LinuxQuestions.org


business_kid 12-13-2012 11:42 AM

No Boot on UEFI box (Samsung 350V)
 
I've had a go at this, and sense I'm close, so I'm asking for help now.

I'm working with This Box

From these docs:
Slackware's Doc
but I can't set usb boot capability, and

http://www.rodsbooks.com/efi-bootloaders/elilo.html

I have SAMSUNG 350V, AMI BIOS Version P03ABE, & MICOM Version P03ABE. Of the new crop of laptops, it's certainly one of the more stubborn to get linux onto, and I imagine Samsung have bent over backwards to facilitate m$ :-(.

in the EFI System Partition, I now have:
EFI/
EFI/Boot/ with bootx64.efi, bzImage-3.6.10-dec.efi, elilo.conf, elilo.efi
EFI/Microsoft/ Who cares what's here?
EFI/Slackware/ Basically the same as Boot/

The default file is EFI/Boot/bootx64, which is now an elilo file, but there's no joy. Every helpful download that m$ had on its site has vanished, and there's a massive number of broken links in all of this. On top of this, there are more developer packages than user ones. On the box, I have installed a lot of stuff. Elilo doesn't ship with filesystem drivers, so it relies on the start up software (Better words than BIOS) handling that stuff. So everything has to go right where it is. Elilo doesn't even have a 'make install' target. It makes elilo.so & elilo.efi. The elilo.efi I know what to do with - what about the lib?

Elilo.conf reads:

prompt
chooser=textmenu
timeout=50
default=Slackware

image=bzImage-3.6.10-dec.efi  # has the EFI stub option set
    label=Slackware
    read-only
    root=/dev/sda8

Do I have to run elilo in all boot changes, dangers, temptations & afflictions like one did with lilo??

I have secure boot disabled, and am running on a boot order of
1. CD
2. Hard disk with no mention of secure boot
3. UEFI Secure Boot for windows.

If I take out the CD, & reboot, I get a generic error about "please insert a disk in selected boot device and press any key", the UEFI equivalent of the middle finger. Ditto if I disable Secure boot while booting from hd. In the Microsoft directory, there's bootmgr.efi, memtest.efi, and bootmgfw.efi, which look promising, but I can't get to them. Samsung has no information _at_all_ available on this. There has to be a shell somewhere. I have a download and an EDK environment to build it with, but this is all a bit beyond the average luser.

Can anyone point me from their success?

Ztcoracat 12-13-2012 12:23 PM

Looking for articles that can help you-
Found these:
http://social.msdn.microsoft.com/For...6-166dddf32205

Here is a PDF about Samsung and Windows 8 with UEFI that might help:
Using the Samsung Series 7 Slate (700T) with Windows 8 ...
Samsung Support can only respond to support issue with the version of ...  Configure system firmware for UEFI Boot  Install Windows 8 Customer Preview
http://www.samsung.com/global/window...ta/1_Using_the...

http://blogs.msdn.com/b/b8/archive/2...with-uefi.aspx
http://www.neowin.net/news/microsoft...-uefi-concerns

How To Dual Boot Ubuntu and Windows 8
http://techmell.com/how-to/dual-boot-ubuntu-windows-8/
http://www.linuxquestions.org/questi...ux-4175433507/

Windows + Slackware Dual Boot
http://www.linuxforums.org/forum/sla...dual-boot.html

Hope this helps and I wish you the best!;)

business_kid 12-14-2012 11:33 AM

@Ztcoracat: Thanks for the docs. I'll go through them. I'm beginning to realize many of them are just plain WRONG as far as windows 8 is concerned, because m$ insists on windows 8 pcs having a DB of approved keys in nvram. This isn't a UEFI restriction, this is an M$ restriction.

Legacy Boot requires an MBR. I've just booted my windows 8 box on an MBR formatted disk. Secure boot is disabled and Legacy OS is set. I can (and have been) booting from the CD also. This is what some windows head says:
Quote:

While all Windows can boot from an MBR disk, you can only boot from a GPT disk if you have an operating system (see below) that supports GPT and your motherboard has an EFI BIOS and is enabled. Windows 7 and Vista do support booting from a GPT disk.
If you want to boot off a GPT disk, you're into Secure boot. Period. The best doc I have found so far is This_One

The GNU tools are out there, but the certificates registered with m$ (and consequently accepted by the system) are not. For me, the choice is simple. I can either

1. Keep the most unusable version of windows ever written for the foreseeable future. :banghead:

2. Clear the disk, and go to legacy boot with an mbr. :D

3. Fart about endlessly hacking into my own system trying to run under secure boot.:banghead:

For the benefit of anyone testing software in this area, I have 6 partitions:
1 - Recovery for EFI, 2 - ESP, 3 - 'm$ reserved' 128mb & unreadable, 4 - drive C, 5 - RecoveryImage for W8, 6 -data/ Backup/restore stuff.

I can access BIOS type setup to disable secure boot, and F4 & F5 bring me to an M$ recovery setup. That's it. No shell, except through windows. Adding Keys seems to pose a significant obstacle, where nothing is documented and it's like trying to crack a safe. I did find a shell for download, and the EDK environment needed around it to build, but they're windows stuff and I'm not into building windows software.

business_kid 12-14-2012 01:58 PM

I got to some of those links. This may save others time.
Quote:

Originally Posted by Ztcoracat (Post 4848648)

This is how to INSTALL windows 8. You were kind to think of every option, Ztcoracat, but I'm not going there.
Quote:

Originally Posted by Ztcoracat (Post 4848648)

Broken link from Ireland :-O
m$ telling people secure boot isn't what it is :-/.
Quote:

Originally Posted by Ztcoracat (Post 4848648)

This one is on the ball. Unfortunately, Ubuntu-12.10 shipped with shim-0.1 from Matthew Garrett which lacked functionality, and you really need shim-0.2. This is coming, I believe, in Ubuntu-13.04 and Fedora 18, and probably the next SuSE release as well.
Quote:

Originally Posted by Ztcoracat (Post 4848648)

The doc in docs.slackware.com is nice for windows 7. Doesn't cut it for windows 8. No Key insertion, so linux is not seen/rejected.

For this to work there have to be 3 keys. A personal key, a platform key, and a private key (Manufacturer's and registered with m$). I have to load the private key into the nvram database of such keys.

Another Catch-22 is this: The only way to boot with a GPT disk is secure boot. With Secure boot disabled, I'm down to the Slackware DVD, using the kernel-3.2.29. To get loading stuff into the db & boot order, the only shell I can use is efibootmgr. That requires the efi_vars module. Slackware's 3.2.29 doesn't ship with efi_vars :-(. I have 3.6.10 on disk with everything, but I can't get it to load. All that farting about, to keep the @$%#-iest windows ever!

The only thing that stopped me wiping windows entirely tonight is that it's such a perfectly locked up and locked out system, it would be nice to keep it and have the disk there for developers to test their ideas on. If they get going on this one, they're good!
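
Added example, not part of any post in this thread: a shell check, relevant to the efibootmgr / efi_vars problem described in the post above, that reports whether the running kernel was started through UEFI, whether EFI variables are exposed to it, and what the firmware's SecureBoot and SetupMode variables contain. The sysfs paths and the global-variable GUID are the standard Linux/UEFI ones; the ROOT argument is an assumption added here so the functions can be tried on a constructed directory tree.

```shell
#!/bin/sh
# Added example: report firmware boot mode and Secure Boot state from sysfs.
# EFI_GLOBAL is the EFI global-variable GUID defined by the UEFI specification.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efi_var_byte ROOT NAME
# Prints the first data byte of a global EFI variable as a decimal number,
# or nothing if the variable cannot be read.
efi_var_byte() {
    root=$1
    name=$2
    new="$root/sys/firmware/efi/efivars/$name-$EFI_GLOBAL"    # efivarfs
    old="$root/sys/firmware/efi/vars/$name-$EFI_GLOBAL/data"  # legacy efi_vars module
    if [ -r "$new" ]; then
        # efivarfs prefixes the data with a 4-byte attribute word; skip it.
        od -An -tu1 -j4 -N1 "$new" | tr -d ' \n'
    elif [ -r "$old" ]; then
        od -An -tu1 -N1 "$old" | tr -d ' \n'
    fi
}

# boot_report ROOT
# Prints a one-line summary. ROOT is "" on a live system (assumed parameter,
# only there so a constructed tree can be inspected instead of the real /sys).
boot_report() {
    root=$1
    # No /sys/firmware/efi at all: the kernel was not started by UEFI firmware,
    # so efibootmgr cannot work however the kernel was built.
    if [ ! -d "$root/sys/firmware/efi" ]; then
        echo "mode=legacy-bios"
        return 0
    fi
    # UEFI boot, but neither variable interface is present (module not loaded
    # or not built): the situation where efibootmgr has nothing to talk to.
    if [ ! -d "$root/sys/firmware/efi/efivars" ] && [ ! -d "$root/sys/firmware/efi/vars" ]; then
        echo "mode=uefi vars=unavailable"
        return 0
    fi
    sb=$(efi_var_byte "$root" SecureBoot)   # 1 = Secure Boot enforced
    sm=$(efi_var_byte "$root" SetupMode)    # 1 = no platform key enrolled
    echo "mode=uefi vars=available secureboot=${sb:-unknown} setupmode=${sm:-unknown}"
}

boot_report "${1:-}"
```

A "mode=legacy-bios" result from install media means the media itself was started in BIOS/CSM mode, so the firmware's boot entries cannot be read or changed from that session.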

Ztcoracat 12-14-2012 02:57 PM

If it were me; Mate I Would Be really ticked off-

Thanks for saying I was kind to think of everything:hattip:
I certainly hope that you're able to overcome this most undesirable nonsense-

Quote:

This isn't a UEFI restriction, this is a M$ restriction
I agree and my room mate said the same thing. A lot of folks are really unhappy about this whole thing. In fact, I can't imagine what M$ has to gain by doing this. In my mind this is bad business practices focusing on one thing- 'pure profit' IMO

Quote:

For this to work there have to be 3 keys. A personal key, a platform key, and a private key (Manufacturer's and registered with m$). I have to load the private key into the nvram database of such keys.
This sounds complicated and is somewhat above my head.
I remember reading about a platform key but the personal key is news to me.
Think I better :study: some more.

I see; you have 3.6.10 Kernel on disc but can't get it to load-
I'm sorry that you're frustrated; I feel for ya-
Wish I could help more-

If I find any other articles or a light bulb in this head of mine lights up I'll write ya another post-
Off to do more re-search and :study:

Ztcoracat 12-14-2012 03:31 PM

Reviewing the notes I wrote by hand I'm sharing what I found.
If you're already aware; pardon me repeating what you are already educated on-

For Linux to access UEFI Runtime Services, the UEFI Firmware processor architecture and the Linux Kernel processor must match. It is independent of the bootloader used.

A man at Canonical was able to create his own secured binaries that will boot and work on a UEFI Linux Secured System. I think he achieved it by extracting the Operating System's Vendors key exchange key from it and installed it to the database. (These keys you already mentioned) This tool would be activated by the UEFI System as soon as it saw the unauthorised media inserted so the platform owner could decide whether they wished to accept the key for OS install and boot.

I tried going here 3 times and my browser didn't comply-(page was re-set)
http://fedoraproject.org/wiki/Features/EFI
And a PDF@
http://www.linuxfoundation.org/publi...open-platforms

Here's something I didn't know:
A UEFI application may launch another application (in the case of a UEFI shell or a boot manager like rEFInd) or the kernel and initramfs (in the case of a bootloader; Grub 2), depending on how the UEFI application was configured.

Legacy mode is no-EFI mode; right?

onebuck 12-14-2012 04:09 PM

Member Response
 
Hi,
@ Ztcoracat Your link is broken, correct link: Making UEFI Secure Boot Work With Open Platforms

Other Useful UEFI links from Linux Foundation: http://www.linuxfoundation.org/search/node/UEFI

Ztcoracat 12-14-2012 04:25 PM

Thanks Onebuck for the correction!:)

Ztcoracat 12-14-2012 04:30 PM

Good information to learn from in regard to taking control of all the keys!
http://blog.hansenpartnership.com/uefi-secure-boot/

Still studying-

business_kid 12-15-2012 03:16 AM

Quote:

For Linux to access UEFI Runtime Services, the UEFI Firmware processor architecture and the Linux Kernel processor must match. It is independent of the bootloader used.
I didn't know that! It makes my temporary solution more appealing.

I bought an ssd on ebay last night - a small one, but a new disk nevertheless. It's going in, formatted with an mbr, and secure boot is being disabled. That will work. I know it will work because I've already tried it. My HD I am keeping as is for the moment.

Onebuck, you being a moderator type, can you notify the various distro maintainers that they have the most awkward box imaginable sitting here in Ireland ready to test their attempts? I can shove the disc back in and they can ruin it - I don't care. It's backed up, and not in use.

And the box is bad: With Secure Boot on, it won't look at the CD/DVD unless I'm mistaken; It doesn't boot usb in any case. It will boot PXE with F12 pressed at boot. No shell is supplied that I can find - just a 'windows recovery' program. Grub2 just craps out on it (Does grub2 do anything else?). Fedora's grub-legacy & grub-efi say "Failed to embed stage1 ... failed to embed stage2". Elilo is ignored. There is a 'bootmgr.exe' buried somewhere in the windows stuff. No documentation :-(.

onebuck 12-15-2012 07:56 AM

Member Response
 
Hi,

I wish things were that easy. Most active maintainers are doing their best to interact with their user base when necessary to keep things working for the distribution. Look at Slackware as an example, PV does lurk and interact at times on Slackware forums. Very receptive to the user base input. Not to say changes are made all the time but that the mood along with experiences do help to improve the distro.

'UEFI' is not new, 'Secure Boot' is Microsoft's way of implementing the protocol to insure their OS for the user base. Researching 'UEFI' protocol and how the future with OEM equipment that will or are using 'Secure boot' so I will know how or when things can be done to utilize hardware with Open Source. Every user needs to be aware of the abilities to use the hardware and how with open source on this same hardware, if at all. If the machine has a Microsoft Windows 8 logo you should be able to implement via disable or jump through the right hoops to get an install on the equipment by use of Key Exchange Keys (KEK) that can be added to a database stored in memory to allow other certificates to be used. But the KEK must be connected to the system's private part of the platform key. If not done properly then you will have errors.

Please be aware that there are too many rumors or just plain 'FUD' that conflicts the situation thus creating uncertain situation for those that are not fully aware of the what & how concerning 'UEFI' protocol and the feature use of 'Secure boot' protocol by Microsoft.

'UEFI' is necessary for the future of computing. 'BIOS' has been extended via hacks to implement newer abilities/capabilities for ever changing computer hardware. We need this expansion, 'UEFI' protocol is not a bad thing, just a necessity to extend capabilities for newer hardware & software.

Linux users will do everything to prevent root kits or other means to prevent unwanted access to their system. I look at 'UEFI' as means to improve the methods from a firmware perspective to allow full use of hardware instead of the BIOS way. BIOS has too many holes and hacks to get hardware to work thus vulnerable.

business_kid 12-15-2012 08:02 AM

I should have made myself clearer.

If anyone wants to put a distro out, he is going to have to take UEFI on henceforth. Here is the toughest obstacle they are likely to meet. If nobody needs that, it's OK, and I'll reformat the drive sometime.

I personally feel pxe may be the way to do it - it seems easier than the other options.

onebuck 12-15-2012 09:30 AM

Member Response
 
Hi,
Quote:

Originally Posted by business_kid (Post 4849816)
I should have made myself clearer.

If anyone wants to put a distro out, he is going to have to take UEFI on henceforth. Here is the toughest obstacle they are likely to meet. If nobody needs that, it's OK, and I'll reformat the drive sometime.

I personally feel pxe may be the way to do it - it seems easier than the other options.

'UEFI' protocol is not the issue. You can now use 'UEFI' protocol. 'Secure boot' is a 'UEFI' feature that Microsoft is implementing. That is an issue when one cannot disable 'Secure boot', most OEM will provide the means to disable. You can then use the machine as legacy 'BIOS' mode for standard 'PXE' or work with 'UEFI PXE' KEK to provide the means to install. Linux kernel does provide the means, the user will have to learn to use things properly.

My question to you is how 'PXE' is the way to do what? How do you expect to enable the 'PXE' via 'UEFI'? 'UEFI PXE' is available. You will still need to integrate KEK for that install. You could use 'iPXE' (work in progress) to do a standard install;
Quote:

from http://www.ipxe.org/efi/vision
A large part of the success of iPXE has come from going beyond the constraints of the standard PXE model. Users choose iPXE because of its ability to perform tasks beyond the scope of a legacy PXE ROM: tasks such as booting via HTTP, booting via iSCSI, controlling the boot process with a script, creating dynamic menus, etc. Conformance to the PXE specification is a necessity, and is required in order for iPXE to be provided as an OEM PXE stack, but it is the more advanced features which make iPXE a success.

The push towards UEFI firmware currently represents a downgrade in the user experience of network booting. UEFI has adopted a model that is essentially identical to the legacy PXE specification. iPXE currently provides only a vanilla SNP interface within the UEFI environment, and the user experience is therefore limited to a standard UEFI network boot; the advanced features of iPXE (such as HTTP, DNS, scripting, etc) are not yet available.....

The guiding principle is that iPXE should go beyond the constraints of the standard UEFI model, in order to replicate the success that it has achieved by going beyond the constraints of the standard PXE model.
Work in progress! Plus you will need the ROM. Standard 'PXE' would not work with 'UEFI' protocol, you would need to set to 'BIOS' mode then do install via standard 'PXE'. Your machine would be in 'BIOS' mode.

HTH!

business_kid 12-15-2012 11:50 AM

This is a good place to lay that stuff down, because people will search these threads for their own answers.
I spent the last week reading up on this stuff and while I wouldn't claim to be the world's expert, I did get an idea of what was involved. For me, windows is not worth it.

My experience on this box with Secure boot enabled:
No access to any shell, short of vandalizing the m$ boot. If you do that, its recovery recreates the m$ boot, AFAICT. No usb boot; No CD boot. Only pxe, with which I haven't experimented. When windows 8 is booted, the ESP is examined and "Fixed" without any option to avoid it.

With Secure Boot disabled, I have cd boot. No GPT Boot, so the disk won't boot. Just mbr & CD boot works with secure boot disabled.

To my mind, that's a pretty wilful way of locking out competitor OSes in an attempt to prop up the worst version of windows ever. Installing isn't out of the question, but dual boot certainly seems to be.

Ztcoracat 12-15-2012 12:13 PM

Quote:

To my mind, that's a pretty wilful way of locking out competitor OSes
Agreed; business_kid-
However; I can't seem to wrap my mind around why this has become a normal practice and what exactly are the motives to repeat this over and over again. (Other than mass produce to provide a corporation profit) This is just my thoughts and opinions but I think that if one (meaning an individual, group, corporation) does enough bad it comes back.

In my mind this practice of producing this Unified Extensible Firmware Interface is generating positive and negative energies and a hint of upheaval. The average folks that have PC may have extreme difficulty trying to figure/configure this equation out-

I'll think twice before I purchase another PC in the future.

I wish you the best business_kid and I hope that your distro is now functional on your new computer.

This is a great thread to learn from; I'll teach it to noobs if I'm asked-

Have a great weekend!

