Ubuntu Most Secure?


Post by mimosa »

Did you add a boot menu entry pointing to the refind bootloader (refind_x86.efi) in the refind directory on the existing HDD ESP partition?
Shouldn't this already be there? This hard disk was working perfectly in my old box, and I simply transferred it. When it didn't boot, I looked in the BIOS, which appeared to be set to boot legacy only.

I have contacted the vendor, and am having some difficulty getting them to understand the problem. It is quite possible that I am failing to interpret correctly the options the BIOS offers the user. For example, maybe there is some "feature" somewhere I could turn off, which would allow me to enable EFI without secure boot.

Of course, the scenario that I apparently face is just the one everyone got so exercised about a year or two ago when EFI first became a concrete prospect. It doesn't matter to me in practice, because I have no interest in dual booting - but it would be nice in principle to benefit from the extra security EFI is supposed to offer.

What is more pressing is if users wishing to dual boot Salix with Windows start to encounter something similar, they might be deterred. So I'm keen to spot whatever it is I'm missing, if that is so.

Post by mimosa »

Everything now seems to be ok. Either this is because I hit upon the right set of options to select in the BIOS, or it was working all along.

That is, the HDD didn't initially boot, but had I reinstalled rEFInd after I chrooted into it, or just run eliloconfig, maybe all would then have been well. I'm not sure why this step should have been necessary though, as the same HDD was booting the Salix installation fine in the old box.

Currently, not only does rEFInd work, but when I ran eliloconfig, the system just booted straight into Salix. Since I'm not actually dual booting, this is fine - though I did get pretty used to seeing rEFInd, and the Salix logo, on boot.

I have enabled CSM (which must be disabled for secure boot, in this BIOS at least) and set it to require UEFI for various sub-items. I can't remember what the original settings were; it may have been to boot legacy only, but I'm not sure at this stage.

In conclusion, the only scenario in which this might all be a problem would be if Windows starts to require that it be booted with secure boot. Then as far as I can see, someone wishing to dual boot might not easily be able to.

Post by laprjns »

mimosa wrote: Shouldn't this already be there? This hard disk was working perfectly in my old box, and I simply transferred it.
No, the pointers that the UEFI firmware uses to boot a boot loader are stored in the computer's NVRAM. So if you install a hard disk from a computer that was UEFI booting without problems into another computer, the second computer's UEFI firmware will not have a pointer (i.e. menu entries) in its NVRAM to any bootable UEFI image on the disk. You need to create this pointer (menu entry) either using the UEFI setup (BIOS setup) or efibootmgr (guefi). But of course to use efibootmgr or guefi, you need to be able to boot into a Live version of a Linux distro.
mimosa wrote: When it didn't boot, I looked in the BIOS, which appeared to be set to boot legacy only.
Well, if it is set to legacy mode only then obviously it will not UEFI boot. However, if this really is a recent UEFI implementation, then I would think that it has only two possible modes: UEFI and CSM, which allows for booting either in legacy or UEFI mode. Have you tried bringing up the UEFI firmware boot menu by pressing the appropriate key right after boot up? I say the appropriate key because it is a different key depending on the hardware manufacturer. For my Asus laptop I bring up the UEFI boot menu by pressing the "ESC" key right after pressing the power key. On my desktop with an MSI motherboard the UEFI menu is activated by pressing the F11 key after pressing the power key. You really need to try this, as the list of boot options that will be presented will give you an idea of exactly what mode it is in. I suggest that you have a Salix USB installation stick plugged in when doing this. If the computer is in CSM mode you should see a UEFI and legacy boot option for it.
mimosa wrote: I have contacted the vendor, and am having some difficulty getting them to understand the problem.
I wouldn't be surprised that they know even less about UEFI booting than we do :).
mimosa wrote: It is quite possible that I am failing to interpret correctly the options the BIOS offers the user. For example, maybe there is some "feature" somewhere I could turn off, which would allow me to enable EFI without secure boot.
If this is truly a new computer then I don't believe that UEFI mode can only be enabled with Secure Boot turned on. UEFI has been around a lot longer than Secure Boot, with Secure Boot introduced as an optional feature of UEFI around 2010. However there is nothing simple about understanding and configuring UEFI firmware (BIOS). Each hardware vendor seems to configure their firmware differently, in many cases using different terminology for what is essentially the same function or feature. For example, the two computers that I mentioned above both have AMI firmware version 2.15.1227, yet there are several differences. The MSI desktop has an option called "Windows 8 configuration" in the "advance" tab which when enabled opens up the Secure Boot options. The laptop has no such Windows 8 configuration option and the Secure Boot options are located in the "Security" tab. So very confusing yes, with a need to be configured differently, but in the end they both can be configured to multi-boot OS using UEFI and secure boot off.
mimosa wrote: Of course, the scenario that I apparently face is just the one everyone got so exercised about a year or two ago when EFI first became a concrete prospect.
No, I think your case is different. You had an expectation that simply installing a hard disk into a new computer, it would boot up just like it did in the original computer that it was installed in. You were missing the fact that there needs to be a pointer in the computer's UEFI firmware that points to the UEFI bootable images (refind_x64.efi in your case) in order to boot.

I suggest that you start over again. First set the firmware (BIOS) back to its defaults, turn Secure Boot off, plug in a SalixLive USB stick, press the power on button quickly followed by whatever key you need to press to bring up the internal boot option menu. Better yet, instead of the Salix Live stick, use a rEFInd bootable flash drive. Just download the image from here:
http://sourceforge.net/projects/refind/ ... p/download
and dd it to a USB flash drive. Once booted, rEFInd will detect all your bootable images on your HDD.
“Don’t you see that the whole aim of Newspeak is to narrow the range of thought?"

Post by mimosa »

Thanks very much, laprjns. I think our posts crossed - but it does indeed look as though this is what I was missing:
laprjns wrote: You had an expectation that simply installing a hard disk into a new computer, it would boot up just like it did in the original computer that it was installed in. You were missing the fact that there needs to be a pointer in the computer's UEFI firmware that points to the UEFI bootable images (refind_x64.efi in your case) in order to boot.
That's a classic "bootstrap" problem - but Salix users won't normally face it as they will be doing a fresh install.

EDIT

I do wonder about one thing, just out of curiosity. The firmware can't see what to boot on the HDD unless there are pointers in nvram. So how does it recognize the boot options on a USB medium?

Clearly, in this particular case, that worked, because I was able to boot both a Salix install image, and Live, and get into my hard disk Salix installation that way.

Post by laprjns »

mimosa wrote: I do wonder about one thing, just out of curiosity. The firmware can't see what to boot on the HDD unless there are pointers in nvram. So how does it recognize the boot options on a USB medium?

The UEFI firmware creates a temporary pointer for any removable media that has a bootable image in the EFI/BOOT/ directory of a FAT formatted partition. Specifically, on an x86_64 machine it looks for a file named bootx64.efi in the EFI/BOOT/ directory.
“Don’t you see that the whole aim of Newspeak is to narrow the range of thought?"
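
The two cases discussed in this thread (a loader that needs an NVRAM entry, and the EFI/BOOT/bootx64.efi path probed on removable media) can be checked on a mounted ESP with the sketch below. It is an added example, not code from the posters or from rEFInd; the function names are made up for illustration, and the ESP mount point, disk and partition number are values you supply for your own machine.

```shell
#!/bin/sh
# Added example: inspect a mounted EFI System Partition (ESP).
# FAT is case-insensitive, so paths are compared in lower case.

# Print every *.efi file on the ESP as a lower-cased path relative to its root.
list_efi_images() {
    esp=${1%/}
    find "$esp" -type f 2>/dev/null | while IFS= read -r f; do
        rel=$(printf '%s\n' "${f#"$esp"/}" | tr 'A-Z' 'a-z')
        case $rel in *.efi) printf '%s\n' "$rel" ;; esac
    done
}

# Succeed if the x86_64 fallback loader EFI/BOOT/bootx64.efi is present.
has_fallback_loader() {
    list_efi_images "$1" | grep -qx 'efi/boot/bootx64\.efi'
}

# Print loaders outside EFI/BOOT/, i.e. those that rely on an NVRAM boot entry.
loaders_needing_entry() {
    list_efi_images "$1" | grep -v '^efi/boot/' | sort
}

# Print (do not run) an efibootmgr command that would create the entry.
# $1 = disk, $2 = ESP partition number, $3 = label, $4 = relative loader path
suggest_entry() {
    loader=$(printf '%s\n' "$4" | sed 's,/,\\,g')
    printf 'efibootmgr -c -d %s -p %s -L "%s" -l "\\%s"\n' "$1" "$2" "$3" "$loader"
}

# Usage: sh check_esp.sh /path/to/mounted/esp   (script name is arbitrary)
if [ -n "${1:-}" ]; then
    if has_fallback_loader "$1"; then
        echo "EFI/BOOT/bootx64.efi present (the path probed on removable media)"
    else
        echo "no EFI/BOOT/bootx64.efi on this partition"
    fi
    echo "loaders that need a firmware boot entry:"
    loaders_needing_entry "$1"
fi
```

The printed efibootmgr line is only a suggestion to review; compare it with the output of `efibootmgr -v` before creating anything.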