Differences

This shows you the differences between two versions of the page.

docs:guide-developer:uefi-bootable-image [2018/03/04 01:25] – [Status] Add note about kernel panic when booted on bios mode alive4ever
docs:guide-developer:uefi-bootable-image [2021/06/28 13:50] (current) – [Status] replace git commit ID with actual link to the commit fiouz
Line 2: Line 2:
  
 ===== Introduction ===== ===== Introduction =====
-UEFI based systems are becoming more common and it's expected at some time that newer UEFI based system doesn't contain CSM to support legacy bios mode at all.+ 
 +UEFI boot has been required for years now, boards that only support UEFI are commonand Intel has stated back in 2017 that "legacy" BIOS will no longer be supported after 2020. 
 + 
 +https://www.anandtech.com/show/12068/intel-to-remove-bios-support-from-uefi-by-2020 
 + 
 +http://www.uefi.org/sites/default/files/resources/Brian_Richardson_Intel_Final.pdf.
  
 To accommodate this, it's necessary for OpenWrt build system to generate UEFI bootable images. To accommodate this, it's necessary for OpenWrt build system to generate UEFI bootable images.
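Review bot: the last added line ends the PDF URL with a trailing period (''...Brian_Richardson_Intel_Final.pdf.''), which risks being taken as part of the link target; drop the period. The two bare URLs also give no hint which claim each one supports, so attach them to the Intel statement as labelled links or footnotes. In the new opening sentence, "UEFI boot has been required for years now" does not say who or what requires it; name the requirement or soften the wording, and fix "commonand".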
Line 8: Line 13:
 ===== Status ===== ===== Status =====
  
 +As of OpenWrt ''[[commit>?p=openwrt/openwrt.git;a=commit;h=a6b7c3e672764858fd294998406ae791f5964b4a|a6b7c3e672764858fd294998406ae791f5964b4a]]'', EFI-compatible images are available on the x86-64 [[https://downloads.openwrt.org/snapshots/targets/x86/64/|snapshots]] downloads page.
  
-There are pending commits related to add UEFI bootable OpenWrt under 
-[[https://git.openwrt.org/?p=openwrt/staging/jow.git;a=summary|Jow staging repository]]. 
  
-Beware that the generated uefi gpt image causes kernel panic when booted on bios based system. 
-A fix for this issue is in progress. 
 ===== Building UEFI bootable OpenWrt image ===== ===== Building UEFI bootable OpenWrt image =====
  
-The commits necessary to build uefi bootable OpenWrt image are as follows.+To build an EFI-compatible OpenWrt image:
  
-<code> +    * Run ''make menuconfig''.
-ba837608fb3676ceaf2f463e2efc013e5d232895 tools: add libopt host build +
-3775232366ab903a631379ab7916514286c96e2d tools: add sgdisk host build +
-8752bdcbda84361e91548b2314fbf3c6e3b4d233 Generate EFI grub images for x86 platforms +
-b3bd0031cd8bc59c38b1c4cbb4454a415d464d15 grub: use different build directories per variant +
-</code>+
  
-To build the image, cherry pick those commits, i.e. +    * Go to **Target Images** and make sure that the option **Build GRUB EFI images (Linux x86 or x86_64 host only)** is checked.
- +
-<code bash> +
-$ git remote add jow-staging https://git.openwrt.org/openwrt/staging/jow.git +
-$ git fetch jow-staging +
-$ git checkout -b uefi-capable --track origin/master # so that you can rebase easily +
-$ for commit in \ +
-  ba837608fb3676ceaf2f463e2efc013e5d232895 \ +
-  3775232366ab903a631379ab7916514286c96e2d \ +
-  8752bdcbda84361e91548b2314fbf3c6e3b4d233 \ +
-  b3bd0031cd8bc59c38b1c4cbb4454a415d464d15 \ +
-  ; do \ +
-      git cherry-pick $commmit ; done +
-</code> +
- +
-After cherry-picking those commits, run ''make menuconfig''+
- +
-Go to **Target Images** and make sure that **Build EFI grub images** option is checked.+
  
 Select additional packages as necessary and finally save changes and exit menuconfig. Select additional packages as necessary and finally save changes and exit menuconfig.
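Review bot: the removed Status lines warned that the generated UEFI GPT image causes a kernel panic when booted on a BIOS based system and said a fix was in progress, but the replacement text never says whether that was resolved. State explicitly whether images built from the linked commit boot in BIOS mode, or keep the warning. In the build steps, the two menuconfig bullets are a sequence, so an ordered list would read better than unordered items, with "Select additional packages ..." following as a step as well.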
Line 48: Line 28:
 Run ''make'' as usual to build the image. Run ''make'' as usual to build the image.
  
-The resulting image will be available as ''bin/targets/x86/64/openwrt-x86-64-uefi-gpt-ext4.img.gz'', which can be written to disk after decompression.+The resulting image(s) will be available in ''./bin/targets/x86/64/'' (depending on the image format(s) you chose), which can be written to disk after decompression
 + 
 +Note that these are **disk images**, not partition images, which must be written to a block device directly e.g. ''/dev/sdb''.
  
 ===== UEFI Secure Boot ===== ===== UEFI Secure Boot =====
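Review bot: the added note names ''/dev/sdb'' as the write target without telling the reader to confirm which device that is, and writing a disk image to the wrong block device overwrites it. Use a placeholder such as ''/dev/sdX'' and add a line asking the reader to identify the target disk first. The relative clause is also ambiguous: as written, "which must be written to a block device directly" attaches to "partition images", so split it into two sentences. The rewritten sentence above it has lost its closing period.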
Line 57: Line 39:
  
 The related packages feed repository contains stuffs needed to sign efi binaries, i.e. gnu-efi and sbsigntool and stuffs to manipulate efi variables, i.e. efivar, efibootmgr, and efitools. The related packages feed repository contains stuffs needed to sign efi binaries, i.e. gnu-efi and sbsigntool and stuffs to manipulate efi variables, i.e. efivar, efibootmgr, and efitools.
 +
 +<code bash>
 +# Add the development git repository
 +$ git remote add devrepo https://github.com/alive4ever/openwrt
 +$ git fetch devrepo
 +$ git checkout feature-uefi-secure-boot
 +
 +# Configure the corresponding package repository
 +$ echo 'src-git packages https://github.com/alive4ever/packages;feature-uefi-secure-boot' > ./feeds.conf
 +$ ./scripts/feeds clean
 +$ ./scripts/feeds update packages
 +$ ./scripts/feeds update -i
 +$ ./scripts/feeds install -a
 +
 +# Now, configure the build system
 +# Select x86 as Target, x86_64 as Subtarget
 +# make sure to select 'Sign EFI executable binaries' under 'Target Images'
 +# UEFI related tools are available under Utilities section,
 +# which consist of efitools, efibootmgr, efivar, and sbsigntool
 +$ make menuconfig
 +
 +# The certificate and key need to be generated
 +# to perform uefi binary signing
 +$ OLD_UMASK=$(umask)
 +$ umask 077
 +$ openssl req -new -x509 -sha256 \
 +  -days 90 -out ./db.crt \
 +  -subj '/CN=secure boot signing certificate' \
 +  -newkey rsa:2048 -nodes \
 +  -keyout ./db.key
 +$ umask $OLD_UMASK
 +
 +# run make to generate UEFI secure bootable OpenWrt image
 +$ make
 +
 +</code>
 +
 +Remember to import ''db.crt'' (which may needs to be converted into DER or other format) into ''db'' UEFI variable to securely boot the resulting image.
  
  
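Review bot: in the ''openssl req'' step, ''-nodes'' leaves the signing key ''./db.key'' unencrypted inside the build tree, and nothing after ''make'' says to move or protect it; ''umask 077'' only restricts the file permissions at creation. Anyone holding that key can sign binaries that the enrolled ''db.crt'' will vouch for, so say where the key should live once the build is done (outside the source tree, or passphrase-protected). ''-days 90'' is also unexplained: state what the reader should do when the certificate expires. Separately, the ''echo ... > ./feeds.conf'' line overwrites any existing feeds configuration, and both the source branch and the packages feed come from a personal fork with no pinned commit, so the text should say so and ideally pin revisions. Wording: "stuffs" and "may needs" in the surrounding prose need fixing.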
  • Last modified: 2018/03/04 01:25
  • by alive4ever