Please help with EFI

It had to happen one day. I'm installing on a UEFI-only server; luckily it's without Secure Boot.

I've loaded from mfsbsd, installed everything but can't boot from NVMe.

Here's my gpart

Code:
root@mfsbsd:~ # gpart show
=>        40  3750748768  nda0  GPT  (1.7T)
          40      532480     1  efi  (260M)
      532520         216        - free -  (108K)
      532736  3750215936     2  freebsd-zfs  (1.7T)
  3750748672         136        - free -  (68K)


=>        40  3750748768  nda1  GPT  (1.7T)
          40         216        - free -  (108K)
         256        2048     1  efi  (1.0M)
        2304      530432        - free -  (259M)
      532736  3750215936     2  freebsd-zfs  (1.7T)
  3750748672         136        - free -  (68K)


=>        40  3750748768  diskid/DISK-S64GNNFX503242  GPT  (1.7T)
          40         216                              - free -  (108K)
         256        2048                           1  efi  (1.0M)
        2304      530432                              - free -  (259M)
      532736  3750215936                           2  freebsd-zfs  (1.7T)
  3750748672         136                              - free -  (68K)

(attempts to make something working from different sources)

What's clearly wrong is


Code:
root@mfsbsd:~ # efibootmgr
BootCurrent: 0000


root@mfsbsd:~ # efibootmgr -c -a -L freebsd1 -l gpt/efi1:/efi/boot/bootx64.efi
efibootmgr: efi_set_variable: Permission denied


and everything I can invent with efibootmgr fails with "permission denied". Googling did not yield much help.
 
Shouldn't the -l option take a correct path as an argument?
And why do you need a boot entry in the first place? You should be able to boot perfectly fine without it if you put the loader in the right place (see uefi(8)), or am I missing something?
 
I think the UEFI on the server doesn't allow changes and it needs to be set up to boot via the BIOS itself. Some UEFI BIOSes have a boot-from-file option where you can select the .efi file and create the boot order, or select the disk.

Anyway, for efibootmgr you need to mount the ESP partition, let's say to /tmp, and then use something like:

efibootmgr --create --activate --label "FreeBSD" --loader /tmp/ESP/EFI/BOOT/BOOTx64.efi


It doesn't matter where the loader is mounted: efibootmgr will pick the GUID from the mount and create the correct path to the .efi.

Your ESP partition on nda1 has a size of 1MB, which is not correct. You will need to remove nda1p1, create it again with the correct size of 260MB, format it again as FAT32, and copy loader.efi as BOOTx64.efi.
 
I've only had that problem on Linux under Virtualbox. Do you have a /dev/efi character device? What does efibootmgr -v say?

The efirt(9) module must be compiled into my kernel (GENERIC), because it's not loaded according to kldstat(8), but I get an error saying it's already loaded if I try to load it manually. I do have the efidev(4) device node. The only thing I see in dmesg is efirtc0.
 
Jose, I don't have any issues with loading /boot/kernel/efirt.ko without option EFIRT:
Code:
$ fgrep -i efirt /usr/src/sys/amd64/conf/L380
$ kldstat -v | fgrep efi
# kldload efirt
$ kldstat -v | fgrep efi
31    1 0xffffffff82b4d000     45f9 efirt.ko (/boot/kernel/efirt.ko)
        194 efidev
        195 nexus/efirtc
        193 efirt
EDIT: Ah, seems like I misinterpreted your post, so never mind.
 
If the ESP to be booted from is properly formatted as FAT (preferably FAT32) and the only proper loader in the ESP is EFI/BOOT/BOOTx64.EFI (in the case of amd64; as the ESP should be formatted as FAT, upper and lower case in filenames does not matter at all), it should boot properly without configuration by efibootmgr(8), as EFI/BOOT/BOOTx64.EFI is the default of the UEFI spec.

If you mounted the ESP on the /boot/efi directory, it should be /boot/efi/EFI/BOOT/BOOTx64.EFI.

Note that the drive you put the loader on should be the default boot device in the UEFI firmware configuration.
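Several replies above converge on the same two checks: the 1.0M ESP on nda1 is undersized compared with the 260M one on nda0, and the loader must sit at the UEFI default path EFI/BOOT/BOOTX64.EFI for the firmware to find it without an efibootmgr entry. The POSIX shell script below is an added example for this thread, not code from any of the posters. It parses gpart show output in the format pasted above, flags ESPs below a size threshold (MIN_ESP_MB, which I default to the 260M nda0 uses; that default and the 512-byte sector assumption are mine), looks for the fallback loader case-insensitively under a mounted ESP (FAT filenames are case-insensitive, so BOOTx64.efi under /mnt/efi/boot/ counts), and prints the ESP-relative path in UEFI backslash notation that a boot entry would carry for a loader copied under the mount, which is the translation the efibootmgr reply describes. The function names and the /dev/efi check are this example's own.

```shell
#!/bin/sh
# esp_check.sh: pre-boot sanity checks for an EFI System Partition (ESP).
# Added example for this thread; not code from any of the posters.
# Assumptions: gpart(8) "show" output as pasted in the thread, 512-byte
# sectors, and the 260M ESP size of nda0 as the smallest size worth accepting.

MIN_ESP_MB=${MIN_ESP_MB:-260}

# Constructed sample, copied from the gpart output in the thread: nda0 has a
# 260M ESP, nda1 has the 1.0M ESP that the replies call out as too small.
SAMPLE_GPART='=>        40  3750748768  nda0  GPT  (1.7T)
          40      532480     1  efi  (260M)
      532520         216        - free -  (108K)
      532736  3750215936     2  freebsd-zfs  (1.7T)
  3750748672         136        - free -  (68K)

=>        40  3750748768  nda1  GPT  (1.7T)
          40         216        - free -  (108K)
         256        2048     1  efi  (1.0M)
        2304      530432        - free -  (259M)
      532736  3750215936     2  freebsd-zfs  (1.7T)
  3750748672         136        - free -  (68K)'

# list_esps: read "gpart show" text on stdin and print one line per efi
# partition: "<disk> <partition> <size_mb> ok|undersized".
list_esps() {
    awk -v min="$MIN_ESP_MB" '
        $1 == "=>" { disk = $4; next }         # "=> start size disk GPT (size)"
        $4 == "efi" && $3 ~ /^[0-9]+$/ {       # "start size index efi (size)"
            mb = $2 * 512 / 1048576
            status = "undersized"
            if (mb >= min) status = "ok"
            printf "%s %sp%s %.1f %s\n", disk, disk, $3, mb, status
        }'
}

# loader_efi_path MOUNTPOINT FILE: the ESP-relative path, in UEFI "\" notation,
# that a boot entry would carry for a loader copied under a mounted ESP.
loader_efi_path() {
    mnt=${1%/}
    file=$2
    case "$file" in
        "$mnt"/*) ;;
        *) echo "loader_efi_path: $file is not under $mnt" >&2; return 1 ;;
    esac
    rel=${file#"$mnt"}
    printf '%s\n' "$rel" | tr '/' '\\'
}

# check_default_loader MOUNTPOINT: look for the UEFI fallback loader
# EFI/BOOT/BOOTX64.EFI under the mount point, ignoring case. Prints the path
# found; returns 1 when it is absent, i.e. when the firmware will not find it.
check_default_loader() {
    mnt=${1%/}
    found=$(find "$mnt" -type f -ipath "$mnt/EFI/BOOT/BOOTX64.EFI" | head -n 1)
    [ -n "$found" ] && printf '%s\n' "$found"
}

# efi_runtime_ready: efibootmgr(8) on FreeBSD needs the efirt(9) runtime
# services, visible as the efidev(4) node /dev/efi. Without it (or with
# firmware that rejects variable writes) rely on the default path instead.
# FreeBSD-only; the checks above do not depend on it.
efi_runtime_ready() {
    if [ ! -c /dev/efi ]; then
        echo "no /dev/efi: try 'kldload efirt' (see efirt(9))" >&2
        return 1
    fi
}

# Demo only when invoked as "esp_check.sh demo [mountpoint]".
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_GPART" | list_esps
    loader_efi_path /tmp/ESP /tmp/ESP/EFI/BOOT/BOOTx64.efi
    if [ -n "${2:-}" ]; then check_default_loader "$2"; fi
fi
```

On the real box, pipe `gpart show` into list_esps instead of the embedded sample, and point check_default_loader at the directory the ESP is mounted on (for example /mnt in the thread's attempts). A missing fallback loader or an undersized ESP is worth fixing before spending more time on efibootmgr, since the firmware will boot the default path without any variable having been written.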
 
What's odd is that I can boot from nda1! It does not boot the OS, but I've made it to the bootloader.

I've set up nda0p1, and efibootmgr still fails

Code:
root@mfsbsd:~ # efibootmgr --create --activate --label "FreeBSD" --loader /mnt/efi/boot/BOOTx64.efi
efibootmgr: efi_set_variable: Permission denied

However, I've set up the EFI partition on disk 1 and everything works!
 
I think your machine doesn't support setting EFI variables. What options do you have in the BIOS as boot device?

Here's an example of efibootmgr on an HPE server set to boot from RAID 5 on a P440 controller (FreeBSD with UFS)

Code:
# efibootmgr -v
Boot to FW : false
BootCurrent: 000c
Timeout    : 2 seconds
BootOrder  : 000C, 000F, 0008, 0009, 0000, 0002, 0001, 0003, 0004, 0005, 0006, 0007, 000A, 000D
+Boot000C* Slot 2 : Smart Array P440 Controller - 838.10 GiB, RAID 5 Logical Drive(Target:0, Lun:0) PciRoot(0x0)/Pci(0x1,0x0)/Pci(0x0,0x0)/Scsi(0x0,0x0)
 Boot000F* Windows Boot Manager HD(1,GPT,73f82ac8-cfa9-41ce-b4ef-29c18461555b,0x800,0xf9800)/File(\EFI\Microsoft\Boot\bootmgfw.efi)
 Boot0008* Generic USB Boot UsbClass(0xffff,0xffff,0xff,0xff,0xff)
 Boot0009* Embedded LOM 1 Port 1 : HP Ethernet 1Gb 2-port 361i Adapter - NIC (PXE IPv4)  PciRoot(0x0)/Pci(0x2,0x3)/Pci(0x0,0x0)/MAC(70106fb4ce4a,0x1)/IPv4(0.0.0.0,0x0,DHCP,0.0.0.0,0.0.0.0,0.0.0.0)
 Boot0000  Embedded UEFI Shell Fv(cdbb7b35-6833-4ed6-9ab2-57d2acddf6f0)/FvFile(c57ad6b7-0515-40a8-9d21-551652854e37)
 Boot0002  System Utilities Fv(cdbb7b35-6833-4ed6-9ab2-57d2acddf6f0)/FvFile(1fd631e5-44e0-2f91-10ab-f88f3568ef30)
 Boot0001  Diagnose Error Fv(cdbb7b35-6833-4ed6-9ab2-57d2acddf6f0)/FvFile(0849279d-40d5-53ea-e764-2496766f9844)
 Boot0003  Intelligent Provisioning Fv(cdbb7b35-6833-4ed6-9ab2-57d2acddf6f0)/FvFile(4a433501-ddaa-490b-96b2-04f42d8669b8)
 Boot0004  Boot Menu Fv(cdbb7b35-6833-4ed6-9ab2-57d2acddf6f0)/FvFile(d3fd6286-43c5-bb8d-0793-07b70aa9de36)
 Boot0005  Network Boot Fv(cdbb7b35-6833-4ed6-9ab2-57d2acddf6f0)/FvFile(ee8b26b0-37e9-11e1-b86c-0800200c9a66)
 Boot0006  Embedded Diagnostics Fv(cdbb7b35-6833-4ed6-9ab2-57d2acddf6f0)/FvFile(b57fe6f1-4f49-d46e-4bba-0a8add34d2f3)
 Boot0007  View Integrated Management Log Fv(cdbb7b35-6833-4ed6-9ab2-57d2acddf6f0)/FvFile(93c92423-d1c6-4286-be67-b76b6671047e)
 Boot000A* Embedded LOM 1 Port 1 : HP Ethernet 1Gb 2-port 361i Adapter - NIC (PXE IPv6)  PciRoot(0x0)/Pci(0x2,0x3)/Pci(0x0,0x0)/MAC(70106fb4ce4a,0x1)/IPv6(0000:0000:0000:0000:0000:0000:0000:0000,0x0,Static,0000:0000:0000:0000:0000:0000:0000:0000,0x40,0000:0000:0000:0000:0000:0000:0000:0000)
 Boot000D* Slot 2 : Smart Array P440 Controller - 931.48 GiB, RAID 1 Logical Drive(Target:0, Lun:1) PciRoot(0x0)/Pci(0x1,0x0)/Pci(0x0,0x0)/Sata(0x0,0x0,0x1)

Unreferenced Variables:
 Boot000B* Front USB 2 : JetFlash Mass Storage Device PciRoot(0x0)/Pci(0x1d,0x0)/USB(0x0,0x0)/USB(0x4,0x0)
 Boot000E  Trigger ready-to-boot event Fv(cdbb7b35-6833-4ed6-9ab2-57d2acddf6f0)/FvFile(4affaab0-1376-44b4-9c6e-e92388751bc6)
 
There could be some firmware option to enable/disable configuring boot manager from OS. Possibly difficult to find, though. Not sure this is the case or not.
 
It would appear that your BIOS has Secure Boot enabled even though you have disabled it in BIOS settings.

I see this in my HP 840 G5. I can successfully disable secure boot and FreeBSD does boot. On my employer's HP 840 G9, Secure Boot will not successfully disable and FreeBSD will not boot unless it's signed by a M$ key.
 
So there are kernels in the wild that don't have efirt(9) built-in. It's probably worth it for tarkhil to try kldload efirt and see if the situation improves.

Do you have a /dev/efi before you kldload efirt?
This is my stripped-down custom config, but MINIMAL doesn't have this option enabled either. However, this is not worth checking explicitly because:
Code:
# efibootmgr
efibootmgr: efi variables not supported on this system. kldload efirt?
And no, the /dev/efi device appears only after the module has been loaded.
 
It would appear that your BIOS has Secure Boot enabled even though you have disabled it in BIOS settings.

I see this in my HP 840 G5. I can successfully disable secure boot and FreeBSD does boot. On my employer's HP 840 G9, Secure Boot will not successfully disable and FreeBSD will not boot unless it's signed by a M$ key.
Got it. I always thought that UEFI is something too complex to be really useful, but we have to live with it.
 
Secure Boot will not successfully disable and FreeBSD will not boot unless it's signed by a M$ key.
On that note, it would be great if there were instructions on how to build / configure FreeBSD bootloader and kernel to work with enabled Secure Boot. I have looked, but so far haven't found anything. If somebody knows how to do it, please share.
 
Here you go:
sysutils/sbsigntool/

Oh crap that is old stuff from 2019

 
On that note, it would be great if there were instructions on how to build / configure FreeBSD bootloader and kernel to work with enabled Secure Boot. I have looked, but so far haven't found anything. If somebody knows how to do it, please share.
It's not a matter of instructions but a matter of having the cert you use to sign your kernel and loader signed by M$.
 
It's not a matter of instructions but a matter of having the cert you use to sign your kernel and loader signed by M$.
Of course, I wasn't thinking about using the M$ key, I was thinking about using a MOK (Machine Owner Key) - there are tools for both generating and enrolling MOKs. Then it is just a small matter of whether the firmware on the machine will honor MOKs or not.
 
Of course, I wasn't thinking about using the M$ key, I was thinking about using a MOK (Machine Owner Key) - there are tools for both generating and enrolling MOKs. Then it is just a small matter of whether the firmware on the machine will honor MOKs or not.
That probably depends on the BIOS. For example my HP's BIOS is written by HP. They are concerned with supporting Windows only. I have no way to import my own cert. This depends on your vendor's support of importation of user secure boot keys. Mine doesn't yours might. And, it's out of scope for FreeBSD to document how to import a secure boot key for each hardware FreeBSD runs on.

This topic could become a wiki page people might be able to contribute to.
 
I agree about the UEFI / BIOS part.
However, the tools needed to generate, enroll and sign the necessary binaries (FreeBSD bootloader and kernel) would run under FreeBSD (granted, I have only used the Linux version of these tools so far). Tools needed: openssl (this one is in FreeBSD already), mokutil, sbsigntool. Then you use MokManager (mmx64.efi) to actually add your MOK to the UEFI.
FWIW, I tried signing the FreeBSD bootloader and kernel on a machine where I already had the tools, and the Linux part already working. Unfortunately, it did not work with FreeBSD. Maybe there are other parts that need signing too (kernel modules)?
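The last few posts describe the MOK workflow (generate a key with openssl, sign the loader with sbsigntool, enroll the certificate through MokManager or a vendor key-import menu) without showing it. The shell script below is an added example for this thread, not code from any poster: it creates the self-signed signing certificate and the DER copy that enrollment tools consume, keeps the private key readable by root only, and signs and verifies a PE/COFF EFI binary such as loader.efi with sbsign and sbverify. The function names gen_mok, mok_subject and sign_efi, the MOK.key/MOK.crt/MOK.der file names and the ten-year validity are this example's choices. Enrollment itself happens in the firmware, and whether the firmware honours the key is vendor-dependent, as the replies note; this script cannot change that.

```shell
#!/bin/sh
# mok_sign.sh: generate a Machine Owner Key (MOK) and sign EFI binaries with it.
# Added example for this thread, not code from any poster. It uses the tools
# the thread names (openssl and sysutils/sbsigntool); the function and file
# names are this example's own.
set -u

# gen_mok DIR: create a self-signed signing certificate (MOK.key, MOK.crt) and
# the DER copy (MOK.der) that MokManager / mokutil-style enrollment consumes.
# The private key is created under umask 077 so only its owner can read it.
gen_mok() {
    dir=$1
    mkdir -p "$dir"
    (umask 077 && openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=FreeBSD MOK/" -keyout "$dir/MOK.key" -out "$dir/MOK.crt") \
        >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/MOK.crt" -outform DER -out "$dir/MOK.der" || return 1
    chmod 600 "$dir/MOK.key"
}

# mok_subject DIR: print the subject of the generated certificate, so the
# enrolled key can be recognised later in the firmware's key listing.
mok_subject() {
    openssl x509 -in "$1/MOK.der" -inform DER -noout -subject
}

# sign_efi DIR INPUT OUTPUT: Authenticode-sign a PE/COFF EFI binary (e.g. the
# loader that becomes EFI/BOOT/BOOTx64.efi) with the MOK and verify the result
# against the certificate. Requires sbsign/sbverify from sysutils/sbsigntool.
sign_efi() {
    dir=$1; in=$2; out=$3
    if ! command -v sbsign >/dev/null 2>&1; then
        echo "sbsign not installed (sysutils/sbsigntool)" >&2
        return 1
    fi
    sbsign --key "$dir/MOK.key" --cert "$dir/MOK.crt" --output "$out" "$in" || return 1
    sbverify --cert "$dir/MOK.crt" "$out"
}

# Usage: . ./mok_sign.sh; gen_mok /root/mok; sign_efi /root/mok /boot/loader.efi /tmp/loader.efi.signed
```

After signing, copy the signed loader onto the ESP as EFI/BOOT/BOOTx64.efi and enroll MOK.der in the firmware. If the firmware offers no way to enroll a key, as the HP example in the thread, signing alone will not make Secure Boot accept the binary.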
 