Problems dual-booting with Grub2-BLS

Hello !

I’m aiming to use the new Grub2-BLS system (with Slowroll) on my daughter’s new laptop, as it is said to be more secure (at least, from what I read in recent openSUSE blog posts), and most of all, it seems to be more user-friendly about encrypted disks (as far as I’ve tried, the decryption GUI at boot looks smart, and most of all for a genuine French user, the keyboard layout is well set).

But as I’ll try to keep the Windows partition on the disk (just in case…), I’m getting problems with every try I made.

Everything I will describe has been tried on a VirtualBox VM with Secure Boot and TPM 2 enabled.

First, I tried to install Slowroll alongside the Windows partition, as I always did before with Grub2-EFI, but contrary to Grub2-EFI, the Grub2-BLS implementation doesn’t seem to care at all about os-probing. I finally get only openSUSE options in the grub menu when the install is done, no Windows boot manager (nor the UEFI boot menu and alternatives I was used to in my previous Grub2-EFI installs).

So, second option, I tried to set up entries in /boot/efi/loader, as described in this post. But it doesn’t change anything, as the system seems to totally ignore any entry with an “efi” key in the file, though I feel that what I’m doing conforms to the bootloader spec, as described here.

Third, after all of these tries, I finally decided to change options and installed the rEFInd boot utility so I can choose between Windows and openSUSE (while the openSUSE option launches the imperfect grub menu from BLS). Everything works well… until the first “zypper dup” on the system, because when it’s done, it overwrites the boot order and puts the openSUSE shim/grub before the rEFInd entry. And once again, the computer boots to a grub menu without the Windows boot manager. Setting “UPDATE_NVRAM=no” in /etc/sysconfig/bootloader doesn’t change anything (as a matter of fact, it’s already set like this); same result for setting “UPDATE_NVRAM=0” in /etc/default/grub.

I know I could teach my daughter to mess with the BIOS options to reorder things once in a while or to boot Windows. Sorry, but it’s not a correct use case for her. I don’t understand if I’m doing something wrong or if Grub2-BLS is the culprit (which seems so, but maybe it’s the recent implementation in openSUSE that isn’t perfect). If so, it really needs to evolve to a more alternative-OS-friendly mood…

Anyway, your help will be much appreciated :sweat_smile:

Thanks !

You forgot to show them.

Well, I suppose that I did precisely what’s in the post I linked (Add a systemd-boot loader Menu entry for a Windows installation using a separate ESP Partition):

1- Installed edk2-shell

2- Copied /usr/lib/edk2/Shell.efi to /boot/efi/shellx64.efi

3- Launched blkid

/dev/mapper/cr_root: UUID="43b5ba65-e95c-464b-ba75-f8ed28f6e3d0" UUID_SUB="ad8f74ca-c8bf-4043-b60a-0c692ec55099" BLOCK_SIZE="4096" TYPE="btrfs"
/dev/sda4: UUID="59100ee7-f19b-450d-9aa4-0990331d1964" TYPE="crypto_LUKS" PARTUUID="3f0d2e39-7379-4557-9ac0-ddf3e20d2914"
/dev/sda2: PARTLABEL="Microsoft reserved partition" PARTUUID="0c2f6d4c-cc9c-42e3-b486-1469f2dbedb5"
/dev/sda5: UUID="46344bc6-ddc7-4e62-9a60-bff8d773d188" TYPE="swap" PARTUUID="9820eb3c-97ab-44e6-9bf1-b06e8ef3a843"
/dev/sda3: BLOCK_SIZE="512" UUID="AE2A9E3A2A9E000F" TYPE="ntfs" PARTLABEL="Basic data partition" PARTUUID="b9f99cc0-2c28-4c02-b79f-27aa39c33aaa"
/dev/sda1: UUID="8483-49F3" BLOCK_SIZE="512" TYPE="vfat" PARTLABEL="EFI system partition" PARTUUID="3b21b70e-4e9e-42e3-89c7-5a638b036b7a"

4- Switched off Secure Boot and booted shellx64.efi to get the EFI blocks list

5- Switched Secure boot on again then created /boot/efi/windows.nsh

HD0a65535a1:EFI\Microsoft\Boot\Bootmgfw.efi

6- Created /boot/efi/loader/entries/windows, containing

title  Windows
efi     /shellx64.efi
options -nointerrupt -noconsolein -noconsoleout windows.nsh

7- Rebooted, and got no “Windows” entry in the boot menu

Some more notes:

  • enabling or disabling Secure Boot at stage 7 doesn’t change anything
  • changing shellx64.efi to shell.efi at stages 2, 4 and 6 gets no result either
  • trying to edit one of the grub entries at boot in order to force “efi /shellx64.efi -nointerrupt -noconsolein -noconsoleout windows.nsh” ends with the following error message: “error: …/…/grub-core/script/function.c:119:can’t find command ‘efi’.” Somehow, it looks like grub2-BLS relies on systemd-boot entries but can’t launch efi commands, so I don’t know how I could change these entries to boot anything other than Linux

Yes, grubbls (or, more precisely, the GRUB2 blscfg/bls_import commands) ignores any BLS entry without a linux key. And (open)SUSE grubbls is built to only parse BLS entries; it ignores the “normal” grub.cfg.

The pragmatic solution is to use systemd-boot, which offers more functionality. In particular, it will (try to) auto-detect the Windows EFI bootloader and add it to the menu. TBH I still do not understand the purpose of grubbls when systemd-boot already exists.

There is no abstract security. You need to start with your threat model and what you are protecting against. In particular

you apparently confuse “security” with “convenience”. With grub2-bls/systemd-boot the initrd is unprotected on the ESP. Anyone with physical access to your system can add malware to the initrd (e.g. logging your LUKS passphrase or installing a rootkit). So, without any further measures, grub2-bls is less secure because it does not protect against at least one class of attacks that the standard grub2-efi does.
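The reply above says that grubbls only imports BLS entries carrying a linux key, so an efi-only entry such as the Windows one from the earlier post is silently dropped even though systemd-boot would accept it. The following checker, added here as an example and not code from openSUSE, GRUB or the thread, parses type #1 entry files and reports for each one whether it is a valid spec entry (named *.conf and carrying a linux or efi key) and whether grubbls would import it under that rule. The three sample entries are constructed: “windows” reproduces the entry from the post, the other two are invented for illustration.

```python
"""Classify Boot Loader Specification (type #1) entries the way the thread
describes grubbls treating them: only entries with a `linux` key are imported,
`efi`-only entries are ignored (systemd-boot would still accept them).
Added example, not openSUSE/GRUB code; the sample entries are constructed."""
import os

# Constructed samples. "windows" mirrors the entry from the thread (no .conf
# suffix, efi key only); "windows.conf" is the same entry correctly named;
# "opensuse.conf" is an invented linux entry of the kind grubbls imports.
SAMPLE_ENTRIES = {
    "windows": (
        "title  Windows\n"
        "efi     /shellx64.efi\n"
        "options -nointerrupt -noconsolein -noconsoleout windows.nsh\n"
    ),
    "windows.conf": (
        "title   Windows\n"
        "efi     /shellx64.efi\n"
        "options -nointerrupt -noconsolein -noconsoleout windows.nsh\n"
    ),
    "opensuse.conf": (
        "title   openSUSE Slowroll\n"
        "linux   /opensuse/linux\n"
        "initrd  /opensuse/initrd\n"
        "options root=/dev/mapper/cr_root splash=silent\n"
    ),
}


def parse_entry(text):
    """Parse one entry file into {key: [values]}.

    Keys may repeat (several initrd lines are allowed), so every key maps to
    a list. Blank lines and '#' comments are skipped."""
    entry = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entry.setdefault(parts[0], []).append(parts[1].strip() if len(parts) > 1 else "")
    return entry


def classify(filename, text):
    """Describe how one entry fares.

    spec_valid:     named *.conf and carrying a linux or efi key
    grubbls_import: spec_valid and carrying a linux key (the thread's observation)
    problems:       human-readable reasons for either failing"""
    entry = parse_entry(text)
    problems = []
    if not filename.endswith(".conf"):
        problems.append("file name lacks the .conf suffix the spec requires")
    if "linux" not in entry and "efi" not in entry:
        problems.append("neither linux nor efi key")
    spec_valid = not problems
    grubbls_import = spec_valid and "linux" in entry
    if spec_valid and not grubbls_import:
        problems.append("efi-only entry: grubbls imports only entries with a linux key")
    return {"spec_valid": spec_valid, "grubbls_import": grubbls_import, "problems": problems}


def scan_entries(directory):
    """Classify every file in a loader/entries directory (e.g. /boot/efi/loader/entries)."""
    report = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                report[name] = classify(name, fh.read())
    return report


def scan_samples():
    """Classify the constructed samples without touching a real ESP."""
    return {name: classify(name, text) for name, text in SAMPLE_ENTRIES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        state = "grubbls imports" if result["grubbls_import"] else "grubbls ignores"
        print(f"{name:16} {state:16} {'; '.join(result['problems']) or 'ok'}")
```

Run it as-is to see the three samples classified, or call scan_entries("/boot/efi/loader/entries") on a real system; an entry reported as spec_valid but not grubbls_import is exactly the case the reply describes, and renaming or editing it will not help while grubbls is the loader.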
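The point about the unprotected initrd on the ESP can at least be turned into a detection: hash every file on the ESP from a known-good state and compare on later boots. The script below is an added example, not part of the thread or of openSUSE; it builds a SHA-256 manifest of a directory tree and diffs two manifests, and its demo() runs the whole cycle on a throwaway fake ESP with constructed file contents, simulating a modified initrd and an extra file dropped next to the loader.

```python
"""Detect modification of files on an unencrypted ESP (shim, grub, initrd ...)
by comparing a SHA-256 manifest taken earlier with a fresh scan.
Added example, not part of the thread or of openSUSE; the fake ESP layout and
file contents in demo() are constructed."""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(full, root)] = digest.hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Return sorted lists of files added, removed, or changed since baseline."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo():
    """Simulate a tampered initrd on a fake ESP and return the resulting diff."""
    with tempfile.TemporaryDirectory() as esp:
        # Constructed layout loosely modelled on an openSUSE ESP; contents are dummies.
        files = {
            "EFI/opensuse/shim.efi": b"shim-bytes",
            "EFI/opensuse/grub.efi": b"grub-bytes",
            "opensuse/6.12/linux": b"kernel-bytes",
            "opensuse/6.12/initrd": b"initrd-bytes",
        }
        for rel, data in files.items():
            path = os.path.join(esp, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        baseline = build_manifest(esp)  # taken from the trusted state

        # Simulate an offline modification of the initrd and a new file on the ESP.
        with open(os.path.join(esp, "opensuse/6.12/initrd"), "ab") as fh:
            fh.write(b"\x00appended\x00")
        with open(os.path.join(esp, "EFI/opensuse/extra.efi"), "wb") as fh:
            fh.write(b"new-bytes")

        return compare_manifests(baseline, build_manifest(esp))


if __name__ == "__main__":
    print(demo())
```

Two design points matter in practice. Keep the baseline manifest on the encrypted root (or off the machine), never on the ESP it describes, since anyone who can edit the initrd can edit a manifest stored beside it. And note that a check run from the booted system executes after the possibly modified initrd has already run, so this is after-the-fact detection only; preventing the attack means having the initrd covered by signing or measurement, which, as the reply says, the default grub2-bls/systemd-boot setup does not do.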

Thanks Arvidjaar :slight_smile: Well, as far as I understand your answer, there’s no way to get the Windows boot manager in the grub menu with Grub-BLS, and it might be less secure than Grub-EFI :frowning: And there might be no way to prevent Grub2-BLS from putting itself in first rank among the EFI boot loaders.

Well, it makes me wonder why openSUSE is promoting this evolution :thinking:

My security case is simple: my daughter is going to use her laptop in different places, some less secure than others, and I want her data to be protected in case the laptop is stolen. Classical encryption scheme.

From what you said, I’ll give up on convenience and get back to Grub2-EFI. Besides the good-looking GUI (:wink:), the main problem is the keyboard layout, as the passphrase will have characters that aren’t in the same place on English and French layouts. But if there’s no way to start with a French layout, I might just configure a passphrase with the “corrected” letters; she doesn’t need to know she’s typing “q” while she’s using the “a” key… :joy:
