grub2 build instructions


Quick instructions for building bootx64.efi


1. Install Ubuntu 64-bit in VBox as a UEFI VM (not MBR boot, or the compiled bootx64.efi will give a "grub-efi-secure-boot not found" error when running ISOs, etc.!)

Note: the installer seems to stick on "remove CD" - so reset the VM.

If it doesn't boot to UEFI, boot from the UEFI shell:
fs0:
cd EFI
cd ubuntu
cp grubx64.efi bootx64.efi
bootx64
Once in a terminal, type:
sudo su
grub-install

2. terminal: sudo su - for elevated rights

3. git clone git://git.savannah.gnu.org/grub
4. cd grub
apt-get install bison flex autoconf libdevmapper-dev
sudo apt install grub-efi-ia32-bin grub-efi-amd64-bin grub-pc-bin grub2-common grub-efi-amd64-signed

sudo apt-get install bison libopts25 libselinux1-dev autogen m4 autoconf help2man libopts25-dev flex libfont-freetype-perl automake autotools-dev libfreetype6-dev texinfo

make distclean
./autogen.sh
./configure --target=x86_64 --with-platform=efi
make

make check (takes ages for some reason!)


./grub-mkimage -O x86_64-efi -d . -o grub.efi -p "" boot normal part_gpt fat ext2 lvm configfile lspci ls reboot datetime loadenv search help video efi_gop

./grub-mkimage -d ./grub-core -o bootx64.efi -O x86_64-efi -c ./grub-buildin.cfg -p /foobar biosdisk part_msdos fat ntfs exfat configfile ls echo cpuid loopback regexp read bsd probe ext2

Note the two additional modules video and efi_gop, which were not required in previous releases of GRUB2. The efi_gop module is for use with UEFI firmware that implements the Graphics Output Protocol (GOP), which pretty much all UEFI implementations do. If your system firmware implements the older UGA (Universal Graphics Adapter) Protocol, which was part of the EFI 1.1 specification (older Apple Macs for example), then use the efi_uga module instead. If you use the wrong module, typically you will get an "Error: no suitable mode found" message, but your system will continue to boot and you may or may not be able to see anything on your screen.


/foobar (the -p prefix directory) does not need to exist, but grub-mkimage gives an error if -p is not specified at all. grub-buildin.cfg example - see below.


for pc build, best to keep core.img below 32k so it fits in the gap between the MBR and the 1st partition (partition starts at sector 63, so 62 usable sectors x 512 bytes = 31 KiB).

Quicker method??
mount the target partition at /mnt, then:
apt install grub-efi-ia32-bin grub-efi-amd64-bin grub-pc-bin grub2-common grub-efi-amd64-signed
grub-install --removable --no-nvram --no-uefi-secure-boot --efi-directory=/mnt --boot-directory=/mnt --target=i386-efi
grub-install --removable --no-nvram --no-uefi-secure-boot --efi-directory=/mnt --boot-directory=/mnt --target=x86_64-efi
grub-install --removable --boot-directory=/mnt --target=i386-pc /dev/sdX
(--removable writes the fallback path EFI/BOOT/BOOTX64.EFI; --no-uefi-secure-boot is a Debian/Ubuntu addition to grub-install that installs the plain, unsigned grub image instead of shim + signed grub.)
This did not seem to work (unbootable grubx64.efi) - grub-install --removable --no-nvram ---uefi-secure-boot --efi-directory=/mnt --boot-directory=/mnt --target=x86_64-efi


Signing??

In order to boot on the widest range of systems, Ubuntu uses the following chain of trust:
Microsoft signs Canonical's 'shim' 1st stage bootloader with their 'Microsoft Corporation UEFI CA'. When the system boots and Secure Boot is enabled, firmware verifies that this 1st stage bootloader (from the 'shim-signed' package) is signed with a key in DB (in this case 'Microsoft Corporation UEFI CA')
The second stage bootloader (grub-efi-amd64-signed) is signed with Canonical's 'Canonical Ltd. Secure Boot Signing' key. The shim 1st stage bootloader verifies that the 2nd stage grub2 bootloader is properly signed.
The 2nd stage grub2 bootloader boots an Ubuntu kernel (as of 2012/11, if the kernel (linux-signed) is signed with the 'Canonical Ltd. Secure Boot Signing' key, then grub2 will boot the kernel which will in turn apply quirks and call ExitBootServices. If the kernel is unsigned, grub2 will call ExitBootServices before booting the unsigned kernel)

Actually, the way Ubuntu does it is twofold: The grub bootloader is signed by a Canonical signing key (specifically, the common name is "Canonical Ltd. Secure Boot Signing"), and they have a signed 'shim' which is signed by Microsoft's UEFI key (bootx64.efi) which loads grub.
The way it's set up tells the secure boot system to allow the Canonical signing key, letting there be a full chain all the way.

This essentially means that Canonical (and thus the grub2-signed project) has access to a key which can be used to sign EFI binaries for secure boot, and thus it stands to reason that all grub modules can and should be signed with it at the same time as the main grub binary. I'd also like to note that the fwupdate-signed package's 'fwupx64.efi' binary is signed by the same key as the grub project, so there shouldn't be any 'we can only sign this one specific binary with this key' rules.
The mechanism used for module signing in GRUB postdates us setting up image signing for UEFI Secure Boot, and we've never got round to working out how the two might interact. (For instance, they use entirely different key formats.) This also means that we can confine the set of GRUB modules that could cause a Secure Boot compromise to a smaller set. You can certainly raise bugs asking for additional modules to be added.



sbsign signs EFI files. Make a test key and a self-signed cert (the DER copy is what you enrol into db or MOK):
openssl genrsa -out test-key.rsa 2048
openssl req -new -x509 -sha256 -subj '/CN=test-key' -key test-key.rsa -out test-cert.pem
openssl x509 -in test-cert.pem -inform PEM -out test-cert.der -outform DER
For now, we'll just sign the regular GRUB2 image (sbsign takes the input file as its last argument; write the output to a new name rather than over the input):
sbsign --key test-key.rsa --cert test-cert.pem --output grubx64.signed.efi grubx64.efi
Firmware with Secure Boot on will only run the result if test-cert.der has been enrolled in db (or in MOK when loading via shim).
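What sbsign actually does to the file is attach a PKCS#7 SignedData blob in the PE image's Certificate Table (data directory entry 4, a WIN_CERTIFICATE structure), and that table is exactly what the firmware reads during the Secure Boot check. The parser below is an added example written for these notes, not code from the page, from GRUB or from sbsign: it walks the PE headers of an .efi file and reports whether a PKCS#7 certificate table is present. The build_minimal_pe32plus() helper constructs a tiny, non-bootable PE32+ image purely as test input; header offsets are from the PE/COFF specification.

```python
"""Inspect the Authenticode certificate table of a PE/EFI image (added example)."""
import struct
from typing import List, Optional, Tuple

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # PKCS#7 SignedData, what sbsign emits
PE32PLUS_MAGIC = 0x20B
PE32_MAGIC = 0x10B
CERT_TABLE_INDEX = 4                       # IMAGE_DIRECTORY_ENTRY_SECURITY


def certificate_table(image: bytes) -> Optional[Tuple[int, int]]:
    """Return (file_offset, size) of the Certificate Table, or None if absent.

    Unlike the other data directories this entry holds a file offset, not an RVA.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    opt = coff + 20                          # optional header follows it
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == PE32PLUS_MAGIC:
        dd_off = opt + 112                   # PE32+: data directories at +112
    elif magic == PE32_MAGIC:
        dd_off = opt + 96                    # PE32:  data directories at +96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (n_dirs,) = struct.unpack_from("<I", image, dd_off - 4)  # NumberOfRvaAndSizes
    if n_dirs <= CERT_TABLE_INDEX:
        return None
    off, size = struct.unpack_from("<II", image, dd_off + 8 * CERT_TABLE_INDEX)
    if off == 0 or size == 0:
        return None
    if off + size > len(image):
        raise ValueError("certificate table points outside the file")
    return off, size


def certificates(image: bytes) -> List[Tuple[int, int, bytes]]:
    """Return (cert_type, revision, blob) for each WIN_CERTIFICATE entry."""
    table = certificate_table(image)
    if table is None:
        return []
    off, size = table
    end = off + size
    out = []
    while off + 8 <= end:
        length, revision, ctype = struct.unpack_from("<IHH", image, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        out.append((ctype, revision, image[off + 8:off + length]))
        off += (length + 7) & ~7             # entries are 8-byte aligned
    return out


def is_signed(image: bytes) -> bool:
    """True if the image carries a PKCS#7 Authenticode signature (presence only,
    not validity: validity needs the chain to a cert in db/MOK)."""
    return any(t == WIN_CERT_TYPE_PKCS_SIGNED_DATA for t, _, _ in certificates(image))


def build_minimal_pe32plus(cert_blob: Optional[bytes] = None) -> bytes:
    """Constructed test input: the smallest PE32+ header layout the parser needs.

    Not a bootable image; sections are absent and the 'signature' is opaque bytes.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    n_dirs = 16
    opt_size = 112 + 8 * n_dirs
    # Machine=x86-64, 0 sections, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, n_dirs)
    header_len = len(dos) + 4 + len(coff) + opt_size
    cert_table = b""
    if cert_blob is not None:
        length = 8 + len(cert_blob)
        entry = struct.pack("<IHH", length, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
        entry += b"\0" * ((-length) % 8)
        struct.pack_into("<II", opt, 112 + 8 * CERT_TABLE_INDEX, header_len, len(entry))
        cert_table = entry
    return dos + b"PE\0\0" + coff + bytes(opt) + cert_table


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "signed" if is_signed(f.read()) else "unsigned")
```

Run it as `python3 pecert.py bootx64.efi grubx64.signed.efi` to see which of your build outputs carry a signature at all; `sbverify --list` shows the same table with the signer's subject, and `sbverify --cert test-cert.pem` checks that it was made with your key. A signed-but-wrong-key image looks identical to this parser, which is the whole point of the db/MOK check in the firmware.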



MISC NOTES/Links



Collection of useful info about grub2

build uefi grub2: http://blog.fpmurphy.com/2011/06/boot-fedora-15-using-uefi-and-grub2.html

sudo su - for elevated rights

for ubuntu: apt-get install bison flex autoconf libdevmapper-dev
git clone git://git.savannah.gnu.org/grub
cd grub


old:
sudo apt-get install bison libopts25 libselinux1-dev autogen m4 autoconf help2man libopts25-dev flex libfont-freetype-perl automake autotools-dev freetype2-demos texinfo efibootmgr

sudo apt-get install build-essential autoconf automake
sudo apt-get build-dep grub-efi-amd64

sudo apt-get install gcc flex bison binutils gettext make python autoconf automake autogen grub-common libdevmapper-dev lsb-base libfuse2 zfs-fuse fuse-zip grub-efi-amd64
sudo apt install grub-efi-ia32-bin grub-efi-amd64-bin grub-pc-bin grub2-common grub-efi-amd64-signed


read the INSTALL text file in the grub source tree for instructions on how to build grub2

linux commands

I use grub 2.02 Beta 3 on Mint
make distclean
./autogen.sh
./configure --target=x86_64 --with-platform=efi
make

if no .mod files are created in the grub-core folder, use apt-get install for the missing package.
e.g. "moddep.lst missing" error.
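The moddep.lst that the error above complains about is what grub-mkimage uses to turn the module list on its command line (the biosdisk part_msdos fat ... lists in the grub-mkimage invocations further up) into the full set of modules to embed: every transitive dependency gets pulled in, and an unknown module name or a missing moddep.lst aborts the build. The resolver below is an added example written for these notes, not code from the page or from GRUB; it reads the same "name: dep1 dep2 ..." format as grub-core/moddep.lst and prints the closure in dependency-first order, so a candidate module list can be sanity-checked before a grub-mkimage run. SAMPLE_MODDEP is a constructed subset for the example; point it at the real grub-core/moddep.lst from your build.

```python
"""Resolve GRUB module dependencies from a moddep.lst file (added example)."""
import sys
from typing import Dict, List

# Constructed sample in moddep.lst syntax ("module: dep dep ..."), a small subset only.
SAMPLE_MODDEP = """\
normal: terminal crypto extcmd boot gettext bufio
configfile: normal
fat: fshelp
ext2: fshelp
part_gpt:
part_msdos:
efi_gop: video
efi_uga: video
video:
search: search_fs_file search_fs_uuid search_label extcmd
search_fs_uuid: extcmd
search_fs_file: extcmd
search_label: extcmd
extcmd:
terminal:
crypto:
boot:
gettext:
bufio:
fshelp:
"""


def parse_moddep(text: str) -> Dict[str, List[str]]:
    """Map each module name to its direct dependencies, ignoring blank/comment lines."""
    deps: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        deps[name.strip()] = rest.split()
    return deps


def unknown_modules(requested: List[str], deps: Dict[str, List[str]]) -> List[str]:
    """Names that are not built (no entry in moddep.lst); grub-mkimage would fail on these."""
    return [m for m in requested if m not in deps]


def resolve(requested: List[str], deps: Dict[str, List[str]]) -> List[str]:
    """Return the transitive closure of `requested`, dependencies before dependents.

    Raises KeyError for a module missing from moddep.lst and ValueError on a cycle.
    """
    order: List[str] = []
    done, active = set(), set()

    def visit(name: str) -> None:
        if name in done:
            return
        if name not in deps:
            raise KeyError(f"module '{name}' is not in moddep.lst (not built, or a typo?)")
        if name in active:
            raise ValueError(f"dependency cycle through '{name}'")
        active.add(name)
        for dep in deps[name]:
            visit(dep)
        active.discard(name)
        done.add(name)
        order.append(name)

    for name in requested:
        visit(name)
    return order


if __name__ == "__main__":
    # Usage: python3 moddep.py grub-core/moddep.lst fat part_gpt efi_gop normal
    if len(sys.argv) > 2:
        with open(sys.argv[1]) as f:
            table = parse_moddep(f.read())
        wanted = sys.argv[2:]
    else:
        table, wanted = parse_moddep(SAMPLE_MODDEP), ["fat", "part_gpt", "efi_gop", "configfile"]
    missing = unknown_modules(wanted, table)
    if missing:
        sys.exit(f"not in moddep.lst: {' '.join(missing)}")
    print(" ".join(resolve(wanted, table)))
```

The closure is also a cheap way to see why an image grew: ask for configfile and you get normal plus everything normal drags in, which is the usual reason a pc core.img blows through the 31 KiB MBR gap.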


(replace 1234-ABCD with the filesystem UUID of the partition holding /EFI/BOOT - see blkid)
cat << 'EOF' > grub-buildin.cfg
search --set=root --fs-uuid 1234-ABCD
set prefix=($root)/EFI/BOOT
EOF


./grub-mkimage -d ./grub-core -o bootx64.efi -O x86_64-efi -c ./grub-buildin.cfg -p /foobar $(find ./grub-core -name '*.mod' -exec basename {} .mod \;)
(every built module, test modules included - a big image; grub-mkimage wants bare module names, not ./grub-core/xxx paths)
./grub-mkimage -d ./grub-core -o bootx64.efi -O x86_64-efi -c ./grub-buildin.cfg -p /foobar biosdisk part_msdos fat ntfs exfat configfile ls echo cpuid loopback regexp read bsd probe ext2

grub-mkimage --prefix /AIO/grub2 --output core.img --format i386-pc --compression auto --config load.cfg biosdisk part_msdos ext2 fat ntfs search_fs_file
grub-mkimage --prefix /AIO/grub2 --output bootx64.efi --format x86_64-efi --compression auto --config load.cfg part_gpt part_msdos ext2 fat ntfs hfsplus search_fs_file
grub-mkimage --prefix /AIO/grub2 --output bootia32.efi --format i386-efi --compression auto --config load.cfg part_gpt part_msdos ext2 fat ntfs hfsplus search_fs_file


other useful modules to add: loopback regexp read echo bsd probe configfile search_fs_uuid
./configure --with-platform=efi
./configure --target=i386 --with-platform=efi
./configure --with-platform=pc

modules
'acpi' 'adler32' 'affs' 'afs' 'ahci' 'all_video' 'aout' 'appleldr' 'archelp' 'ata' 'at_keyboard' 'backtrace' 'bfs' 'bitmap' 'bitmap_scale' 'blocklist' 'boot' 'bsd' 'bswap_test' 'btrfs' 'bufio' 'cat' 'cbfs' 'cbls' 'cbmemc' 'cbtable' 'cbtime' 'chain' 'cmdline_cat_test' 'cmp' 'cmp_test' 'configfile' 'cpio_be' 'cpio' 'cpuid' 'crc64' 'cryptodisk' 'crypto' 'cs5536' 'ctz_test' 'datehook' 'date' 'datetime' 'diskfilter' 'disk' 'div' 'div_test' 'dm_nv' 'echo' 'efifwsetup' 'efi_gop' 'efinet' 'efi_uga' 'ehci' 'elf' 'eval' 'exfat' 'exfctest' 'ext2' 'extcmd' 'fat' 'file' 'fixvideo' 'font' 'fshelp' 'functional_test' 'gcry_arcfour' 'gcry_blowfish' 'gcry_camellia' 'gcry_cast5' 'gcry_crc' 'gcry_des' 'gcry_dsa' 'gcry_idea' 'gcry_md4' 'gcry_md5' 'gcry_rfc2268' 'gcry_rijndael' 'gcry_rmd160' 'gcry_rsa' 'gcry_seed' 'gcry_serpent' 'gcry_sha1' 'gcry_sha256' 'gcry_sha512' 'gcry_tiger' 'gcry_twofish' 'gcry_whirlpool' 'geli' 'gettext' 'gfxmenu' 'gfxterm_background' 'gfxterm_menu' 'gfxterm' 'gptsync' 'gzio' 'halt' 'hashsum' 'hdparm' 'hello' 'help' 'hexdump' 'hfs' 'hfspluscomp' 'hfsplus' 'http' 'iorw' 'iso9660' 'jfs' 'jpeg' 'keylayouts' 'keystatus' 'ldm' 'legacycfg' 'legacy_password_test' 'linux16' 'linux' 'loadbios' 'loadenv' 'loopback' 'lsacpi' 'lsefimmap' 'lsefi' 'lsefisystab' 'lsmmap' 'ls' 'lspci' 'lssal' 'luks' 'lvm' 'lzopio' 'macbless' 'macho' 'mdraid09_be' 'mdraid09' 'mdraid1x' 'memdisk' 'memrw' 'minicmd' 'minix2_be' 'minix2' 'minix3_be' 'minix3' 'minix_be' 'minix' 'mmap' 'morse' 'mpi' 'msdospart' 'mul_test' 'multiboot2' 'multiboot' 'nativedisk' 'net' 'newc' 'nilfs2' 'normal' 'ntfscomp' 'ntfs' 'odc' 'offsetio' 'ohci' 'part_acorn' 'part_amiga' 'part_apple' 'part_bsd' 'part_dfly' 'part_dvh' 'part_gpt' 'part_msdos' 'part_plan' 'part_sun' 'part_sunpc' 'parttool' 'password' 'password_pbkdf2' 'pata' 'pbkdf2' 'pbkdf2_test' 'pcidump' 'play' 'png' 'priority_queue' 'probe' 'procfs' 'progress' 'raid5rec' 'raid6rec' 'random' 'read' 'reboot' 'regexp' 'reiserfs' 'relocator' 'romfs' 'scsi' 
'search_fs_file' 'search_fs_uuid' 'search_label' 'search' 'serial' 'setjmp' 'setjmp_test' 'setpci' 'sfs' 'shift_test' 'signature_test' 'sleep' 'sleep_test' 'spkmodem' 'squash4' 'syslinuxcfg' 'tar' 'terminal' 'terminfo' 'test_blockarg' 'testload' 'test' 'testspeed' 'tftp' 'tga' 'time' 'trig' 'tr' 'true' 'udf' 'ufs1_be' 'ufs1' 'ufs2' 'uhci' 'usb_keyboard' 'usb' 'usbms' 'usbserial_common' 'usbserial_ftdi' 'usbserial_pl2303' 'usbserial_usbdebug' 'usbtest' 'verify' 'video_bochs' 'video_cirrus' 'video_colors' 'video_fb' 'videoinfo' 'video' 'videotest_checksum' 'videotest' 'xfs' 'xnu' 'xnu_uuid' 'xnu_uuid_test' 'xzio' 'zfscrypt' 'zfsinfo' 'zfs'
grub-mkstandalone -O x86_64-efi -o mygrub.efi

tips

linux find a file - find . -name '*.xml'
list files ls -l -R /filepath

misc

UEFI shim loader git https://github.com/mjg59/shim
grub2 HowTo UEFI&GPT http://lukeluo.blogspot.co.uk/2013/06/grub-how-to-3-uefi-and-gpt.html


core.img - first sectors

Sometimes I need a minimal boot-able Linux USB stick for rescue purpose, especially when I screw up my grub configuration on my desktop. This USB stick could also be used as a disk when you are using QEMU or other virtual machines. So let us just do it.

1. Make a GPT partition table and an ext4 file system in USB


GPT is the current and future. MBR is fading out. My T400 desktop does not have EFI, but Grub supports the BIOS+GPT configuration, on the condition that you provide a "GRUB boot partition" on the GPT disk. GRUB will copy its "boot.img" to the MBR, and "core.img" to this partition, because on a GPT disk there is no so-called "boot gap" between the MBR and the first partition. On a GPT disk, the MBR is followed by the GPT headers and the first disk partition, no gap allowed. The core.img cannot be put in a gap as on an MBR disk, so we must provide a separate partition for core.img to reside in. You can refer to Wikipedia for more detailed info on MBR/GPT.

Since the Grub core.img will be much less than 1M, give the "BIOS boot partition" 16M of space, which is far more than enough. The remaining space will be occupied by a "Linux Filesystem" partition.



$ gdisk /dev/sdc
GPT fdisk (gdisk) version 0.8.5

Partition table scan:

MBR: not present
BSD: not present
APM: not present
GPT: not present

Creating new GPT entries.


Command (? for help): ?

...
n add a new partition
o create a new empty GUID partition table (GPT)
p print the partition table
...
Command (? for help): o
This option deletes all partitions and creates a new protective MBR.
Proceed? (Y/N): y