On Jul 1, 2014, at 12:35 AM, Matthew Garrett <mjg59@xxxxxxxxxxxxx> wrote:

> On Mon, Jun 30, 2014 at 10:35:17PM -0600, Chris Murphy wrote:
>>
>> On Jun 30, 2014, at 4:20 PM, Matthew Garrett <mjg59@xxxxxxxxxxxxx> wrote:
>>
>>> On Mon, Jun 30, 2014 at 03:09:01PM -0600, Chris Murphy wrote:
>>>
>>>> Ok for long term. In the next two weeks before freeze is it possible
>>>> to modify the grub2-efi package spec file GRUB_MODULES= so that the
>>>> grux64.efi has xnu, xnu_uuid, xnu_uuid_test modules baked in? That
>>>> would fix the main problem in bug 893179 so that the first two OS X
>>>> entries would then have a chance of working.
>>>
>>> Not unless somebody writes signature checking support for them, no.
>>
>> Ahh. So without that, it'd be possible to execute arbitrary code masquerading as xnu on a Secure Boot system?
>
> Yeah. One option would be to just disable the code if secure boot is
> enabled - Macs don't implement it, so that would be fine for basically
> every real world case. But I'd still prefer to chain the Apple
> bootloader rather than fiddling with XNU.

I'd say until there's a replacement for os-prober's functionality that can also recognize encrypted OS X installs, and grub2-mkconfig creates OS X boot entries using chainloader rather than xnu modules, the simplest solution is anaconda adding DISABLE_OS_PROBER="True" to /etc/default/grub on Macs.

Upstream's solution mystifies me, it's been broken for ~2 years at least, and while it ought to be working now in GRUB 2.02, it's at the whim of Apple's future kernel changes. So not only is it a maintenance hassle, but it also can't boot encrypted OS X installs.

I just tested chainloading the Apple bootloader from GRUB on an encrypted OS X installation and it works. I'm going to guess a significant minority, if not majority, of OS X users who also install Fedora, are using encrypted OS X installations.

Because os-prober doesn't search Apple Boot partition types, and can't read encrypted Core Storage partitions, OS X boot entries aren't created at all for encrypted OS X installs. So we already have a relatively common scenario where there aren't OS X boot entries. So I still think suppressing os-prober on Macs is a better outcome than unencrypted OS X installs having a GRUB menu with four non-working boot menu entries, it also makes the GRUB menu consistent whether the OS X install is encrypted or not.

Chris Murphy

--
desktop mailing list
desktop@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/desktop
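
The os-prober suppression proposed in the message above, sketched as an added shell example (not anaconda's code and not part of the original message). It assumes Apple hardware can be recognised from the DMI vendor string in /sys/class/dmi/id/sys_vendor, and it writes the variable as `GRUB_DISABLE_OS_PROBER=true`, the spelling GRUB's /etc/grub.d/30_os-prober script tests for; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: switch off os-prober in a GRUB defaults file on Apple hardware.
# All function names are hypothetical; paths are parameters so the logic can be
# exercised on scratch files before touching /etc/default/grub.

# is_apple_hw [VENDOR_FILE]: succeed if the DMI vendor string starts with "Apple".
# Assumption: Macs report an Apple vendor string via sysfs DMI.
is_apple_hw() {
    vendor_file=${1:-/sys/class/dmi/id/sys_vendor}
    [ -r "$vendor_file" ] || return 1
    case "$(cat "$vendor_file")" in
        Apple*) return 0 ;;
        *)      return 1 ;;
    esac
}

# disable_os_prober [DEFAULTS_FILE]: idempotently set GRUB_DISABLE_OS_PROBER=true.
# Any existing assignment is replaced, so repeated runs leave exactly one line.
disable_os_prober() {
    defaults=${1:-/etc/default/grub}
    tmp=$(mktemp "${defaults}.XXXXXX") || return 1
    if [ -f "$defaults" ]; then
        # grep exits 1 when nothing is left to print; that is not an error here.
        grep -v -E '^[[:space:]]*GRUB_DISABLE_OS_PROBER=' "$defaults" > "$tmp" || true
    fi
    echo 'GRUB_DISABLE_OS_PROBER=true' >> "$tmp"
    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$defaults" && rm -f "$tmp"
}

# apply_mac_policy VENDOR_FILE DEFAULTS_FILE: only change the file on Macs.
apply_mac_policy() {
    if is_apple_hw "$1"; then
        disable_os_prober "$2" && echo "os-prober disabled in $2"
    else
        echo "not Apple hardware; $2 left unchanged"
    fi
}

# Typical call on an installed system (as root), followed by regenerating
# grub.cfg with grub2-mkconfig:
#   apply_mac_policy /sys/class/dmi/id/sys_vendor /etc/default/grub
```
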