Massive changes ahead – UEFI secure boot soon to be supported
We are working on our first images that boot on UEFI secure boot as well as on normal BIOSes. This is quite a challenge, since until now images were prepared with genisoimage and later patched with isohybrid to contain a partition table. This resulted in images that could either be written to CD or to a USB stick. When written to a USB thumb drive, some magic in the initramfs moved the ISO filesystem and bootloader and created a new MBR partition table with one empty FAT32 partition at the start of the USB stick. This way the majority of the space on a thumb drive could still be used – especially users with drives of 8GB or larger appreciated this feature.
With secure boot, some things are changing: I currently use the combination of the Linux Foundation's PreLoader and Gummiboot to load on UEFI equipped computers. This costs some 50MB extra space compared to Shim combined with GRUB2, but is a lot more straightforward to implement. To make the ISO reliably boot on UEFI I had to replace genisoimage with xorriso. This currently means your build environment has to be upgraded to Ubuntu 12.04 or – more instructions will follow – you have to build using a self-contained image of LessLinux.
Mission accomplished? No, not yet. The ISO images I built in the last days now boot from optical drives on BIOS and UEFI systems, but the isohybrid sticks just boot on BIOS machines. Matthew Garrett and Thomas Schmitt discussed some possibilities of adding UEFI support to isohybrid, Matthew Garrett modified isohybrid accordingly, and Thomas Schmitt even implemented the whole isohybrid functionality in xorriso. In theory, either approach yields images that boot in four ways:
- The El-Torito-No-Emulation way on BIOS machines (using isolinux.bin on optical drives)
- The MBR-Pointing-To-Isolinux.bin way of the classical isohybrid implementation (on hard disks)
- The El-Torito-Diskimage way on UEFI machines (using the FAT image on optical drives)
- The GPT way of mapping the FAT image in the ISO9660 to a GPT partition that is marked bootable (on hard disks)
Sadly, number four did not work out using isohybrid from Syslinux 5.02pre3 – the resulting GPT partition is just 19MB instead of the ~53MB it should be, so boot via USB stick on UEFI machines fails. I currently do not know whether
- I omitted some magic command line options
- a bug in isohybrid or xorriso is responsible for the behaviour
- I ran into a problem cramming all four sets of boot information into the first 32kB of the image
Of course I will file a bug report with the syslinux developers for this behaviour.
The workaround? Instead of trying to cram all four boot methods in one image there will probably be two images: One ISO for optical drives and a GPT partitioned hard disk image for thumb drives. The image for thumb drives will use three partitions: The first for the ISO, one EXT4 for the BIOS compatible extlinux bootloader and one for the UEFI boot partition – effectively just containing a dd’d copy of the El-Torito image used for UEFI boot from optical drives. This will just add a few lines to the build script and it will even be easy to distribute as a very small xdelta. The option to search for loop files will be changed to examine .img files as well: If one is found that contains an ISO filesystem in the first partition, this is used for boot. This allows magazines to create bootable cover CDs that also contain filesystem images to install on thumb drives using either Win32DiskImager or dd without having to include the container directory and the image file.
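Two of the checks above can be done on an image file without booting it: is the GPT partition as large as it should be, and does the first partition really start with an ISO9660 filesystem (the test the loop-file search would need for .img files)? The following is an added example, not LessLinux build code: it parses a GPT partition table straight from the image bytes, verifies both CRC32 fields so a half-written table is reported rather than misread, and looks for the ISO9660 "CD001" volume descriptor in the first partition. The three-partition layout, the type GUIDs chosen for the ISO and extlinux partitions, and the partition sizes in the sample image are constructed assumptions for the demonstration.

```python
"""Inspect a GPT-partitioned disk image: list partitions with their sizes and
check whether the first partition carries an ISO9660 filesystem.
The sample image is constructed in memory; no real LessLinux image is used."""
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIG = b"EFI PART"
ISO_MAGIC = b"CD001"          # ISO9660 volume descriptor identifier
ISO_PVD_OFFSET = 0x8000       # primary volume descriptor sits 16 * 2048 bytes into an ISO
# Well-known partition type GUIDs (UEFI spec / discoverable partitions spec).
GUID_EFI_SYSTEM = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")
GUID_LINUX_FS = uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4")
# Assumed layout for the sample: ISO partition, ext4 for extlinux, EFI system partition.
SAMPLE_LAYOUT = [(GUID_LINUX_FS, 256), (GUID_LINUX_FS, 64), (GUID_EFI_SYSTEM, 64)]


def _crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_gpt(img: bytes) -> list:
    """Return [(index, first_lba, last_lba, size_bytes, type_uuid), ...] for used entries.
    Raises ValueError if the signature or either CRC32 does not check out."""
    hdr = img[SECTOR:2 * SECTOR]                      # primary header lives at LBA 1
    if hdr[:8] != GPT_SIG:
        raise ValueError("no GPT header at LBA 1")
    hdr_size, hdr_crc = struct.unpack_from("<II", hdr, 12)
    # Header CRC is computed over hdr_size bytes with the CRC field itself zeroed.
    if _crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:hdr_size]) != hdr_crc:
        raise ValueError("GPT header CRC mismatch")
    entries_lba, n_entries, entry_size, array_crc = struct.unpack_from("<QIII", hdr, 72)
    start = entries_lba * SECTOR
    array = img[start:start + n_entries * entry_size]
    if _crc32(array) != array_crc:
        raise ValueError("GPT partition array CRC mismatch")
    parts = []
    for i in range(n_entries):
        entry = array[i * entry_size:(i + 1) * entry_size]
        if entry[:16] == b"\0" * 16:                  # all-zero type GUID = unused slot
            continue
        first, last = struct.unpack_from("<QQ", entry, 32)
        parts.append((i + 1, first, last, (last - first + 1) * SECTOR, uuid.UUID(bytes_le=entry[:16])))
    return parts


def first_partition_is_iso(img: bytes) -> bool:
    """True if the first GPT partition starts with an ISO9660 primary volume descriptor."""
    parts = parse_gpt(img)
    if not parts:
        return False
    base = parts[0][1] * SECTOR + ISO_PVD_OFFSET
    return img[base + 1:base + 1 + len(ISO_MAGIC)] == ISO_MAGIC


def describe(img: bytes) -> list:
    """Human-readable one-liners per partition, e.g. for a build-script sanity check."""
    return ["p%d: LBA %d-%d, %.1f MB, type %s" % (i, f, l, size / 1e6, t)
            for i, f, l, size, t in parse_gpt(img)]


def build_sample_image(layout=SAMPLE_LAYOUT) -> bytes:
    """Construct a minimal GPT image (constructed sample, not a real build output):
    protective MBR at LBA 0, header at LBA 1, 128 entries at LBA 2-33, partitions
    back to back from LBA 34, and an unwritten (zeroed) backup table area at the end.
    The first partition gets an ISO9660 volume descriptor written in."""
    n_entries, entry_size = 128, 128
    first_usable = 2 + (n_entries * entry_size) // SECTOR     # LBA 34
    entries = bytearray(n_entries * entry_size)
    lba = first_usable
    for i, (type_uuid, sectors) in enumerate(layout):
        unique = uuid.UUID(int=i + 1).bytes_le                 # deterministic per-partition GUID
        struct.pack_into("<16s16sQQ", entries, i * entry_size, type_uuid.bytes_le, unique,
                         lba, lba + sectors - 1)
        lba += sectors
    total_sectors = lba + 33                                    # 33 sectors reserved for backup GPT
    hdr = bytearray(SECTOR)
    struct.pack_into("<8sIII", hdr, 0, GPT_SIG, 0x00010000, 92, 0)   # sig, rev 1.0, size, crc=0
    struct.pack_into("<QQQQ", hdr, 24, 1, total_sectors - 1, first_usable, total_sectors - 34)
    hdr[56:72] = uuid.UUID(int=0xDEADBEEF).bytes_le             # disk GUID (constructed)
    struct.pack_into("<QIII", hdr, 72, 2, n_entries, entry_size, _crc32(bytes(entries)))
    struct.pack_into("<I", hdr, 16, _crc32(bytes(hdr[:92])))
    mbr = bytearray(SECTOR)                                      # protective MBR: one 0xEE entry
    struct.pack_into("<B3sB3sII", mbr, 446, 0x00, b"\x00\x02\x00", 0xEE, b"\xff\xff\xff",
                     1, min(total_sectors - 1, 0xFFFFFFFF))
    mbr[510:512] = b"\x55\xaa"
    data = bytearray(sum(s for _, s in layout) * SECTOR)
    data[ISO_PVD_OFFSET] = 1                                    # descriptor type 1 = primary
    data[ISO_PVD_OFFSET + 1:ISO_PVD_OFFSET + 6] = ISO_MAGIC
    return bytes(mbr + hdr + entries + data + bytearray(33 * SECTOR))


if __name__ == "__main__":
    sample = build_sample_image()
    print("\n".join(describe(sample)))
    print("first partition is ISO9660:", first_partition_is_iso(sample))
```

Pointed at a real image (`parse_gpt(open("stick.img", "rb").read())`), the size column is exactly the number to compare against the expected ~53MB when the EFI partition comes out too small, and a CRC mismatch tells you the table itself was written inconsistently rather than just sized wrong.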
Good news for old build environments! The changes mentioned above are only applied if the overlay directory contains a folder “efiimage”. If this folder is missing, it is assumed that the resulting image just has to be bootable on BIOS machines. In this case, as before, genisoimage and the isohybrid perl script will be used to build one image that boots from CD/DVD or from a USB thumb drive. Expect this option to be removed in some months, but it will make the transition easier for those who are not yet in need of UEFI bootable images.