08-21 23:17 (UTC+0700):

    Felix Miata wrote:

    Max Nikulin composed on 2024-08-21 10:54 (UTC+0700):

    I was experimenting trying to get 2
    entries from the same vendor in the UEFI (firmware) boot menu and found
    it tricky and inconvenient.

    How so? I found it quite simple to edit /etc/default/grub and replace the default
    value of GRUB_DISTRIBUTOR= to some unique string, e.g. "trixie" or "debian12",
    then update Grub before doing second installation. What else did you find necessary?

    Have I missed something or GRUB_DISTRIBUTOR affects *grub* menu, but not *UEFI* boot menu?

    Your language as I quoted above I interpreted to mean:

    1-you wish 2 entries from same vendor in BBS menu
    2-you are not directly or ATM concerned with any Grub menu

    Here's how multiboot configuration goes on just one of mine:
    # inxi -S
    System:
    Host: ab85m Kernel: 6.9.7-1-default arch: x86_64 bits: 64
    Console: pty pts/0 Distro: openSUSE Tumbleweed 20240820
    # mount | grep -i vfat
    /dev/sda1 on /boot/efi type vfat (rw,relatime...
    # dmidecode | grep -i efi
    UEFI is supported
    # efibootmgr
    BootCurrent: 0000
    Timeout: 1 seconds
    BootOrder: 0000,0004,0003,0002
    Boot0000* opensusetw HD(1,GPT,<...>,0x800,0xa0000)/File(\EFI\opensusetw\grubx64.efi)
    Boot0002* UEFI OS HD(1,GPT,<...>,0x800,0xa0000)/File(\EFI\BOOT\BOOTX64.EFI)
    Boot0003* CD/DVD Drive BBS(CDROM,,0x0)0000474f00004e4f7f000000010000004f00440052...
    Boot0004* Hard Drive BBS(HD,,0x0)0000474f00004e4f81000000010000004f00540045004...
    # grep UTOR /etc/default/grub
    GRUB_DISTRIBUTOR="opensusetw"
    # tree /boot/efi/
    /boot/efi/
    ├── EFI
    │   ├── BOOT
    │   │   ├── BOOTX64.EFI
    │   │   └── mt74x64.efi
    │   └── opensusetw
    │       └── grubx64.efi
    ├── MemTest86.log
    ├── MemTest86-Report-20200216-223015.html
    ├── mt74x64.efi
    └── mt83x64.efi

    4 directories, 7 files
    # lsblk -f | grep deb
    ├─sda7 ext4 1.0 tg1p07stw c9b0...701a 1G 82% /disks/stw
    ├─sda9 ext4 1.0 tg1p09deb12 87b9...8adc 606.5M 88% /disks/deb12
    ├─sda13 ext4 1.0 tg1p13deb13 a5d4...ceb0 2.9G 58% /disks/deb13
    ├─sda17 ext4 1.0 tg1p17deb11 5be1...5084 675.4M 87% /disks/deb11
    # ls -gG /boot/grub2/custom.cfg
    -rwxr-xr-x 1 6796 Aug 5 00:03 /boot/grub2/custom.cfg
    #
    <system restart>
    # inxi -S
    System:
    Host: ab85m Kernel: 6.9.12-amd64 arch: x86_64 bits: 64
    Desktop: TDE (Trinity) v: R14.1.3~[DEVELOPMENT] Distro: Debian GNU/Linux trixie/sid
    # mount | grep -i vfat
    # dmidecode | grep -i efi
    UEFI is supported
    # efibootmgr
    BootCurrent: 0000
    Timeout: 1 seconds
    BootOrder: 0000,0004,0003,0002
    Boot0000* opensusetw HD(1,GPT,<...>,0x800,0xa0000)/File(\EFI\opensusetw\grubx64.efi)
    Boot0002* UEFI OS HD(1,GPT,<...>,0x800,0xa0000)/File(\EFI\BOOT\BOOTX64.EFI)
    Boot0003* CD/DVD Drive BBS(CDROM,,0x0)0000474f00004e4f7f000000010000004f00440052...
    Boot0004* Hard Drive BBS(HD,,0x0)0000474f00004e4f81000000010000004f00540045004...
    # grep UTOR /etc/default/grub
    grep: /etc/default/grub: No such file or directory
    # tree /boot/efi
    -bash: tree: command not found
    # tree /boot/efi
    /boot/efi

    0 directories, 0 files
    # lsblk -f | egrep 'stw|deb'
    ├─sda7 ext4 1.0 tg1p07stw c9b0...701a 1G 82% /disks/stw
    ├─sda9 ext4 1.0 tg1p09deb12 87b9...8adc 606.5M 88% /disks/deb12
    ├─sda13 ext4 1.0 tg1p13deb13 a5d4...ceb0 3.6G 49% /
    ├─sda17 ext4 1.0 tg1p17deb11 5be1...5084 675.4M 87% /disks/deb11
    # ls -gG /boot/grub/custom.cfg
    ls: cannot access '/boot/grub/custom.cfg': No such file or directory
    # ls -gG /disks/stw/boot/grub2/custom.cfg
    -rwxr-xr-x 1 6796 Aug 5 00:03 /disks/stw/boot/grub2/custom.cfg
    # which update-grub
    # dpkg-query -l | grep grub
    # parted -l | grep -i ESP
    1 1049kB 337MB 336MB fat32 TG1P01 EFI System (ESP) T253X 2295 boot, esp
    #
    My BBS menu contains 4 entries corresponding to output from efibootmgr,
    with the highlight on the one beginning "opensusetw", as configured via GRUB_DISTRIBUTOR=.

    My custom.cfg is 100% managed by me. Its included stanzas are automatically included along with the entries contained in grub.cfg. By reason of my
    having copied /etc/grub.d/41_custom to /etc/grub.d/07_custom, and emptying /etc/grub.d/41_custom, stanzas from custom.cfg precede those from grub.cfg
    when Grub's boot menu is onscreen. Management of custom.cfg is trivial, as editing is required only when adding another installation, or some other non-trivial changes among installed systems are employed. Stanzas in
    custom.cfg all employ symlinks to kernel and initrds.

    This is KISS applied to multibooting with UEFI. As with legacy/MBR booting, only one installed bootloader is required to support as many installed GNU/Linux installations as desired. I trust it adequately explains why
    above only one directory in /EFI/ on ESP exists. It is orthogonal to use
    of GRUB_DISTRIBUTOR= to assign a unique directory name within /EFI/ on ESP.

    printf "GRUB_DISTRIBUTOR=%s\n" mydeb \
    >/etc/default/grub.d/distributor.cfg
    update-grub
    grep --count mydeb /boot/grub/grub.cfg
    8

    Do we know that the update-grub command normally writes to /boot/efi/EFI/,
    and NVRAM (optional?)?

    So the added option has been applied. However I have not noticed any
    effect related to UEFI configuration

    efibootmgr -v | grep --count mydeb
    0

    iconv -f UCS-2 /boot/efi/EFI/debian/BOOTX64.CSV
    shimx64.efi,debian,,This is the boot entry for debian

    /boot/efi/EFI/debian remained as it was earlier.

    My expectations for "UEFI/GPT were designed to support multi-boot" in
    the context of discussion of 2 Debian installations are the following:

    - It is possible to create either EFI/mydeb or EFI/debian/mydeb on the
    ESP partition so that grubx64.efi from this directory may load grub.cfg
    from the *same* directory (path relative to the .efi binary). Currently
    .cfg path is a compile-time setting (EFI/debian/grubx64.cfg) for the
    sake of secure boot.
    - boot menu entry with customized name is created (efibootmgr)
    - name in BOOTX64.CSV is changed accordingly. This file is used by
    fallback fbx64.efi to create EFI boot variable when it is missed during
    boot. Currently it is not a configuration file and copied from /usr/lib/shim/BOOTX64.CSV (shim-unsigned).

    I have not tried to dispute that it is possible to configure grub for 2 Debian systems. I do not mind that UEFI allows to put boot files for different architectures and (besides removable media EFI/BOOT path) from different vendors. I still suspect it is a UEFI+SecureBoot design
    shortcoming that it is not possible to install the same loader (the same vendor) on the same ESP twice with different configurations.
    --
    Evolution as taught in public schools is, like religion,
    based on faith, not based on science.

    Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!

    Felix Miata

  • From Joe@21:1/5 to Max Nikulin on Thu Aug 22 12:00:01 2024
    On Thu, 22 Aug 2024 10:17:58 +0700
    Max Nikulin <[email protected]> wrote:



    Actually I tried dpkg-reconfigure for grub and shim packages and your message made me think that you may correct me and may provide
    proper commands to configure *UEFI* boot menu.


    efibootmgr

    As I mentioned previously, not all UEFI implementations behave properly.

    Your firmware probably has a hotkey to run the UEFI boot selector after
    power on, but it may not have any editing facilities.

    From Windows it's much harder, and requires rebooting into Safe Mode.
    In Linux, efibootmgr can be run from chroot from e.g. a Debian
    installation medium in rescue mode.

    --
    Joe

  • From Felix Miata@21:1/5 to All on Thu Aug 22 11:50:01 2024
    Max Nikulin composed on 2024-08-22 10:17 (UTC+0700):

    Felix Miata wrote:

    My BBS menu contains 4 entries corresponding to output from efibootmgr,
    with the highlight on the one beginning "opensusetw", as configured via
    GRUB_DISTRIBUTOR=.

    Or it just coincides with the configured value.

    /etc/default/grub's GRUB_DISTRIBUTOR=, if not null, /is/ where the configuration
    is established. In openSUSE, that default is null, and thus falls back to something somewhere I suppose in /usr/ establishing opensuse as its default. In Debian it is by default whatever `lsb_release -i -s 2> /dev/null || echo Debian`
    works out to be, usually "debian" AFAICT, unless it's been changed since last I had such file from a Debian installation. With only one bootloader per PC, lots of
    /etc/default/ directories have no grub file in them.

    My expectation is that
    EFI/opensusetw/grub.cfg is still hardcoded in your grubx64.efi.

    Given /boot/grub2/grub.cfg was last written 13 minutes after EFI/opensusetw/grubx64.efi, I do not believe it is in there in this or on any other of my installations:

    # ls -gG /boot/efi/EFI/opensusetw/grub.cfg
    ls: cannot access '/boot/efi/EFI/opensusetw/grub.cfg': No such file or directory
    # ls -gG /boot/efi/EFI/opensusetw/
    total 148
    -rwxr-xr-x 1 151552 Aug 21 16:08 grubx64.efi
    # ls -gG /boot/efi/EFI/*
    /boot/efi/EFI/BOOT:
    total 1172
    -rwxr-xr-x 1 143360 Aug 23 2022 BOOTX64.EFI
    -r-xr-xr-x 1 1053552 Jul 26 2017 mt74x64.efi

    /boot/efi/EFI/opensusetw:
    total 148
    -rwxr-xr-x 1 151552 Aug 21 16:08 grubx64.efi
    # lsblk -f | egrep -i 'tw|deb|esp'
    ├─sda1 vfat FAT32 TG1P01ESP ...9-E... 315M 1% /boot/efi
    ├─sda7 ext4 1.0 tg1p07stw c9b0...701a 1.1G 81% /
    ├─sda9 ext4 1.0 tg1p09deb12 87b9...8adc 1.5G 76% /disks/deb12
    ├─sda13 ext4 1.0 tg1p13deb13 a5d4...ceb0 3.6G 49% /disks/deb13
    ├─sda17 ext4 1.0 tg1p17deb11 5be1...5084 765.9M 86% /disks/deb11
    # ls -gG /boot/grub2/grub.cfg
    -rw------- 1 28238 Aug 21 16:21 /boot/grub2/grub.cfg
    #

    Do we know that the update-grub command normally writes to /boot/efi/EFI/, and NVRAM (optional?)?

    Actually I tried dpkg-reconfigure for grub and shim packages and your
    message made me think that you may correct me and may provide proper commands to configure *UEFI* boot menu.

    From my old notes:
    <https://bugs.launchpad.net/bugs/1450783>

    efibootmgr -c -L "opensusetw" -d /dev/sda1 -l '\EFI\opensusetw\grubx64.efi' here has created a new entry in NVRAM when old was obsolete or deleted. It doesn't
    create the opensusetw directory on the ESP. That is written by any process that reads GRUB_DISTRIBUTOR= to determine where to do its writing on the ESP.
    --
    Evolution as taught in public schools is, like religion,
    based on faith, not based on science.

    Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!

    Felix Miata
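
As the post above notes, `efibootmgr -c` writes only the NVRAM entry and creates nothing on the ESP, so the two can drift apart. The following added example (not from the thread) lists boot entries whose `File(...)` loader is missing under the ESP mount point, and `.efi` files on the ESP that no entry references. The function names and the sample listing are constructed; the existence check is only as case-insensitive as the mounted filesystem.

```sh
#!/bin/sh
# Added example: cross-check UEFI boot entries against loaders present on the ESP.

# Constructed sample in the shape of `efibootmgr` output.
sample_entries() {
    cat <<'EOF'
BootOrder: 0000,0002
Boot0000* opensusetw HD(1,GPT,<...>,0x800,0xa0000)/File(\EFI\opensusetw\grubx64.efi)
Boot0002* UEFI OS HD(1,GPT,<...>,0x800,0xa0000)/File(\EFI\BOOT\BOOTX64.EFI)
Boot0004* Hard Drive BBS(HD,,0x0)
EOF
}

# entry_paths: stdin = efibootmgr output; prints "NNNN /EFI/dir/loader.efi"
# for every entry with a File(...) node. Entries without one (BBS) are skipped.
entry_paths() {
    sed -n 's/^Boot\([0-9A-Fa-f]\{4\}\)[* ] .*File(\([^)]*\)).*$/\1 \2/p' |
        tr '\\' '/'
}

# dangling_entries ESP: stdin = efibootmgr output; prints the entries whose
# loader file does not exist below the ESP mount point.
dangling_entries() {
    entry_paths | while read -r id path; do
        [ -e "$1$path" ] || printf '%s %s\n' "$id" "$path"
    done
}

# unreferenced_loaders ESP: stdin = efibootmgr output; prints .efi files on
# the ESP that no boot entry points at (names compared case-insensitively).
unreferenced_loaders() {
    refs=$(entry_paths | cut -d' ' -f2-)
    ( cd "$1" && find . -type f -iname '*.efi' ) | sed 's/^\.//' | LC_ALL=C sort |
    while IFS= read -r f; do
        printf '%s\n' "$refs" | grep -qixF -- "$f" || printf '%s\n' "$f"
    done
}

# On a live system (as root):
#   efibootmgr | dangling_entries /boot/efi
#   efibootmgr | unreferenced_loaders /boot/efi
```

An unreferenced loader is not necessarily a problem (fallback and test tools such as the MemTest86 binaries in the listing earlier in the thread will show up), but the list is a quick inventory of what can be started from the ESP.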

  • From Felix Miata@21:1/5 to All on Thu Aug 22 22:50:01 2024
    Max Nikulin composed on 2024-08-22 22:56 (UTC+0700):

    Felix Miata wrote:

    # ls -gG /boot/efi/EFI/opensusetw/
    total 148
    -rwxr-xr-x 1 151552 Aug 21 16:08 grubx64.efi

    Am I right that you either do not use Secure Boot or generated a local
    key instead of/in addition to Microsoft and SUSE ones?

    I'm just finishing up with a distribution upgrade on one of my PCs. I cloned /dev/sda16 to /dev/sda64, updated configuration on /dev/sda64, verified it works
    normally, then did the upgrade on the original. My many computers each have lots
    of GNU/Linux installations. This particular one includes OS/2. KISS with so many
    installations demands I not tangle everything up with secure boot. It's complicated enough without.
    --
    Evolution as taught in public schools is, like religion,
    based on faith, not based on science.

    Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!

    Felix Miata

  • From Felix Miata@21:1/5 to All on Fri Aug 30 18:50:01 2024
    Max Nikulin composed on 2024-08-30 23:09 (UTC+0700):

    How does grubx64.efi find where grub.cfg is located?

    I don't know what doc might report this, but in a file viewer I see a string like
    (,gpt7)/boot/grub) embedded in a vast sea of nulls 98% of the way into the file.
    --
    Evolution as taught in public schools is, like religion,
    based on faith, not based on science.

    Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!

    Felix Miata
