[…]Forcing GRUB installation to the EFI removable media path does basically the same thing as when the Ubuntu installer asks you if you want to force UEFI installation: it installs to the removable media path in the ESP (EFI System Partition). This is fine for environments where no other operating system is present. However, if there is another operating system present on the device which depends on this fallback location, the “removable media path”, it will make this system temporarily unbootable (you can manually configure GRUB later to boot it if necessary though). The Windows installer, for example, *also* installs to the removable media path in the ESP. All OS installers installing things to this removable media path will conflict with any other such installers, and that’s why the Debian (and Ubuntu) installers don’t do this by default. You explicitly have to select UEFI mode during the normal installation (which is what I did).[…]
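Before forcing GRUB onto the removable media path, it helps to know which installer currently owns it. The following is an added example (not code from the quoted post): it hashes EFI/BOOT/BOOTX64.EFI on a mounted ESP and reports which vendor loader under EFI/<vendor>/ it is a copy of; the fake ESP it builds for the demo is constructed.

```python
"""Added example: which installer owns the ESP's removable-media fallback path?
Compares EFI/BOOT/BOOTX64.EFI against every vendor loader under EFI/<vendor>/
so you can see what forcing GRUB onto the fallback path would overwrite."""
import hashlib
from pathlib import Path

FALLBACK = Path("EFI/BOOT/BOOTX64.EFI")  # x86-64 removable media path


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def fallback_owner(esp: str) -> dict:
    """Return {'present': bool, 'matches': [...]} for the ESP mounted at `esp`.

    `matches` lists each .efi under EFI/<vendor>/ (vendor != BOOT) that is a
    byte-for-byte copy of BOOTX64.EFI. present=True with no matches means the
    fallback loader matches no vendor loader and deserves a manual look.
    """
    root = Path(esp)
    target = root / FALLBACK
    if not target.is_file():
        return {"present": False, "matches": []}
    digest = _sha256(target)
    matches = []
    for vendor in (root / "EFI").iterdir():
        if not vendor.is_dir() or vendor.name.upper() == "BOOT":
            continue
        for efi in vendor.rglob("*"):  # FAT is case-insensitive, so compare suffix lowercased
            if efi.is_file() and efi.suffix.lower() == ".efi" and _sha256(efi) == digest:
                matches.append(efi.relative_to(root).as_posix())
    return {"present": True, "matches": sorted(matches)}


def make_demo_esp(base: str) -> str:
    """Constructed fake ESP: Windows and Ubuntu loaders, fallback is Windows' copy."""
    root = Path(base)
    for d in ("EFI/Microsoft/Boot", "EFI/ubuntu", "EFI/BOOT"):
        (root / d).mkdir(parents=True, exist_ok=True)
    win = b"MZ constructed bootmgfw"
    (root / "EFI/Microsoft/Boot/bootmgfw.efi").write_bytes(win)
    (root / "EFI/ubuntu/shimx64.efi").write_bytes(b"MZ constructed shim")
    (root / "EFI/ubuntu/grubx64.efi").write_bytes(b"MZ constructed grub")
    (root / FALLBACK).write_bytes(win)  # the Windows installer claimed the fallback
    return base


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        print(fallback_owner(make_demo_esp(tmp)))
```

Run it against a real ESP with `fallback_owner("/boot/efi")`; an empty `matches` list with `present` true is the case worth investigating by hand.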
Adolfo V Aguayo of Intel announced the version 2.2 release of OpenCIT.
New Features in 2.2:
– TPM 2.0 support.
+ Added support for platform and asset tag attestation of Linux and Windows hosts with TPM 2.0.
+ Support attestation of either SHA1 or SHA256 PCR banks on TPM 2.0.
+ Ubuntu 16.04 and RHEL 7.2, 7.3 (SHA1 and SHA256), Windows Server 2012 and Hyper-V Server 2012 (SHA1) are supported with TPM 2.0.
– All the certificates and hashing algorithms used in CIT are upgraded to use SHA256. SHA1 has been deprecated and will no longer be used.
– CIT Attestation Service UI has been updated to allow the user to select either the SHA1 or SHA256 PCR bank for Attestation of TPM 2.0 hosts.
+ The CIT Attestation Service will automatically choose the strongest available algorithm for attestation (SHA1 for TPM 1.2, and SHA256 for TPM 2.0).
– CIT Attestation Service UI Whitelist tab no longer requires the user to select PCRs when whitelisting, and will automatically choose the PCRs to use based on the host OS and TPM version. This is done to reduce confusion due to differing behaviors between TPM 1.2 and TPM 2.0 PCR usages.
– Additional changes made to support TPM 2.0:
+ Linux hosts with TPM 2.0 will now utilize TPM2.0-TSS (TPM 2.0 Software Stack) and TPM2.0-tools instead of the legacy trousers and tpm-tools packages. The new TSS2 and TPM2.0-tools are packaged with the CIT Trust Agent installer.
+ TPM 2.0 Windows hosts use TSS.MSR (The TPM Software Stack from Microsoft Research) PCPTool.
+ TPM 1.2 hosts will continue to use the legacy TSS stack (trousers) and tpm-tools components.
For more information, see the full announcement on the project mailing list.
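Why a TPM 2.0 host needs a separate whitelist per PCR bank, and how the bank choice described in the release notes plays out: an added example (not OpenCIT code) that replays a constructed measurement log into SHA1 and SHA256 banks with the TPM extend rule, PCR_new = H(PCR_old || H(event)), then compares the chosen bank against a whitelist keyed by (OS, TPM version, bank). The fallback to SHA1 when a 2.0 TPM exposes no SHA256 bank is my assumption, not something the announcement states.

```python
"""Added example: PCR extend in two banks plus bank selection and whitelist check."""
import hashlib

# Constructed boot-measurement log: (PCR index, measured blob).
EVENTS = [
    (0, b"constructed firmware volume"),
    (0, b"constructed CRTM version"),
    (7, b"constructed SecureBoot=1"),
    (7, b"constructed db"),
]


def extend_bank(events, bank: str) -> dict:
    """Replay events into a fresh bank of the given hash; returns {pcr: hex_value}."""
    size = hashlib.new(bank).digest_size
    pcrs = {}
    for idx, blob in events:
        old = bytes.fromhex(pcrs.get(idx, "00" * size))   # PCRs start at all zeros
        digest = hashlib.new(bank, blob).digest()
        pcrs[idx] = hashlib.new(bank, old + digest).hexdigest()
    return pcrs


def choose_bank(tpm_version: str, banks_available) -> str:
    """Strongest bank per the 2.2 notes: SHA1 on TPM 1.2, SHA256 on TPM 2.0."""
    if tpm_version == "1.2":
        return "sha1"
    if "sha256" in banks_available:
        return "sha256"
    return "sha1"  # assumption: fall back if the 2.0 TPM exposes no SHA256 bank


def attest(host_pcrs_by_bank, tpm_version, whitelist, os_name, pcr_list):
    """Compare the chosen bank's PCRs with the whitelist; returns (trusted, bank, mismatches)."""
    bank = choose_bank(tpm_version, host_pcrs_by_bank.keys())
    expected = whitelist[(os_name, tpm_version, bank)]
    reported = host_pcrs_by_bank[bank]
    bad = [i for i in pcr_list if reported.get(i) != expected.get(i)]
    return (not bad, bank, bad)


def demo():
    """Known-good host passes; a host whose db measurement changed fails on PCR 7."""
    good = {b: extend_bank(EVENTS, b) for b in ("sha1", "sha256")}
    whitelist = {("ubuntu-16.04", "2.0", b): good[b] for b in good}
    tampered_log = EVENTS[:3] + [(7, b"constructed rogue db")]
    tampered = {b: extend_bank(tampered_log, b) for b in ("sha1", "sha256")}
    return (attest(good, "2.0", whitelist, "ubuntu-16.04", [0, 7]),
            attest(tampered, "2.0", whitelist, "ubuntu-16.04", [0, 7]))
```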
Bin Meng posted an 18-part patch to the SeaBIOS list, fixing multiple issues that may impact the installation of Ubuntu (only Ubuntu and no other Linux distros??) and Windows:
[PATCH v2 00/18] x86: acpi: Support installation of Ubuntu/Windows and boot Windows
SeaBIOS can be loaded by U-Boot to aid the installation of Ubuntu and Windows to a SATA drive and boot from there. But until now this has been broken: the installation either hangs forever or just crashes. This series fixes a bunch of issues that affect the installation of Ubuntu and Windows, and booting Windows.
Testing was performed on MinnowMax by:
– Install Ubuntu 14.04 and boot
– Install Windows 8.1 and boot
– Install Windows 10 and boot
This series is available at u-boot-x86/acpi2-working.
Changes in v2:
– New patch to remove the unnecessary checksum calculation of DSDT
– New patch to remove header length check when writing tables
– New patch to enable SeaBIOS on all boards
– New patch to add GPIO ASL description
Bin Meng (18):
x86: minnowmax: Adjust U-Boot environment address in SPI flash
x86: Call board_final_cleanup() in last_stage_init()
x86: Fix up PIRQ routing table checksum earlier
x86: Compile coreboot_table.c only for SeaBIOS
x86: Prepare configuration tables in dedicated high memory region
x86: Unify reserve_arch() for all x86 boards
x86: Reserve configuration tables in high memory
x86: Use high_table_malloc() for tables passing to SeaBIOS
x86: acpi: Switch to ACPI mode by ourselves instead of requested by OSPM
x86: acpi: Remove the unnecessary checksum calculation of DSDT
x86: acpi: Remove header length check when writing tables
x86: doc: Update information about IGD with SeaBIOS
x86: baytrail: Enable SeaBIOS on all boards
x86: doc: Mention Ubuntu/Windows installation and boot support
acpi: Quieten IASL output when ‘make -s’ is used
x86: baytrail: Add internal UART ASL description
x86: baytrail: Add GPIO ASL description
x86: doc: Add porting hints for ACPI with Windows
For more information, see the U-Boot list:
James Johnson has a project to help lock down Secure Boot on Ubuntu. Excerpt of the readme:
The stock Ubuntu 15.10 installation only implements secure boot just enough to get a Microsoft-signed shim in place. It does nothing to actually secure the boot process. This package can help users do so.
Features of ubuntu-secure-boot:
* Self-signed bootloader files: take control over your boot process by stripping Canonical / Microsoft signatures from your boot files and signing everything yourself.
* Summary of the files that are digitally signed and verified during the boot process:
  * GRUB itself (self-signed)
  * GRUB configuration (self-signed)
  * GRUB modules and other external files (self-signed)
  * Linux kernel (self-signed)
  * Linux initramfs / initrd (self-signed)
  * Linux kernel modules (using existing Canonical signatures)
* Self-signed private keys are stored in /etc/ubuntu-secure-boot/keys and protected by a passphrase.
* UEFI Secure Boot self-signed key pairs are generated and used to sign the self-contained GRUB .efi image. They can be imported into a UEFI firmware to take full control over the secure boot process.
* The secure GRUB image is added as a boot option in EFI firmware.
* Digital signature support in GRUB is enabled to check signatures on any boot file that is loaded from disk. The risk of loading an unsigned file from GRUB is eliminated (e.g. an unsigned kernel).
* GRUB is now deployed as a stand-alone .efi image that contains a memdisk with the full configuration and all loadable modules. This eliminates the risk of tampering with the GRUB configuration.
* GRUB is automatically locked down with a password so that users cannot tamper with boot settings or use advanced boot options.
* Unsigned GRUB files in /boot remaining from the original GRUB packages are completely wiped (but restored upon uninstall of this package).
* Newly-installed kernels are automatically signed whenever they are installed. Existing Canonical .efi signatures in the linux-signed-image-* packages are stripped and replaced with your signature.
* The initramfs is automatically re-signed whenever update-initramfs is run.
* Linux kernel module signing enforcement is automatically enabled by default. This can be controlled from /etc/default/grub.d/ubuntu-secure-boot.cfg.
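A quick way to confirm that the lockdowns the readme lists actually landed in the generated configuration: an added example (not part of ubuntu-secure-boot) that audits a grub.cfg for GRUB's documented signature enforcement, superuser and PBKDF2 password settings, and checks that every `linux` line carries the kernel's `module.sig_enforce=1` parameter. Both config fragments are constructed, with placeholder UUIDs and hashes.

```python
"""Added example: audit a grub.cfg for the lockdowns ubuntu-secure-boot applies."""
import re

# Constructed grub.cfg fragments; a real generated file is far longer.
HARDENED_CFG = """\
set check_signatures=enforce
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH
menuentry 'Ubuntu' --unrestricted {
    linux /vmlinuz-4.2.0-30-generic root=UUID=PLACEHOLDER ro module.sig_enforce=1
    initrd /initrd.img-4.2.0-30-generic
}
"""

STOCK_CFG = """\
menuentry 'Ubuntu' {
    linux /vmlinuz-4.2.0-30-generic root=UUID=PLACEHOLDER ro quiet splash
    initrd /initrd.img-4.2.0-30-generic
}
"""


def audit_grub_cfg(cfg: str) -> dict:
    """Return {check_name: True/False} for each lockdown found in the config text."""
    linux_lines = re.findall(r"^\s*linux(?:efi)?\s+(.*)$", cfg, flags=re.M)
    return {
        # Every file GRUB loads must carry a valid detached signature.
        "signature_enforcement": bool(
            re.search(r"^\s*set\s+check_signatures=enforce\s*$", cfg, re.M)),
        # A superuser is named, so menu editing and the GRUB shell need a login.
        "superuser_defined": bool(re.search(r"^\s*set\s+superusers=\S+", cfg, re.M)),
        # ...and that login is a PBKDF2 hash, not a cleartext 'password' line.
        "hashed_password": bool(
            re.search(r"^\s*password_pbkdf2\s+\S+\s+grub\.pbkdf2\.", cfg, re.M)),
        # The kernel refuses unsigned modules on every entry, not just some.
        "module_sig_enforce_all_entries": bool(linux_lines)
        and all("module.sig_enforce=1" in line.split() for line in linux_lines),
    }


def missing_lockdowns(cfg: str) -> list:
    """Names of the checks that failed, in a stable order."""
    return [name for name, ok in audit_grub_cfg(cfg).items() if not ok]


if __name__ == "__main__":
    print("hardened:", missing_lockdowns(HARDENED_CFG))
    print("stock:", missing_lockdowns(STOCK_CFG))
```

On a live system, pass the contents of the generated configuration (for this package, the one embedded in the GRUB memdisk image) rather than the stock /boot/grub/grub.cfg, which the readme says is wiped.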
David Hartsock has a blog post on the state of Ubuntu Secure Boot for those who have not been paying attention to things:
Ubuntu Secure Boot Threatens All PCs
We’re all doomed! Scary, right? Well, maybe, but I should explain a bit first. […]
Chris Hoffman of PCWorld has an article on Ubuntu’s UEFI security: