Note
The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.
Difference between revisions of "Package:Shim"
Jump to navigation
Jump to search
m (→Uncooperative: emerge the mokutil package oops) |
(add paths to more tools that may help flush out uefi secure boot problems further.) |
||
| Line 33: | Line 33: | ||
*load EFI from file, and again point to /boot/EFI/FUNTOO/shim which will now load funtoo under secure boot. | *load EFI from file, and again point to /boot/EFI/FUNTOO/shim which will now load funtoo under secure boot. | ||
=== | ===Uncooperative=== | ||
{{warning| | {{warning|untested, LETS TRY IT IT LOOKS FUN! {{=}}D}} | ||
*mokutil looks helpful when uefi secure boot is uncooperative: | |||
{{console|body= | {{console|body= | ||
###i## | ###i## emerge sys-boot/mokutil | ||
}} | }} | ||
"users may wish to disable validation in shim while booted with Secure Boot enabled on an official kernel by using 'sudo mokutil --disable-validation', providing a password when prompted, and rebooting; or to disable Secure Boot in firmware altogether. " | |||
- https://wiki.ubuntu.com/UEFI/SecureBoot | |||
these might be needed to get shim running but doubtful. we should be well covered with mokutil. | |||
{{console|body= | {{console|body= | ||
###i## emerge | ###i## emerge app-crypt/sbsigntools app-crypt/efitools | ||
}} | }} | ||
[[Secure_Boot]] has more information. | ==Links== | ||
* [[Secure_Boot]] has more information. | |||
* https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface/Secure_Boot | |||
* https://blog.uncooperative.org/blog/2014/02/06/the-efi-system-partition/ | |||
===fallback default efi partition=== | |||
{{warning|avoid this if possible}} | |||
{{console|body= | |||
###i## mkdir /boot/EFI/BOOT | |||
###i## cp /boot/EFI/FUNTOO/* /boot/EFI/BOOT/ | |||
}} | |||
Revision as of 10:03, December 18, 2020
We have fedora's EFI secure boot shim. Documentation suggests loading the shim to unlock secure boot, and that the shim side loads grubx64.efi in the same directory.
sys-boot/shim
Homepage: https://apps.fedoraproject.org/packages/shim/ Description: Fedora's signed UEFI shim
root # emerge sys-boot/shim
these files are added to the system:
- /usr/share/shim/BOOTIA32.EFI
- /usr/share/shim/BOOTX64.EFI
- /usr/share/shim/mmia32.efi
- /usr/share/shim/mmx64.efi
root # mkdir /boot/EFI/FUNTOO root # cp /usr/share/shim/* /boot/EFI/FUNTOO/
uefi secure boot
- press the f1 f2 f8 f9 f10 esc or delete to load bios.
- set bios to load uefi usb devices first, disable secure boot, and enable legacy mode. save settings and exit.
- press the f1 f2 f8 f9 f10 esc or delete to load your boot selection menu.
- load EFI from file, point to /boot/EFI/FUNTOO/shim
- shim will greet you with access violation warnings.
- fiddle around to get mok manager to load up.
- select add key
- point to /boot/EFI/FUNTOO/grubx86.efi
- press the f1 f2 f8 f9 f10 esc or delete key to load your boot selection menu.
- load EFI from file, and again point to /boot/EFI/FUNTOO/shim which will now load funtoo under secure boot.
Uncooperative
Warning
untested, LETS TRY IT IT LOOKS FUN! =D
- mokutil looks helpful when uefi secure boot is uncooperative:
root # emerge sys-boot/mokutil
"users may wish to disable validation in shim while booted with Secure Boot enabled on an official kernel by using 'sudo mokutil --disable-validation', providing a password when prompted, and rebooting; or to disable Secure Boot in firmware altogether. " - https://wiki.ubuntu.com/UEFI/SecureBoot
these might be needed to get shim running but doubtful. we should be well covered with mokutil.
root # emerge app-crypt/sbsigntools app-crypt/efitools
Links
- Secure_Boot has more information.
- https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface/Secure_Boot
- https://blog.uncooperative.org/blog/2014/02/06/the-efi-system-partition/
fallback default efi partition
Warning
avoid this if possible
root # mkdir /boot/EFI/BOOT root # cp /boot/EFI/FUNTOO/* /boot/EFI/BOOT/