On 20/2/18 3:51 am, Tom H wrote:
On Wed, Feb 14, 2018 at 4:51 PM, Stephen Morris
<samorris@xxxxxxxxxxxxxxx> wrote:
On 14/2/18 8:18 pm, Tom H wrote:
On Mon, Feb 12, 2018 at 4:28 PM, Stephen Morris
<samorris@xxxxxxxxxxxxxxx> wrote:
Thanks Tom. My statement was from having seen other threads on this
list saying to not run grub2-install on an efi system because it
wasn't needed.
You're welcome.
Chris M has said that grub2-install shouldn't be used on an EFI
system. Maybe it does the wrong thing when you don't specify
"--target=...-efi" because the default is "--target=i386-pc".
It could be. As I understand it the default functionality updates the
mbr on the specified device, and from what I've read in other threads,
I thought they said that to get the grub menu displayed at boot you
don't update the mbr on an efi system any more, all that is necessary
is to just run grub2-mkconfig.
I'd be surprised if "grub-install" defaults to "--target=i386-pc" on
EFI if you don't include "--target=x86_64-efi" n the command. Maybe;
but I'd expect grub to detect that it's running on an EFI system...
I suspect grub is detecting which architecture is in use. In my
/boot/efi/EFI/BOOT the only .efi entries in there other than
fallback.efi are x86_64 versions. Also in /boot/efi/EFI/fedora fwupdate
has made what I assume are its 32-bit and 64-bit .efi files executable
and grubx64.efi is also executable. Also /boot/efi/EFI/fedora/grubenv
seems to have its only line, being a saved_entry line, updated every
time the machine is booted to reflect the version of the kernel last
booted from. This surprises me, as I have never installed Win 10, Fedora
27 or Ubuntu 17.10 in efi format, hence as far as I am aware I'm not
using efi even though the motherboard I am using now doesn't appear to
have any means to explicitly turn efi off, other than the SecureBoot
option, which my previous motherboard that did have the capability of
explicitly disabling efi didn't have, also I have SecureBoot disabled in
the bios.
I think that I now remember Chris M's objection. It's that the EFI
executable that "grub-install" drops onto the ESP isn't signed, which
is problematic on SB systems. Ubuntu's "grub-install" has a
"--uefi-secure-boot" option to install a signed EFI executable (I
_assume_ that "/usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed" is
copied to the ESP) but Fedora's grub doesn't have either of these so
Chris must be right for the SB case.
I thought that with SB all your drivers etc had to be signed to be able
to boot from a SecureBoot system, and as such Fedora were using
Microsoft certificates, whereas Ubuntu was going down the path of self
signing. Given what you said around the /usrlib/grub/x86_64-efi-signed
directory, which doesn't exist on my system, and if I understood you
correctly doesn't exist in fedora anyway, where are fedora's
certificates, and, if I enable SecureBoot in my bios do I have to also
load the default certificates that the bios offers?
regards,
Steve
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
