Grub installation and configuration

Grub installation and configuration

[Emmanuel Beffara]

Hello again,

Continuing on my adventures with installing Guix System on LVM on LUKS with
Grub as bootloader, I would like to suggest a few adujstments to how Grub is
installed in Guix:

- Install the keymaps in the EFI partition like the Grub modules, so that the
  proper keymap is setup early in the boot process.

  In the context of full-disk encryption, this is very important because in
  the current state of things, one has to enter the passphrase using the
  default US layout before the proper keymap can be loaded from the encrypted
  store. One can manage working around that with a bit of training, but having
  to enter a passphrase with an incorrect keymap is objectively a broken
  behaviour.

  Furthermore, when the kernel later requires the passphrase again, it has to
  be entered in the proper layout. This is inconsistent.

- Set the terminal_output before any user input is required (and in particular
  the passphrase request), for proper interaction.

  In my case, the laptop has a HiDPI display and Grub starts with a nice
  terminal in 3840x2160 resolution with very small characters. Not only is
  it unreadable, but Grub is also known to be extremely slow with high
  resolutions [1], which makes interaction painful.

[1] https://askubuntu.com/questions/1227735/grub-is-extremely-slow-1-second-per-key-input

- Offer the option to put kernels and initrds in the EFI partition (and also
  any resource needed by Grub like the background picture, locales etc), so
  that Grub can be fully functional without decrypting. Apart from solving the
  issue of having to enter the passphrase twice and with different keymaps,
  this would also allow having Guix System in an encrypted partition while
  allowing to boot other systems without requiring its passphrase.

I would love to propose patches for that but I am too much of a beginner with
Guix to be able to do that right now…

-- 
Emmanuel

Re: Grub installation and configuration

[Ludovic Courtès]

Hi Emmanuel,

Emmanuel Beffara <manu@beffara.org> skribis:

> - Install the keymaps in the EFI partition like the Grub modules, so that the
>   proper keymap is setup early in the boot process.

[...]

> - Set the terminal_output before any user input is required (and in particular
>   the passphrase request), for proper interaction.

[...]

> - Offer the option to put kernels and initrds in the EFI partition (and also
>   any resource needed by Grub like the background picture, locales etc), so
>   that Grub can be fully functional without decrypting. Apart from solving the
>   issue of having to enter the passphrase twice and with different keymaps,
>   this would also allow having Guix System in an encrypted partition while
>   allowing to boot other systems without requiring its passphrase.
>
> I would love to propose patches for that but I am too much of a beginner with
> Guix to be able to do that right now…

All good points!

Maybe what you can do, then, is report each issue to bug-guix@gnu.org
separately and provide guidance for the GRUB side of things: what should
the generated ‘grub.cfg’ look like after each of these points is
addressed?

In return, an experienced Guix person can provide guidance on the Guix
side of things so we converge towards an actual patch set.

Deal?  :-)

Ludo’.

Re: Grub installation and configuration

[Emmanuel Beffara]

De Ludovic Courtès le 07/03/2023 à 17:12:
> Maybe what you can do, then, is report each issue to bug-guix@gnu.org
> separately and provide guidance for the GRUB side of things: what should
> the generated ‘grub.cfg’ look like after each of these points is
> addressed?
> 
> In return, an experienced Guix person can provide guidance on the Guix
> side of things so we converge towards an actual patch set.
> 
> Deal?  :-)

All right! I'm by no means a Grub expert, but I will do my best…

-- 
Emmanuel

Re: Grub installation and configuration

[Vagrant Cascadian]

[-- Attachment #1: Type: text/plain, Size: 2190 bytes --]

On 2023-03-07, Ludovic Courtès wrote:
> Emmanuel Beffara <manu@beffara.org> skribis:
>
>> - Install the keymaps in the EFI partition like the Grub modules, so that the
>>   proper keymap is setup early in the boot process.
>
> [...]
>
>> - Set the terminal_output before any user input is required (and in particular
>>   the passphrase request), for proper interaction.
>
> [...]
>
>> - Offer the option to put kernels and initrds in the EFI partition (and also
>>   any resource needed by Grub like the background picture, locales etc), so
>>   that Grub can be fully functional without decrypting. Apart from solving the
>>   issue of having to enter the passphrase twice and with different keymaps,
>>   this would also allow having Guix System in an encrypted partition while
>>   allowing to boot other systems without requiring its passphrase.
>>
>> I would love to propose patches for that but I am too much of a beginner with
>> Guix to be able to do that right now…
>
> All good points!
>
> Maybe what you can do, then, is report each issue to bug-guix@gnu.org
> separately and provide guidance for the GRUB side of things: what should
> the generated ‘grub.cfg’ look like after each of these points is
> addressed?
>
> In return, an experienced Guix person can provide guidance on the Guix
> side of things so we converge towards an actual patch set.

Kind of related, with EFI you could actually install additional system
generations as entirely separate EFI boot entries
(e.g. /boot/efi/efi/guix-N and /boot/efi/efi/guix-N+1) in case the most
recent grub was broken for some reason.

Space for EFI variables will eventually run out if you have too many of
these, but would at least allow reverting to the last two or three or
maybe more generations of grub and their corresponding configurations.

This might be a violation of EFI specs, as I think you are supposed to
use the vendor name as the directory name, but technically ought to work
just fine.


Someone, who is whistling innocently right now, recently had a few too
many misadventures with EFI, but maybe some good can come of it. :)


live well,
  vagrant

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

Re: Grub installation and configuration

[Felix Lechner via]

Hi Vagrant,

On Tue, Mar 7, 2023 at 2:52 PM Vagrant Cascadian <vagrant@debian.org> wrote:
>
> Kind of related, with EFI you could actually install additional system
> generations as entirely separate EFI boot entries
> (e.g. /boot/efi/efi/guix-N and /boot/efi/efi/guix-N+1) in case the most
> recent grub was broken for some reason.

Great timing! I had the same thought today for unrelated reasons. (I
saw embedded equipment that daisy-chained Grub from U-Boot.) Would we
then ship rEFInd with all installations or just rely on the general
EFI variables mechanism to facilitate the selection of the desired
Grub version by the user?

Kind regards,
Felix Lechner