
Full UEFI support
Open, Normal | Public | FEATURE REQUEST

Description

We need to add UEFI support.
This includes boot from UEFI and Secure Boot.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close

Event Timeline

syncer created this task. Sep 23 2018, 2:08 PM
c-po added a subscriber: c-po. Sep 23 2018, 5:59 PM

What happens on Hypervisors not supporting UEFI or older Hardware Platforms without UEFI?

I never understood why this is so common, as I see not much benefit.

Most current distros can boot on legacy systems (e.g. with BIOS) and also on UEFI.
Since many new server platforms have switched to UEFI, we need to cover that.
Most of them can be switched from UEFI to legacy BIOS; however, there are devices that do not support such a change.

xrobau added a subscriber: xrobau. Edited Sep 23 2018, 9:18 PM

UEFI is not difficult.

Secure Boot *is* difficult, as we're compiling our own kernel, and someone needs to get signing keys blessed by Microsoft to sign the kernel and modules so they can be loaded under Secure Boot.

syncer triaged this task as High priority. Sep 25 2018, 1:54 PM
syncer assigned this task to UnicronNL.

I don't think we should support restricted boot. As per MS's own specification, all x86 boards should allow the user to disable it, and to my knowledge, they all do.

@dmbaturin I think you are missing the purpose; in some environments (e.g. with high-security requirements) it may be required.
If we can, we should support it.

syncer changed the status of subtask T859: boot from UEFI from Open to In progress. Oct 29 2018, 9:52 AM
syncer renamed this task from UEFI support to Full UEFI support.
syncer lowered the priority of this task from High to Normal. Nov 2 2018, 7:31 PM
pasik added a subscriber: pasik. Mar 12 2019, 6:09 PM
MarkC added a subscriber: MarkC. Edited Tue, May 21, 8:52 PM

Just commenting, UEFI boot is now working (tested in hyper-v gen2 VM with 1.2 20190520). Personally, I care from a performance perspective: hyper-v gen2 network adapters greatly outperform the "legacy network adapter" available to gen1, which is a full software emulated NIC.

Secure Boot, as @xrobau said, is trickier. You need Microsoft to approve a public EV code signing cert for the Microsoft UEFI Certificate Authority. This is what enables distros to produce signed code that hardware UEFIs and Hyper-V Secure Boot will support. Once you have a code signing cert, signing builds should be trivial. At the office, we actually sign even simple automation scripts we write up for clients. Overkill, but it made the auditors happy in certain environments. You just need to properly secure the code signing keys from unauthorized use.

Unfortunately, the Microsoft instructions for starting down this path are out of date. https://blogs.technet.microsoft.com/dubaisec/2016/03/14/diving-into-secure-boot/ references https://sysdev.microsoft.com which no longer resolves.

*EDIT: insane grammar fixed
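The comments above explain the Secure Boot chain (Microsoft UEFI CA signs a vendor's EFI binary, and the firmware or Hyper-V refuses unsigned images). A first sanity check a build pipeline can run, before even reaching the question of which CA trusts the key, is whether the produced EFI executable (kernel, shim or bootloader) carries an Authenticode signature at all. Below is an added example, not code from this task or from the VyOS project, that walks the PE/COFF headers to locate the Certificate Table (data directory entry 4) and the `WIN_CERTIFICATE` wrapper around the PKCS#7 blob. The `build_pe32plus` helper and the signature placeholder bytes are constructed for the demo and are not a real signature; the function, field offsets and constant names are the author's own choices, not a library API.

```python
import struct

# IMAGE_DIRECTORY_ENTRY_SECURITY is data directory index 4 in the PE/COFF spec.
SECURITY_DIR_INDEX = 4
WIN_CERT_REVISION_2_0 = 0x0200            # revision used by Authenticode
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # bCertificate holds a PKCS#7 SignedData


def find_authenticode(image: bytes):
    """Locate the embedded WIN_CERTIFICATE of a PE32/PE32+ image.

    Returns (file_offset, length, certificate_type), or None when the
    Certificate Table directory is empty (an unsigned EFI binary).
    Raises ValueError when the headers are malformed or point outside the file.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (size_opt,) = struct.unpack_from("<H", image, coff + 16)   # SizeOfOptionalHeader
    opt = coff + 20                                           # optional header start
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == 0x10B:       # PE32: NumberOfRvaAndSizes at +92, directories at +96
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:     # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (ndirs,) = struct.unpack_from("<I", image, opt + ndirs_off)
    if ndirs <= SECURITY_DIR_INDEX or dirs_off + 8 * (SECURITY_DIR_INDEX + 1) > size_opt:
        return None
    cert_off, cert_size = struct.unpack_from(
        "<II", image, opt + dirs_off + 8 * SECURITY_DIR_INDEX)
    if cert_off == 0 or cert_size == 0:
        return None
    # Unlike every other directory, the security entry is a raw file offset, not an RVA,
    # so it is checked against the file length rather than mapped through a section.
    if cert_size < 8 or cert_off + cert_size > len(image):
        raise ValueError("certificate table points outside the file")
    length, revision, cert_type = struct.unpack_from("<IHH", image, cert_off)
    if length < 8 or length > cert_size or revision != WIN_CERT_REVISION_2_0:
        raise ValueError("malformed WIN_CERTIFICATE header")
    return cert_off, length, cert_type


def build_pe32plus(sig_blob):
    """Constructed minimal PE32+ image (headers only, no sections) for this demo.

    When sig_blob is given it is wrapped in a WIN_CERTIFICATE of type
    PKCS_SIGNED_DATA, appended after the headers, and the Certificate Table
    directory entry is pointed at it; sig_blob is a placeholder, not a real signature.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    ndirs = 16
    opt_size = 112 + 8 * ndirs                      # PE32+ optional header with 16 dirs
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x0022)  # x86-64, EXE
    opt_fixed = struct.pack("<H", 0x20B) + b"\0" * (108 - 2) + struct.pack("<I", ndirs)
    headers_len = len(dos) + 4 + len(coff) + opt_size
    dirs = [(0, 0)] * ndirs
    cert = b""
    if sig_blob is not None:
        win_cert = struct.pack("<IHH", 8 + len(sig_blob), WIN_CERT_REVISION_2_0,
                               WIN_CERT_TYPE_PKCS_SIGNED_DATA) + sig_blob
        cert = win_cert + b"\0" * (-len(win_cert) % 8)  # table entries are 8-byte aligned
        dirs[SECURITY_DIR_INDEX] = (headers_len, len(cert))
    dir_bytes = b"".join(struct.pack("<II", addr, size) for addr, size in dirs)
    return dos + b"PE\0\0" + coff + opt_fixed + dir_bytes + cert


def describe(image: bytes) -> str:
    """Human-readable verdict for a build-pipeline log line."""
    found = find_authenticode(image)
    if found is None:
        return "unsigned: Secure Boot firmware will reject this image"
    off, length, ctype = found
    kind = "PKCS#7 SignedData" if ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA else "type 0x%x" % ctype
    return "signed: %s, %d bytes at file offset %d" % (kind, length, off)


if __name__ == "__main__":
    print(describe(build_pe32plus(None)))
    print(describe(build_pe32plus(b"\x30\x82placeholder-pkcs7")))
```

Presence of a `WIN_CERTIFICATE` only means the binary is signed by someone; whether the firmware boots it still depends on the signing certificate chaining to a key in the platform's `db` (or, under shim, the MOK list) and not appearing in `dbx`. Verifying the PKCS#7 itself against those databases is a separate step (for example with `sbverify` from the sbsigntools package), so treat this check as the cheap "did the signing stage actually run" gate in CI, not as a Secure Boot trust decision.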