On Fri, 27 Mar 2015 13:04:04 -0600
Chris Murphy
On Fri, Mar 27, 2015 at 11:51 AM, Andrei Borzenkov wrote:
Secure Boot chainloading of the Windows bootloader does not need any patches. It is signed and will pass verification when loaded by standard EFI chainloader. Patches are needed to allow loading of non-signed (at least, by Microsoft or in general signed by keys unknown to firmware) EFI executable.
https://build.opensuse.org/package/view_file/openSUSE:Factory/grub2/grub2-se...
With Secure Boot enabled, openSUSE GRUB's Windows menu entries work.
On Fedora and Ubuntu, they don't work, unless Secure Boot is disabled and then the menu entries work.
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1091464
https://bugzilla.redhat.com/show_bug.cgi?id=1170245
I tried to reproduce it (using QEMU with OVMF + Microsoft keys) but unfortunately Windows 2012 R2 preview image I downloaded fails to boot when secure boot is enabled. Apparently bootloader from this image is not signed indeed:

    bor@opensuse:~/src/linux> pesign -S -i /tmp/esp/bootx64.efi
    No signatures found.

If you have Windows installation with working secure boot enabled, could you please send me \EFI\Windows archive?
They don't do it that way, it's done mainly with Fedora's mactel-boot and anaconda/blivet packages. They create an HFS+ volume to use as a faux EFI System partition; and do not use the actual FAT32 EFI System partition at all (neither does Apple). What this enables is a way to choose Fedora from the OS X > System Preferences > Startup Disk panel, which is where a user typically chooses to change OS's (between OS X versions, Windows, and now also Fedora).
Grub includes grub-bless utility for OS X. I wonder, if this is exactly what is required.
I've suggested on upstream GRUB list that grub2-mkconfig should stop using these CSM-BIOS xnu modules to boot OS X, and instead chainload the Apple bootloader, but no one has volunteered to do this work.
I already told you that grub is using whatever os-prober returns. It is up to os-prober to return EFI chainloader entry.
That's still a static configuration approach, but more sane than the one we have now that grub.cfg has become at least as much a sophisticated shell script, rather than a strict boot entry configuration file. Preferably dynamic discovery would be superior, like Apple's boot manager, gummiboot, and rEFInd.
I'm not happy with it either but no amount of "oh, this should be changed" is going to change it. Please suggest an alternative. And do not forget that everything you named supports a rather limited environment compared with grub.