FrugalPup 20 - Puppy frugal installer.
This computer, I am using to post this, has:
secure boot enabled
legacy boot disabled
Running Bionicpup64 8.0-UEFI
It has two partitions on the internal drive.
a small fat32 formatted partition.
The rest of drive is a large ext4 formatted partition.
The boot files are on the small fat32 partition. (boot partition)
The large ext4 partition has a frugal install of Bionicpup64 8.0
Used the boot installer part of Frugalpup to install the uefi boot loader.
Note:
The grub.cfg, that is shown in first image, is the one with all the boot information entries.
The other grub.cfg just points to it.
Here are the files on the boot partition.
Attachments:
- Screenshot.png: This is all the boot files on the small partition.
- Screenshot(1).png: This is what is in the efi/boot directory
- Screenshot(2).png: This is what is in the boot/grub directory
The things they do not tell you, are usually the clue to solving the problem.
When I was a kid I wanted to be older.... This is not what I expected
YaPI(any iso installer)
Thanks, but you never answered the key question.
"I would like to know if they needed to do the additional stuff to register the keys as described by JamesBond."
Also, your EFI/boot folder has an additional .efi file that is not present on the flash drive that I set up with FrugalPup.
And that flash drive would NOT boot on a machine with Secure Boot enabled.
rcrsn51 wrote: Thanks, but you never answered the key question. I would like to know if they needed to do the additional stuff to register the keys as described by JamesBond.
I think you need to.
Enrolling a key will not hurt anyway.
I think that installers from major distros that use secure boot enroll their key during installation.
Their bootloader is signed with their key.
I suppose the bootloader from Fatdog is also signed with their key.
Luckily a signed bootloader also boots with secure boot OFF.
The next question you have asked has been on my mind also and it is important.
"And if I get the machine to boot, do I then need a signed kernel?"
Once upon a time I have installed Fedora.
With their bootloader I could boot Puppys but I do not remember if I had secure boot on.
So I will set this up again (I never removed the enrolled fedora key) and report back.
"I think you need to."
On my UEFI machine, there was no place to do this. It just reported something like "no signed bootloaders" and quit.
I have set up UEFI flash drives several ways, including burning the ISO with dd. None of them could get past this point. But maybe this problem is specific to the UEFI on my machine.
So I'm asking again - has anyone other than Bigpup got a Puppy to work with Secure Boot ON?
rcrsn51 wrote: Also, your EFI/boot folder has an additional .efi file that is not present on the flash drive that I set up with FrugalPup.
Maybe bootx64.efi is mjg59's shim?
https://mjg59.dreamwidth.org/19448.html
rcrsn51 wrote: "I think you need to." On my UEFI machine, there was no place to do this. It just reported something like "no signed bootloaders" and quit.
You need a mokmanager. That is another efi binary.
There is certainly one in Fatdog, extract efiboot.img in the iso.
Put it next to bootx64.efi in EFI/boot.
foxpup wrote: You need a mokmanager. That is another efi binary. There is certainly one in Fatdog, extract efiboot.img in the iso. Put it next to bootx64.efi in EFI/boot.
Here is my bottom line:
To install a Puppy on a UEFI machine, I must start with a USB boot. So I have to go into the UEFI setup to change the boot order. So while I'm there, I might as well turn Secure Boot OFF and be done with it. Otherwise, I will need to track down extra stuff that is not included in the Puppy ISO.
rcrsn51 wrote: Here is my conclusion so far: Recent Puppy ISOs are UEFI-compatible, but they are NOT Secure Boot-compatible.
Got to the same conclusion.
Even shim will not change that. "I am waiting for someone to refute this."
Further:
To comply with secure boot we would need to purchase a key from some windows subsidiary
and sign kernel or init or whatever every time we make another Puppy.
My opinion:
We do not want to go that way!
I don't think there is any security in Secure Boot. In fact, I consider it a case of 'defective by design', vendor lock-in ...
Well, as long as you can disable secure boot, it is not a total vendor lock-in yet.
rcrsn51 wrote: To install a Puppy on a UEFI machine, I must start with a USB boot. So I have to go into the UEFI setup to change the boot order. So while I'm there, I might as well turn Secure Boot OFF and be done with it. Otherwise, I will need to track down extra stuff that is not included in the Puppy ISO.
In general, that is correct.
It is possible there are machines that allow booting unsigned kernels from usb.
Adding a mokmanager in the iso is not a big thing though. Fatdog does that.
The biggest problem is signing the kernel every time for a new Puppy if you do not have the key/cert to do that.
Last edited by foxpup on Sat 19 Oct 2019, 10:06, edited 1 time in total.
frugalpup and SecureBoot
FrugalPup has never done anything about "SecureBoot".
My assumption has always been that "SecureBoot" would need to be disabled.
But, earlier versions had their .efi code copied from an existing uefi usb stick (maybe clonezilla), and contained both a 'bootx64.efi' and a 'grubx64.efi'.
Recent versions get their .efi code from grub-efi-amd64-bin_2.04-2_i386.deb, a debian package, and contain only 'bootx64.efi'.
This is smaller, simpler to set up, and more appropriate to use. And gives me a way of upgrading to newer versions of grub2.
I'm sure that this version is not signed.
It is possible that the earlier "borrowed" .efi code, may have been signed.
I assumed it was not signed, I never checked. I always have "SecureBoot" disabled, since I still do non-uefi boots with grub4dos.
I "borrowed" the efi code because the efi code available in Puppy had a useless screen before the main boot selection screen, that I found annoying, whereas the "borrowed" code did not.
I intend to continue using the debian .efi code, so FrugalPup/StickPup should continue to require "SecureBoot" to be disabled.
gyro
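Added example, not part of the original thread and not FrugalPup or GRUB code: the post above leaves open whether a given bootx64.efi is signed, and this Python reads the PE certificate table entry of an EFI binary to tell whether a signature is attached. The function names and the constructed sample image are assumptions made for the illustration.

```python
import struct

CERT_TABLE_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY in the PE data directory


def efi_signature_info(data: bytes):
    """Return (signed, offset, size) for the PE certificate table of an EFI binary."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE/EFI image: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE/EFI image: missing PE signature")
    opt = pe_off + 4 + 20                       # optional header follows the COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                          # PE32+ (x86_64, e.g. bootx64.efi)
        count_off, dirs_off = opt + 108, opt + 112
    elif magic == 0x10B:                        # PE32 (ia32)
        count_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    count = struct.unpack_from("<I", data, count_off)[0]
    if count <= CERT_TABLE_INDEX:
        return (False, 0, 0)
    offset, size = struct.unpack_from("<II", data, dirs_off + 8 * CERT_TABLE_INDEX)
    # For this directory the first field is a file offset, not an RVA.
    signed = size > 0 and offset > 0 and offset + size <= len(data)
    return (signed, offset, size)


def build_sample(cert_size: int) -> bytes:
    """Constructed minimal PE32+ image for the demo; not a real bootloader."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 112 + 16 * 8, 0x2022)
    opt = bytearray(112 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B)       # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)        # NumberOfRvaAndSizes
    image = bytearray(dos + b"PE\0\0" + coff + bytes(opt))
    if cert_size:
        cert_off = len(image)
        struct.pack_into("<II", image, 0x40 + 24 + 112 + 8 * CERT_TABLE_INDEX, cert_off, cert_size)
        image += b"\0" * cert_size              # placeholder bytes, not a real signature
    return bytes(image)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                   # e.g. EFI/boot/bootx64.efi
        with open(path, "rb") as fh:
            print(path, efi_signature_info(fh.read()))
```

A non-empty certificate table only shows that a signature is attached; whether the firmware accepts it depends on the keys enrolled in its db or as a MOK.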
rcrsn51 wrote: To install a Puppy on a UEFI machine, I must start with a USB boot. So I have to go into the UEFI setup to change the boot order. So while I'm there, I might as well turn Secure Boot OFF and be done with it. Otherwise, I will need to track down extra stuff that is not included in the Puppy ISO.
My attitude also.
gyro
bigpup wrote: Got any interest in maybe working on this? http://www.murga-linux.com/puppy/viewtopic.php?t=116824 Maybe making your FrugalPup and StickPup features part of the Puppy Universal Installer.
I guess the short answer is at this time, no.
I've never looked at the Puppy Universal Installer code, so I don't have any idea how much of a pain it would be to modify.
But I was looking for something a little bit more like "grub4dos config", that can setup the boot-entries for multiple puppies in one go, hence the split between "Puppy" and "Boot".
gyro
rcrsn51 wrote: Thanks, but you never answered the key question. "I would like to know if they needed to do the additional stuff to register the keys as described by JamesBond." Also, your EFI/boot folder has an additional .efi file that is not present on the flash drive that I set up with FrugalPup. And that flash drive would NOT boot on a machine with Secure Boot enabled.
Not sure about that extra file you see.
I did do this with an older version of FrugalPup.
I will have to check on this.
I had to do nothing extra to get it to boot.
Only what FrugalPup did to install the uefi boot loader.
This computer did have Windows 10 on it.
But I completely deleted Windows 10.
On the internal drive did a new partition table msdos and re-partitioned and formatted.
Again, this is on an internal drive, not a USB flash drive.
All the computers with uefi that I have, will not boot from a USB drive if secure boot is enabled.
The UEFI bios will only see a USB drive as a bootable device if secure boot is disabled.
I find it really depends on how the manufacturer of the computer set up the UEFI bios to work.
One computer will not even list USB devices as a boot option until secure boot is disabled.
I see from very new information on booting from UEFI with a USB drive.
That some very new computers give a lot more boot options in their UEFI bios setups.
They list more choices for USB drive booting.
EFI boot sources
With USB devices listed.
Legacy boot sources
With USB devices listed.
None of my UEFI computers have it this way.
May have this problem with UEFI booting.
"UEFI based systems such as the Surface Pro or other UEFI systems require that the boot files reside on FAT32 partition. If they are not FAT32 the system may not see the device as bootable."
Again, what specific UEFI bios are you dealing with.
Even the newest UEFI bios. When using an internal drive with a GPT partition table. Usually has a small first partition, formatted fat32, with the boot files on it.
gyro wrote: @bigpup, If you get an opportunity, could you please confirm that the latest version of FrugalPup does not produce a uefi boot partition that will work with "SecureBoot". gyro
Give me a little time and I will see what happens.
Can I just keep the internal drive the way it is.
Just reinstall the boot loader using your latest FrugalPup?
I guess I could delete everything from the boot partition, to make sure none of the old boot loader, is on it.
Understand, I will be running FrugalPup from a booted USB drive, with secure boot disabled.
After I reinstall the UEFI boot loader.
I will enable secure boot and try a normal boot from the internal drive.
gyro wrote: @bigpup, If you get an opportunity, could you please confirm that the latest version of FrugalPup does not produce a uefi boot partition that will work with "SecureBoot". gyro
Well, I may have not done this exactly as you wanted.
I did not mess with the internal drive.
I made a UEFI USB flash drive install.
It boots OK on the right computer, if the UEFI bios gives option to boot from a USB UEFI device.
I started with a freshly partitioned and formatted USB flash drive.
msdos partition table.
Has two partitions
First one a small 1GB partition, fat32 formatted.
2nd one rest of drive formatted ext4.
Used Frugalpup_15.sfs loaded.
Installed a frugal install of Bionicpup64 8.0 to the 2nd partition.
Installed a uefi boot loader to the first partition.
I took this USB flash drive to a computer that will boot from a UEFI USB device.
In the UEFI bios setup.
Secure boot is enabled.
Under boot device order moved UEFI usb device to first item
Saved changes.
Rebooted computer.
It booted with no problem on this computer using this USB flash drive.
On another computer that has no UEFI bios option to boot from a UEFI USB device.
I will see what happens.
I am using this usb to type this.
I will report back.
This is what is on the first partition formatted fat32.
Attachments:
- Screenshot.jpg
- Screenshot(1).jpg
Last edited by bigpup on Sat 19 Oct 2019, 19:56, edited 1 time in total.