FrugalPup 20 - Puppy frugal installer.

bigpup
Posts: 13886
Joined: Sun 11 Oct 2009, 18:15
Location: S.C. USA

#31 Post by bigpup »

This computer, I am using to post this, has:
secure boot enabled
legacy boot disabled

Running Bionicpup64 8.0-UEFI

It has two partitions on the internal drive.
a small fat32 formatted partition.
The rest of drive is a large ext4 formatted partition.

The boot files are on the small fat32 partition. (boot partition)
The large ext4 partition has a frugal install of Bionicpup64 8.0

Used the boot installer part of Frugalpup to install the uefi boot loader.

Note:
The grub.cfg, that is shown in first image, is the one with all the boot information entries.
The other grub.cfg just points to it.

Here are the files on the boot partition.
Attachments:
Screenshot.png: This is all the boot files on the small partition.
Screenshot(1).png: This is what is in the efi/boot directory
Screenshot(2).png: This is what is in the boot/grub directory
The things they do not tell you, are usually the clue to solving the problem.
When I was a kid I wanted to be older.... This is not what I expected :shock:
YaPI(any iso installer)

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#32 Post by rcrsn51 »

Thanks, but you never answered the key question.
I would like to know if they needed to do the additional stuff to register the keys as described by JamesBond.
Also, your EFI/boot folder has an additional .efi file that is not present on the flash drive that I set up with FrugalPup.

And that flash drive would NOT boot on a machine with Secure Boot enabled.

foxpup
Posts: 1132
Joined: Fri 29 Jul 2016, 21:08

#33 Post by foxpup »

rcrsn51 wrote:Thanks, but you never answered the key question.
I would like to know if they needed to do the additional stuff to register the keys as described by JamesBond.
I think you need to.
Enrolling a key will not hurt anyway.
I think that installers from major distros that use secure boot enroll their key during installation.
Their bootloader is signed with their key.
I suppose the bootloader from Fatdog is also signed with their key.
Luckily a signed bootloader also boots with secure boot OFF.

The next question you have asked has been on my mind also and it is important.
And if I get the machine to boot, do I then need a signed kernel?
Once upon a time I have installed Fedora.
With their bootloader I could boot Puppys but I do not remember if I had secure boot on.
So I will set this up again (I never removed the enrolled fedora key) and report back.

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#34 Post by rcrsn51 »

foxpup wrote:I think you need to.
On my UEFI machine, there was no place to do this. It just reported something like "no signed bootloaders" and quit.

I have set up UEFI flash drives several ways, including burning the ISO with dd. None of them could get past this point. But maybe this problem is specific to the UEFI on my machine.

So I'm asking again - has anyone other than Bigpup got a Puppy to work with Secure Boot ON?

foxpup
Posts: 1132
Joined: Fri 29 Jul 2016, 21:08

#35 Post by foxpup »

rcrsn51 wrote:Also, your EFI/boot folder has an additional .efi file that is not present on the flash drive that I set up with FrugalPup.
Maybe bootx64.efi is mjg59's shim?
https://mjg59.dreamwidth.org/19448.html

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#36 Post by rcrsn51 »

foxpup wrote:Maybe bootx64.efi is mjg59's shim?
That's what I suspected. Bigpup has done something extra to get Secure Boot support.

Here is my conclusion so far: Recent Puppy ISOs are UEFI-compatible, but they are NOT Secure Boot-compatible.

I am waiting for someone to refute this.

foxpup
Posts: 1132
Joined: Fri 29 Jul 2016, 21:08

#37 Post by foxpup »

rcrsn51 wrote:
I think you need to.
On my UEFI machine, there was no place to do this. It just reported something like "no signed bootloaders" and quit.
You need a mokmanager. That is another efi binary.
There is certainly one in Fatdog, extract efiboot.img in the iso.
Put it next to bootx64.efi in EFI/boot.

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#38 Post by rcrsn51 »

foxpup wrote:You need a mokmanager. That is another efi binary.
There is certainly one in Fatdog, extract efiboot.img in the iso.
Put it next to bootx64.efi in EFI/boot.
Here is my bottom line:

To install a Puppy on a UEFI machine, I must start with a USB boot. So I have to go into the UEFI setup to change the boot order. So while I'm there, I might as well turn Secure Boot OFF and be done with it. Otherwise, I will need to track down extra stuff that is not included in the Puppy ISO.

foxpup
Posts: 1132
Joined: Fri 29 Jul 2016, 21:08

#39 Post by foxpup »

rcrsn51 wrote:Here is my conclusion so far: Recent Puppy ISOs are UEFI-compatible, but they are NOT Secure Boot-compatible.
Got to the same conclusion.
Even shim will not change that. "I am waiting for someone to refute this." ;-)

Further:
To comply with secure boot we would need to purchase a key from some Windows subsidiary
and sign kernel or init or whatever every time we make another Puppy.

My opinion:
We do not want to go that way!
I don't think there is any security in Secure Boot. In fact, I consider it a case of 'defective by design', vendor lock-in ...
Well, as long as you can disable secure boot, it is not a total vendor lock-in yet.

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#40 Post by rcrsn51 »

Yet Bigpup claims to have done it.

foxpup
Posts: 1132
Joined: Fri 29 Jul 2016, 21:08

#41 Post by foxpup »

rcrsn51 wrote:To install a Puppy on a UEFI machine, I must start with a USB boot. So I have to go into the UEFI setup to change the boot order. So while I'm there, I might as well turn Secure Boot OFF and be done with it. Otherwise, I will need to track down extra stuff that is not included in the Puppy ISO.
In general, that is correct.
It is possible there are machines that allow booting unsigned kernels from usb.

Adding a mokmanager in the iso is not a big thing though. Fatdog does that.

The biggest problem is signing the kernel every time for a new Puppy if you do not have the key/cert to do that.
Last edited by foxpup on Sat 19 Oct 2019, 10:06, edited 1 time in total.

foxpup
Posts: 1132
Joined: Fri 29 Jul 2016, 21:08

#42 Post by foxpup »

rcrsn51 wrote:Yet Bigpup claims to have done it.
There is no standard for EFI. There are countless variations. It is possible it does work in his EFI and not in another.

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#43 Post by rcrsn51 »

foxpup wrote:There is no standard for EFI. There are countless variations. It is possible it does work in his EFI and not in another.
But I would have thought that the implementation of Secure Boot WOULD be standard. Maybe not.

gyro
Posts: 1798
Joined: Tue 28 Oct 2008, 21:35
Location: Brisbane, Australia

frugalpup and SecureBoot

#44 Post by gyro »

FrugalPup has never done anything about "SecureBoot".
My assumption has always been that "SecureBoot" would need to be disabled.

But, earlier versions had their .efi code copied from an existing uefi usb stick (maybe clonezilla), and contained both a 'bootx64.efi' and a 'grubx64.efi'.

Recent versions get their .efi code from grub-efi-amd64-bin_2.04-2_i386.deb, a debian package, and contain only 'bootx64.efi'.
This is smaller, simpler to setup, and more appropriate to use. And gives me a way of upgrading to newer versions of grub2.
I'm sure that this version is not signed.

It is possible that the earlier "borrowed" .efi code, may have been signed.
I assumed it was not signed, I never checked. I always have "SecureBoot" disabled, since I still do non-uefi boots with grub4dos.

I "borrowed" the efi code because the efi code available in Puppy had a useless screen before the main boot selection screen, that I found annoying, whereas the "borrowed" code did not.

I intend to continue using the debian .efi code, so FrugalPup/StickPup should continue to require "SecureBoot" to be disabled.

gyro
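
Several posts in this thread turn on whether a particular bootx64.efi or grubx64.efi is signed. Added example, not part of any post and not FrugalPup code: a Python check that reads the PE header of an EFI binary and reports whether it carries an embedded Authenticode signature table. The function names are my own, and `make_sample` builds a constructed header-only image for testing.

```python
import struct

SECURITY_DIR = 4  # data-directory index of the Certificate Table

def signature_info(data: bytes):
    """Return (file_offset, size) of the signature table, or None if unsigned."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE/EFI image: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE/EFI image: missing PE signature")
    opt = pe_off + 24  # optional header: after 4-byte signature + 20-byte COFF header
    try:
        magic = struct.unpack_from("<H", data, opt)[0]
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]  # PE32 / PE32+ (x86_64)
        count = struct.unpack_from("<I", data, dirs - 4)[0]
        if count <= SECURITY_DIR:
            return None
        offset, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    except (KeyError, struct.error):
        raise ValueError("truncated or unknown PE optional header")
    if offset == 0 or size == 0:
        return None  # empty entry: no Authenticode signature attached
    if offset + size > len(data):
        raise ValueError("certificate table points outside the file")
    return offset, size

def make_sample(signed: bool) -> bytes:
    """Constructed header-only image for testing; not a bootable binary."""
    pe_off = 0x40
    opt = pe_off + 24
    img = bytearray(opt + 112 + 16 * 8)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe_off)
    img[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<H", img, opt, 0x20B)
    struct.pack_into("<I", img, opt + 108, 16)  # NumberOfRvaAndSizes
    if signed:
        # WIN_CERTIFICATE header: length, revision 2.0, PKCS#7 SignedData type
        cert = struct.pack("<IHH", 16, 0x0200, 0x0002) + b"\0" * 8
        struct.pack_into("<II", img, opt + 112 + 8 * SECURITY_DIR, len(img), len(cert))
        img += cert
    return bytes(img)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, signature_info(f.read()) or "unsigned")
```

A non-empty result only shows that the file carries a signature from someone; firmware with Secure Boot enabled still rejects it unless the signer chains to a key in its db, or to a MOK enrolled through shim.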

gyro
Posts: 1798
Joined: Tue 28 Oct 2008, 21:35
Location: Brisbane, Australia

#45 Post by gyro »

rcrsn51 wrote:To install a Puppy on a UEFI machine, I must start with a USB boot. So I have to go into the UEFI setup to change the boot order. So while I'm there, I might as well turn Secure Boot OFF and be done with it. Otherwise, I will need to track down extra stuff that is not included in the Puppy ISO.
My attitude also.
gyro

gyro
Posts: 1798
Joined: Tue 28 Oct 2008, 21:35
Location: Brisbane, Australia

#46 Post by gyro »

bigpup wrote:Got any interest in maybe working on this?
http://www.murga-linux.com/puppy/viewtopic.php?t=116824
Maybe making your FrugalPup and StickPup features part of the Puppy Universal Installer.
I guess the short answer is at this time, no.
I've never looked at the Puppy Universal Installer code, so I don't have any idea how much of a pain it would be to modify.

But I was looking for something a little bit more like "grub4dos config", that can setup the boot-entries for multiple puppies in one go, hence the split between "Puppy" and "Boot".

gyro

gyro
Posts: 1798
Joined: Tue 28 Oct 2008, 21:35
Location: Brisbane, Australia

#47 Post by gyro »

@bigpup,
If you get an opportunity, could you please confirm that the latest version of FrugalPup does not produce a uefi boot partition that will work with "SecureBoot".

gyro

bigpup
Posts: 13886
Joined: Sun 11 Oct 2009, 18:15
Location: S.C. USA

#48 Post by bigpup »

rcrsn51 wrote:Thanks, but you never answered the key question.
I would like to know if they needed to do the additional stuff to register the keys as described by JamesBond.
Also, your EFI/boot folder has an additional .efi file that is not present on the flash drive that I set up with FrugalPup.

And that flash drive would NOT boot on a machine with Secure Boot enabled.
Not sure about that extra file you see.
I did do this with an older version of FrugalPup.
I will have to check on this.


I had to do nothing extra to get it to boot.
Only what FrugalPup did to install the uefi boot loader.
This computer did have Windows 10 on it.
But I completely deleted Windows 10.
On the internal drive did a new partition table msdos and re-partitioned and formatted.
Again, this is on an internal drive, not a USB flash drive.

All the computers with uefi that I have, will not boot from a USB drive if secure boot is enabled.
The UEFI bios will only see a USB drive as a bootable device if secure boot is disabled.
I find it really depends on how the manufacturer of the computer set up the UEFI bios to work.
One computer will not even list USB devices as a boot option until secure boot is disabled.

I see from very new information on booting from UEFI with a USB drive.
That some very new computers give a lot more boot options in their UEFI bios setups.
They list more choices for USB drive booting.
EFI boot sources
With USB devices listed.
Legacy boot sources
With USB devices listed.
None of my UEFI computers have it this way.

May have this problem with UEFI booting.
UEFI based systems such as the Surface Pro or other UEFI systems require that the boot files reside on FAT32 partition. If they are not FAT32 the system may not see the device as bootable.
Again, what specific UEFI bios are you dealing with?

Even the newest UEFI bios, when using an internal drive with a GPT partition table, usually has a small first partition, formatted fat32, with the boot files on it.

bigpup
Posts: 13886
Joined: Sun 11 Oct 2009, 18:15
Location: S.C. USA

#49 Post by bigpup »

gyro wrote:@bigpup,
If you get an opportunity, could you please confirm that the latest version of FrugalPup does not produce a uefi boot partition that will work with "SecureBoot".

gyro
Give me a little time and I will see what happens.

Can I just keep the internal drive the way it is?
Just reinstall the boot loader using your latest FrugalPup?
I guess I could delete everything from the boot partition, to make sure none of the old boot loader, is on it.

Understand, I will be running FrugalPup from a booted USB drive, with secure boot disabled.
After I reinstall the UEFI boot loader.
I will enable secure boot and try a normal boot from the internal drive.

bigpup
Posts: 13886
Joined: Sun 11 Oct 2009, 18:15
Location: S.C. USA

#50 Post by bigpup »

gyro wrote:@bigpup,
If you get an opportunity, could you please confirm that the latest version of FrugalPup does not produce a uefi boot partition that will work with "SecureBoot".

gyro
Well, I may have not done this exactly as you wanted.

I did not mess with the internal drive.
I made a UEFI USB flash drive install.

It boots OK on the right computer, if the UEFI bios gives option to boot from a USB UEFI device.

I started with a freshly partitioned and formatted USB flash drive.
msdos partition table.
Has two partitions
First one a small 1GB partition, fat32 formatted.
2nd one rest of drive formatted ext4.

Used Frugalpup_15.sfs loaded.
Installed a frugal install of Bionicpup64 8.0 to the 2nd partition.
Installed a uefi boot loader to the first partition.

I took this USB flash drive to a computer that will boot from a UEFI USB device.
In the UEFI bios setup.
Secure boot is enabled.
Under boot device order moved UEFI usb device to first item
Saved changes.
Rebooted computer.
It booted with no problem on this computer using this USB flash drive.

On another computer that has no UEFI bios option to boot from a UEFI USB device.
I will see what happens.
I am using this usb to type this.
I will report back.

This is what is on the first partition formatted fat32.
Attachments:
Screenshot.jpg
Screenshot(1).jpg
Last edited by bigpup on Sat 19 Oct 2019, 19:56, edited 1 time in total.
