On 20/2/18 3:51 am, Tom H wrote:
On Wed, Feb 14, 2018 at 4:51 PM, Stephen Morris samorris@netspace.net.au wrote:
On 14/2/18 8:18 pm, Tom H wrote:
On Mon, Feb 12, 2018 at 4:28 PM, Stephen Morris samorris@netspace.net.au wrote:
Thanks Tom. My statement was from having seen other threads on this list saying to not run grub2-install on an efi system because it wasn't needed.
You're welcome.
Chris M has said that grub2-install shouldn't be used on an EFI system. Maybe it does the wrong thing when you don't specify "--target=...-efi" because the default is "--target=i386-pc".
It could be. As I understand it the default functionality updates the mbr on the specified device, and from what I've read in other threads, I thought they said that to get the grub menu displayed at boot you don't update the mbr on an efi system any more, all that is necessary is to just run grub2-mkconfig.
I'd be surprised if "grub-install" defaults to "--target=i386-pc" on EFI if you don't include "--target=x86_64-efi" in the command. Maybe; but I'd expect grub to detect that it's running on an EFI system...
I suspect grub is detecting which architecture is in use. In my /boot/efi/EFI/BOOT the only .efi entries in there other than fallback.efi are x86_64 versions. Also in /boot/efi/EFI/fedora fwupdate has made what I assume are its 32-bit and 64-bit .efi files executable and grubx64.efi is also executable. Also /boot/efi/EFI/fedora/grubenv seems to have its only line, being a saved_entry line, updated every time the machine is booted to reflect the version of the kernel last booted from. This surprises me, as I have never installed Win 10, Fedora 27 or Ubuntu 17.10 in efi format, hence as far as I am aware I'm not using efi even though the motherboard I am using now doesn't appear to have any means to explicitly turn efi off, other than the SecureBoot option, which my previous motherboard that did have the capability of explicitly disabling efi didn't have, also I have SecureBoot disabled in the bios.
I think that I now remember Chris M's objection. It's that the EFI executable that "grub-install" drops onto the ESP isn't signed, which is problematic on SB systems. Ubuntu's "grub-install" has a "--uefi-secure-boot" option to install a signed EFI executable (I _assume_ that "/usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed" is copied to the ESP) but Fedora's grub doesn't have either of these so Chris must be right for the SB case.
I thought that with SB all your drivers etc. had to be signed to be able to boot from a SecureBoot system, and as such Fedora were using Microsoft certificates, whereas Ubuntu was going down the path of self signing. Given what you said around the /usr/lib/grub/x86_64-efi-signed directory, which doesn't exist on my system, and if I understood you correctly doesn't exist in fedora anyway, where are fedora's certificates, and, if I enable SecureBoot in my bios do I have to also load the default certificates that the bios offers?
regards,
Steve
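
The thread turns on whether the grubx64.efi on the ESP carries a signature. The following is an added example, not part of the original messages or of any project's code: it reads the PE/COFF header of an EFI binary and reports whether a certificate table is embedded. The function names and the sample image are constructed for illustration; a real check would pass a path such as /boot/efi/EFI/fedora/grubx64.efi on the command line.

```python
import struct
import sys

SECURITY_DIR = 4  # data-directory index of the Authenticode certificate table

def cert_table(image: bytes):
    """Return (machine, file_offset, size) of the PE certificate table; size 0 = unsigned."""
    if image[:2] != b"MZ" or len(image) < 0x40:
        raise ValueError("no MZ header")
    (pe,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    (machine,) = struct.unpack_from("<H", image, pe + 4)
    opt = pe + 24                                   # optional header follows 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional-header magic")
    dirs = opt + (112 if magic == 0x20B else 96)    # PE32+ vs PE32 layout
    (count,) = struct.unpack_from("<I", image, dirs - 4)
    if count <= SECURITY_DIR:
        return machine, 0, 0
    off, size = struct.unpack_from("<II", image, dirs + 8 * SECURITY_DIR)
    return machine, off, size

def has_embedded_signature(image: bytes) -> bool:
    """True if a certificate table is present and lies inside the file.
    This does not validate the signature or check it against the firmware's keys."""
    _, off, size = cert_table(image)
    return size > 0 and off + size <= len(image)

def sample_image(signed: bool) -> bytes:
    """Constructed minimal PE32+ header (x86_64) for demonstration; not a bootable binary."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)            # NumberOfRvaAndSizes
    cert = b""
    if signed:
        cert = struct.pack("<IHH", 16, 0x0200, 0x0002) + bytes(8)  # placeholder WIN_CERTIFICATE
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, 0x40 + 24 + 240, len(cert))
    return dos + coff + bytes(opt) + cert

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "signed" if has_embedded_signature(fh.read()) else "unsigned")
```

A "signed" result only means a certificate table is present; whether the firmware accepts it depends on the keys enrolled in its Secure Boot databases.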