FrugalPup 20 - Puppy frugal installer.

[bigpup]

Just to let you know.
666philb has added the Stickpup program to Bionicpup64 8.0 as an update to Bionicpup64.

From the installed bugfixes update list after running Bionicpup updates.

swapped bootflash 4 stickpup usb installer ... gyro & bigpup

He was testing how Bootflash worked and after I told him about the FrugalPup package.
He tried StickPup to install to USB.

Here is his post in the Bionicpup64 8.0 topic.
http://www.murga-linux.com/puppy/viewto ... 88#1021888

[gyro]

I have uploaded 'frugalpup_12.sfs' to http://www.mediafire.com/folder/rdyc5lgzpeij1/frugalpup.
This update includes support for SSD's, adds "pfix=trim" to the boot entry.
And adds full support for "Minimal Init Overlay v12".

gyro

[gyro]

I have uploaded 'frugalpup_13.sfs' and 'frugalpup_13.pet' to http://www.mediafire.com/folder/rdyc5lgzpeij1/frugalpup.
This update fixes the support for SSD's, adds "pfix=trim" to the boot entry if it finds an SSD as the install partition or the default save partition, not just the install partition.
It also includes some code cleanup, and provides support for "Minimal Init Overlay v13".

gyro

[gyro]

I have uploaded 'frugalpup_15.sfs' to http://www.mediafire.com/folder/rdyc5lgzpeij1/frugalpup.
This version contains updated uefi support with debian 'grubx64.efi' version 2.04.
This results in a "cleaner" '/EFI/boot' directory, but otherwise no noticable difference.
Still does not support booting Puppies stored on f2fs.

gyro

[bigpup]

gyro,

Got any interest in maybe working on this?
http://www.murga-linux.com/puppy/viewtopic.php?t=116824
Maybe making your FrugalPup and StickPup features part of the Puppy Universal Installer.

No one seems to be working on this code anymore.

Maybe blending your fine work and the Universal Installer into one great Puppy installer.

Or maybe we can convince, Puppy version developers, to drop the Puppy Universal Installer and just use FrugalPup as the default installer to put into Puppy.

[foxpup]

Secure boot needs to be enabled.

I cannot confirm this on my laptop lenovo ideapad 510.

I often wondered if frugalpup has something special so it can boot with secure boot enabled.
I finally found some time to try it out.
I does not for me.
I have to disable secure boot.

@bigpup
I wonder if your machine maybe has the security key from canonical.
Maybe from the factory or maybe by installing some debian/ubuntu distro.

To make it perfectly clear:
I do not want secure boot.
I consider secure boot to be a case of drm-encumbered, defective by design.
And it does not ensure security at all.
It allows windows to boot while windows is behaving as malware.

[bigpup]

No two UEFI bios versions seem to be 100% the same.
Computer manufactures can change them to work anyway they want to.
The computer I was talking about needed secure boot enabled
To boot from it's internal emmc drive.
With secure boot disabled, it would not even show as a boot-able drive.
Thus, it needed a fully supportive UEFI boot loader that would work with secure boot enabled.

So far every computer I have disabled secure boot in the UEFI bios.
Seems to have no problem booting with good old Grub4dos boot loader, which is not a UEFI supportive boot loader.
That is if the UEFI bios will still see the drive as a boot device.

Some UEFI bios computers, will not see external drives as boot-able devices, when secure boot is enabled.
USB drives
CD/DVD drives
It still sees them as data storage drives, but they never show up as a drive to boot from.
Again, depends on the manufactures setup of the UEFI bios.

The computer I used Frugalpup on, required this, to be able to boot from a USB flash drive.

[rcrsn51]

Just out of curiosity: If this method will boot a Puppy while secure boot is ON, how does Puppy supply valid keys?

Are they somewhere in the Puppy ISO?

I have been setting up UEFI boots with a bootx64.efi that I think originally came from JamesBond. Is it actually capable of booting when Secure Boot is ON?

Are these steps needed to make it work?

And if I get the machine to boot, do I then need a signed kernel?

I'd like some guidance before I screw up a machine trying.

--------------------

[step]

I have been setting up UEFI boots with a bootx64.efi that I think originally came from JamesBond. Is it actually capable of booting when Secure Boot is ON?

Are these steps needed to make it work?

The Fatdog64 UEFI installer in Control Panel > Utilites provides bootx64.efi and several other files that should enable the steps you linked. I haven't actually tested secure boot - I don't have the right hardware - but I can see that the installer adds a MOK manager, and a keys folder with many vendor certs inside, plus the Fatdog64.cer file. But I can't see puppy certs in that folder.

[rcrsn51]

But I can't see puppy certs in that folder.

I wouldn't expect there to be.

I am looking for someone who has booted a Puppy like bionicpup64-8.0-uefi.iso on a UEFI machine with Secure Boot ON.

Meaning that it was NOT reverted to Legacy (CSM) mode.

I would like to know if they needed to do the additional stuff to register the keys as described by JamesBond.

[bigpup]

This computer, I am using to post this, has:
secure boot enabled
legacy boot disabled

Running Bionicpup64 8.0-UEFI

It has two partitions on the internal drive.
a small fat32 formatted partition.
The rest of drive is a large ext4 formatted partition.

The boot files are on the small fat32 partition. (boot partition)
The large ext 4 partition has a frugal install of Bionicpup64 8.0

Used the boot installer part of Frugalpup to install the uefi boot loader.

Note:
The grub.cfg, that is shown in first image, is the one with all the boot information entries.
The other grub.cfg just points to it.

Here are the files on the boot partition.

[rcrsn51]

Thanks, but you never answered the key question.

I would like to know if they needed to do the additional stuff to register the keys as described by JamesBond.

Also, your EFI/boot folder has an additional .efi file that is not present on the flash drive that I set up with FrugalPup.

And that flash drive would NOT boot on a machine with Secure Boot enabled.

[foxpup]

Thanks, but you never answered the key question.

I would like to know if they needed to do the additional stuff to register the keys as described by JamesBond.

I think you need to.
Enrolling a key will not hurt anyway.
I think that installers from major distros that use secure boot enroll their key during installation.
Their bootloader is signed with their key.
I suppose the bootloader from Fatdog is also signed with their key.
Luckily a signed bootloader also boots with secure boot OFF.

The next question you have asked has been on my mind also and it is important.

And if I get the machine to boot, do I then need a signed kernel?

Once upon a time I have installed Fedora.
With their bootloader I could boot Puppys but I do not remember if I had secure boot on.
So I will set this up again (I never removed the enrolled fedora key) and report back.

[rcrsn51]

I think you need to.

On my UEFI machine, there was no place to do this. It just reported something like "no signed bootloaders" and quit.

I have set up UEFI flash drives several ways, including burning the ISO with dd. None of them could get past this point. But maybe this problem is specific to the UEFI on my machine.

So I'm asking again - has anyone other than Bigpup got a Puppy to work with Secure Boot ON?

[foxpup]

Also, your EFI/boot folder has an additional .efi file that is not present on the flash drive that I set up with FrugalPup.

Maybe bootx64.efi is mjg59's shim?
https://mjg59.dreamwidth.org/19448.html

[rcrsn51]

Maybe bootx64.efi is mjg59's shim?

That's what I suspected. Bigpup has done something extra to get Secure Boot support.

Here is my conclusion so far: Recent Puppy ISOs are UEFI-compatible, but they are NOT Secure Boot-compatible.

I am waiting for someone to refute this.

[foxpup]

I think you need to.

On my UEFI machine, there was no place to do this. It just reported something like "no signed bootloaders" and quit.

You need a mokmanager. That is another efi binary.
There is certainly one in Fatdog, extract efiboot.img in the iso.
Put it next to bootx64.efi in EFI/boot.

[rcrsn51]

You need a mokmanager. That is another efi binary.
There is certainly one in Fatdog, extract efiboot.img in the iso.
Put it next to bootx64.efi in EFI/boot.

Here is my bottom line:

To install a Puppy on a UEFI machine, I must start with a USB boot. So I have to go into the UEFI setup to change the boot order. So while I'm there, I might as well turn Secure Boot OFF and be done with it. Otherwise, I will need to track down extra stuff that is not included in the Puppy ISO.

[foxpup]

Here is my conclusion so far: Recent Puppy ISOs are UEFI-compatible, but they are NOT Secure Boot-compatible.

Got to the same conclusion.
Even shim will not change that. "I am waiting for someone to refute this."

Further:
To comply with secure boot we would need to purchase a key from some windows subsidiary
and sign kernel or init or whatever everytime we make another Puppy.

My opinion:
We do not want to go that way!
I don't think there is any security in Secure Boot. In fact, I consider it a case of 'defective by design', vendor lock-in ...
Well, as long as you can disable secure boot, it is not a total vendor lock-in yet.

[rcrsn51]

Yet Bigpup claims to have done it.