Been down the rabbit hole lately of UEFI Secure Boot issues, and decided to write an overview of how it works out-of-the-box in the excellent Debian-based Linux Mint LMDE 6.

Have mostly been researching this stuff as I was looking to replace GRUB entirely with systemd-boot on one of my systems. Will likely write a follow-up piece documenting that journey if I think it’d be interesting to some nerds out there.

  • tony@lemmy.hoyle.me.uk
    1 year ago

    If you want to experiment with UEFI you don’t need systemd-boot either, just create an EFI-bootable kernel and direct boot it. rEFInd is still around I think too for graphical boot (although that’s mainly used by Macs… Apple users like GUIs :p).

  • jungleben@infosec.pub
    1 year ago

    If distros signed the bootloaders with their own keys, then I would configure my system to only use those keys and not include Microsoft’s.

  • terminhell@lemmy.dbzer0.com
    1 year ago

    Interesting. I guess this could be a method to allow actual full disk encryption? Unless there’s a way to have GRUB encrypted too?

  • henfredemars@infosec.pub
    1 year ago

    Perhaps I missed it when skimming the article, but why were you looking to replace GRUB?

    In case it was in the article, it might be worth adding that information up here.

    • TiffyBelle@feddit.ukOP
      1 year ago

      Good question! There are a few reasons, I guess:

      • There’s a large element of “because I can” to this, just to explore how stupid the scope of systemd is as a suite.
      • There’s a small practical element. GRUB itself is quite a hefty tool to accommodate all kinds of boot setups, and it works well. If you have a simple boot setup though you could probably shave a couple of seconds off of the boot time just by using the simplified sd-boot and loading the kernel via its EFIStub.
      • A learning exercise in self-signing EFI binaries, enrolling a MOK (if I use Shim), and setting up scripts to handle updates.

      All boils down to my enjoyment of doing weird nerdy things though, ultimately. =)