On Jul 1, 2014, at 12:35 AM, Matthew Garrett mjg59@srcf.ucam.org wrote:

> On Mon, Jun 30, 2014 at 10:35:17PM -0600, Chris Murphy wrote:
>> On Jun 30, 2014, at 4:20 PM, Matthew Garrett mjg59@srcf.ucam.org wrote:
>>> On Mon, Jun 30, 2014 at 03:09:01PM -0600, Chris Murphy wrote:
>>>> Ok for long term. In the next two weeks before freeze, is it possible to modify the grub2-efi package spec file GRUB_MODULES= so that the grubx64.efi has xnu, xnu_uuid, xnu_uuid_test modules baked in? That would fix the main problem in bug 893179 so that the first two OS X entries would then have a chance of working.
>>> Not unless somebody writes signature checking support for them, no.
>> Ahh. So without that, it'd be possible to execute arbitrary code masquerading as xnu on a Secure Boot system?
> Yeah. One option would be to just disable the code if secure boot is enabled - Macs don't implement it, so that would be fine for basically every real world case. But I'd still prefer to chain the Apple bootloader rather than fiddling with XNU.

I'd say until there's a replacement for os-prober's functionality that can also recognize encrypted OS X installs, and grub2-mkconfig creates OS X boot entries using chainloader rather than xnu modules, the simplest solution is anaconda adding DISABLE_OS_PROBER="True" to /etc/default/grub on Macs.
Upstream's solution mystifies me; it's been broken for ~2 years at least, and while it ought to be working now in GRUB 2.02, it's at the whim of Apple's future kernel changes. So not only is it a maintenance hassle, but it also can't boot encrypted OS X installs. I just tested chainloading the Apple bootloader from GRUB on an encrypted OS X installation and it works.
I'm going to guess a significant minority, if not majority, of OS X users who also install Fedora are using encrypted OS X installations. Because os-prober doesn't search Apple Boot partition types, and can't read encrypted Core Storage partitions, OS X boot entries aren't created at all for encrypted OS X installs. So we already have a relatively common scenario where there aren't OS X boot entries. So I still think suppressing os-prober on Macs is a better outcome than unencrypted OS X installs having a GRUB menu with four non-working boot menu entries; it also makes the GRUB menu consistent whether the OS X install is encrypted or not.
Chris Murphy