Been down the rabbit hole lately of UEFI Secure Boot issues, and decided to write an overview of how it works out-of-the-box in the excellent Debian-based Linux Mint LMDE 6.

Have mostly been researching this stuff as I was looking to replace GRUB entirely with systemd-boot on one of my systems. Will likely write a follow-up piece documenting that journey if I think it’d be interesting to some nerds out there.

  • henfredemars@infosec.pub · 5 upvotes · 1 year ago

    Perhaps I missed it when skimming the article, but why were you looking to replace GRUB?

    In case it was in the article, it might be worth adding that information up here.

    • TiffyBelle@feddit.uk (OP) · 20 upvotes, 1 downvote · edited · 1 year ago

      Good question! There’s a few reasons, I guess:

      • There’s a large element of “because I can” to this, just to explore how stupid the scope of systemd is as a suite.
      • There’s a small practical element. GRUB itself is quite a hefty tool to accommodate all kinds of boot setups, and it works well. If you have a simple boot setup though you could probably shave a couple of seconds off of the boot time just by using the simplified sd-boot and loading the kernel via its EFIStub.
      • A learning exercise in self-signing EFI binaries, enrolling a MOK (if I use Shim), and setting up scripts to handle updates.

      All boils down to my enjoyment of doing weird nerdy things though, ultimately. =)

      • cdombroski · 1 upvote · 1 year ago

        Using systemd-boot with the shim is definitely doable; you just have to name the systemd-boot loader as grubx64.efi in the EFI/BOOT directory. After that, you just need to sign any dkms modules with a key imported into MOK and register the hash of systemd-boot with MOK.
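
As an added example that is not code from this thread or from the shim, systemd or dkms projects, here is a POSIX shell script that does what cdombroski describes (sd-boot installed under the grubx64.efi name shim chainloads, its PE hash enrolled in MOK, DKMS modules signed with the MOK key) and also covers TiffyBelle's items about self-signing EFI binaries and scripting updates. Everything about the environment is my assumption: ESP mounted at /boot/efi, key material kept in /var/lib/mok, the sbsigntool, mokutil, pesign, openssl and matching linux-headers packages installed, and DKMS modules present as uncompressed *.ko files under /lib/modules/<kver>/updates/dkms.

```shell
#!/bin/sh
# Added example, not code from the thread or from the shim/systemd projects.
# Puts systemd-boot behind shim under the file name shim expects, creates and
# enrols a MOK, registers sd-boot's PE hash (or signs sd-boot with the MOK)
# and signs DKMS modules with the same key.
# Assumptions (mine, not from the thread): ESP at /boot/efi, keys in
# /var/lib/mok, sbsigntool/mokutil/pesign/openssl/linux-headers installed,
# DKMS modules as uncompressed *.ko under /lib/modules/<kver>/updates/dkms.
set -eu

ESP="${ESP:-/boot/efi}"
MOK_DIR="${MOK_DIR:-/var/lib/mok}"
SDBOOT_SRC="${SDBOOT_SRC:-/usr/lib/systemd/boot/efi/systemd-bootx64.efi}"

# shim chainloads a fixed file name next to itself, so sd-boot must live here.
shim_payload_path() {
    printf '%s/EFI/BOOT/grubx64.efi\n' "$1"
}

# pesign prints the Authenticode (PE image) digest; pull the 64 hex digits out
# so we do not depend on the surrounding label text. This is the value shim
# compares against the MOK hash list; it is NOT sha256sum of the whole file.
extract_pe_hash() {
    printf '%s\n' "$1" | grep -oE '[0-9a-fA-F]{64}' | head -n 1
}

# One-time: generate a MOK key pair (DER for enrolment, PEM for sbsign) and
# queue the certificate; mokutil asks for a one-off password that MokManager
# asks for again on the next boot before the key becomes trusted.
create_and_enroll_mok() {
    mkdir -p "$MOK_DIR" && chmod 700 "$MOK_DIR"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Local Secure Boot MOK/" \
        -keyout "$MOK_DIR/MOK.priv" -outform DER -out "$MOK_DIR/MOK.der"
    openssl x509 -inform DER -in "$MOK_DIR/MOK.der" -out "$MOK_DIR/MOK.pem"
    mokutil --import "$MOK_DIR/MOK.der"
}

# Route 1 (what the comment describes): copy sd-boot into place and enrol its
# PE hash. Caveat: the hash changes with every systemd-boot package update,
# so this step (and the MokManager reboot) has to be repeated each time.
install_sdboot_by_hash() {
    cp "$SDBOOT_SRC" "$(shim_payload_path "$ESP")"
    hash=$(extract_pe_hash "$(pesign --hash --in "$SDBOOT_SRC")")
    [ -n "$hash" ] || { echo "could not compute PE hash" >&2; return 1; }
    mokutil --import-hash "$hash"
}

# Route 2: sign sd-boot with the MOK instead of enrolling its hash. Updates
# then only need re-running this function, which is easy to hook into a
# package-update script; no reboot into MokManager is needed.
install_sdboot_signed() {
    sbsign --key "$MOK_DIR/MOK.priv" --cert "$MOK_DIR/MOK.pem" \
        --output "$(shim_payload_path "$ESP")" "$SDBOOT_SRC"
    sbverify --cert "$MOK_DIR/MOK.pem" "$(shim_payload_path "$ESP")"
}

# Sign every DKMS module for one kernel with the MOK so the kernel loads them
# under Secure Boot; modinfo shows the signer field afterwards as a check.
sign_dkms_modules() {
    kver="${1:-$(uname -r)}"
    signer="/usr/src/linux-headers-$kver/scripts/sign-file"
    find "/lib/modules/$kver/updates/dkms" -name '*.ko' | while read -r mod; do
        "$signer" sha256 "$MOK_DIR/MOK.priv" "$MOK_DIR/MOK.der" "$mod"
        printf '%s signed by: %s\n' "$mod" "$(modinfo -F signer "$mod")"
    done
}

# Usage (as root): enroll-key | sdboot-hash | sdboot-sign | dkms [kver]
case "${1:-}" in
    enroll-key)  create_and_enroll_mok ;;
    sdboot-hash) install_sdboot_by_hash ;;
    sdboot-sign) install_sdboot_signed ;;
    dkms)        sign_dkms_modules "${2:-}" ;;
    *)           ;;   # no argument: only define the functions
esac
```

Route 2 is the one to pick if the goal is an update script: the MOK certificate is enrolled once, and every later systemd-boot or kernel update is handled by re-signing, whereas the hash route needs a trip through MokManager after each sd-boot update.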

      • henfredemars@infosec.pub · 4 upvotes, 5 downvotes · 1 year ago

        In the interest of politeness I reserved my initial reaction of absolute horror that this would even be attempted by systemd.