Handbook:X86/Installation/Configuring the bootloader
Selecting a boot loader
Now that the Linux kernel is configured, system tools are installed and configuration files are edited, it is time to install the last important piece of a Linux installation: the boot loader.
The boot loader is responsible for starting the kernel during the boot process. Without it, the system would not know how to proceed when the power button is pressed.
For x86, we cover how to configure GRUB and LILO on DOS/Legacy BIOS based systems, and GRUB and efibootmgr on UEFI systems.
In this section of the handbook a distinction is made between "emerging" the bootloader package and "installing" a bootloader to the system disk. Here the term "emerging" is used to ask Portage to make the software package available on the system. The term "installing" signifies the bootloader copying files or physically modifying the appropriate sections of the system's disk drive in order to render the bootloader activated and ready to operate at the next power on.
Default: GRUB
By default, the majority of Gentoo systems now rely upon GRUB (found in the sys-boot/grub package), which is the direct successor to GRUB Legacy. With no additional configuration, GRUB supports older BIOS ("pc") systems. With a small amount of configuration, necessary before build time, GRUB can support more than half a dozen platforms. For more details, consult the Prerequisites section of the GRUB article.
Emerge
When using an old BIOS system supporting only MBR partition tables, no additional configuration is needed to emerge GRUB:
root #
emerge --ask --verbose sys-boot/grub
UEFI users note: running the above command will output the enabled GRUB_PLATFORMS values before emerging. When using UEFI capable systems, users need to ensure that GRUB_PLATFORMS="efi-64" is enabled (as it is by default). If that is not the case, GRUB_PLATFORMS="efi-64" needs to be added to /etc/portage/make.conf before emerging GRUB:
root #
echo 'GRUB_PLATFORMS="efi-64"' >> /etc/portage/make.conf
root #
emerge --ask sys-boot/grub
If GRUB was emerged without GRUB_PLATFORMS="efi-64" first being added to make.conf, the line can be added (as shown above) and the world package set recalculated by passing the --update --newuse options to emerge:
root #
emerge --ask --update --newuse --verbose sys-boot/grub
GRUB has now been emerged on the system, but it is not yet installed as the secondary bootloader (SBL).
Install
Next, install the necessary GRUB files to the /boot/grub/ directory via the grub-install command. Presuming the first disk (the one where the system boots from) is /dev/sda, one of the following commands will do:
DOS/Legacy BIOS systems
For DOS/Legacy BIOS systems:
root #
grub-install /dev/sda
EFI systems
Make sure the EFI system partition has been mounted before running grub-install. Otherwise grub-install may install the GRUB EFI file (grubx64.efi) into the wrong directory without providing any indication that the wrong directory was used.
For EFI systems:
root #
grub-install --target=x86_64-efi --efi-directory=/efi
Installing for x86_64-efi platform. Installation finished. No error reported.
Upon successful installation, the output should match the output of the previous command. If the output does not match exactly, then proceed to Debugging GRUB, otherwise jump to the Configure step.
Optional: Secure Boot
To successfully boot with secure boot enabled the signing certificate must either be accepted by the UEFI firmware, or shim must be used as a pre-loader. Shim is pre-signed with the third-party Microsoft Certificate, accepted by default by most UEFI motherboards.
How to configure the UEFI firmware to accept custom keys depends on the firmware vendor, which is beyond the scope of the handbook. Below is shown how to setup shim instead. Here it is assumed that the user has already followed the instructions in the previous sections to generate a signing key and to configure portage to use it. If this is not the case please return first to the Kernel installation section.
The package sys-boot/grub installs a prebuilt and signed stand-alone EFI executable if the secureboot USE flag is enabled. Install the required packages and copy the stand-alone grub, Shim, and the MokManager to the same directory on the EFI System Partition. For example:
root #
emerge sys-boot/grub sys-boot/shim sys-boot/mokutil sys-boot/efibootmgr
root #
cp /usr/share/shim/BOOTX64.EFI /efi/EFI/Gentoo/shimx64.efi
root #
cp /usr/share/shim/mmx64.efi /efi/EFI/Gentoo/mmx64.efi
root #
cp /usr/lib/grub/grub-x86_64.efi.signed /efi/EFI/Gentoo/grubx64.efi
Next, register the signing key in Shim's MOKlist. This requires keys in the DER format, whereas sbsign and the kernel build system expect keys in the PEM format. In the previous sections of the handbook an example was shown to generate such a signing PEM key; this key must now be converted to the DER format:
root #
openssl x509 -in /path/to/kernel_key.pem -inform PEM -out /path/to/kernel_key.der -outform DER
The path used here must be the path to the pem file containing the certificate belonging to the generated key. In this example both key and certificate are in the same pem file.
Then the converted certificate can be imported into Shim's MOKlist. This command will ask to set a password for the import request:
root #
mokutil --import /path/to/kernel_key.der
When the currently booted kernel already trusts the certificate being imported, the message "Already in kernel trusted keyring." will be returned here. If this happens, re-run the above command with the argument --ignore-keyring added.
Next, register Shim with the UEFI firmware. In the following command, boot-disk and boot-partition-id must be replaced with the disk and partition identifier of the EFI system partition:
root #
efibootmgr --create --disk /dev/boot-disk --part boot-partition-id --loader '\EFI\Gentoo\shimx64.efi' --label 'GRUB via Shim' --unicode
Note that this prebuilt and signed stand-alone version of grub reads the grub.cfg from a different location than usual. Instead of the default /boot/grub/grub.cfg, the config file should be in the same directory as the grub EFI executable, e.g. /efi/EFI/Gentoo/grub.cfg. When sys-kernel/installkernel is used to install the kernel and update the grub configuration, the GRUB_CFG environment variable may be used to override the usual location of the grub config file.
For example:
root #
grub-mkconfig -o /efi/EFI/Gentoo/grub.cfg
Or, via installkernel:
/etc/env.d/99grub
GRUB_CFG=/efi/EFI/Gentoo/grub.cfg
root #
env-update
The import process will not be completed until the system is rebooted. After completing all steps in the handbook, restart the system; Shim will load and find the import request registered by mokutil. The MokManager application will start and ask for the password that was set when creating the import request. Follow the on-screen instructions to complete the import of the certificate, then reboot the system into the UEFI menu and enable the Secure Boot setting.
Debugging GRUB
When debugging GRUB, there are a couple of quick fixes that may result in a bootable installation without having to reboot to a new live image environment.
In the event that "EFI variables are not supported on this system" is displayed somewhere in the output, it is likely the live image was not booted in EFI mode and is presently in Legacy BIOS boot mode. The solution is to try the removable GRUB step mentioned below. This will overwrite the executable EFI file located at /EFI/BOOT/BOOTX64.EFI. Upon rebooting in EFI mode, the motherboard firmware may execute this default boot entry and execute GRUB.
Important: if grub-install returns an error like Could not prepare Boot variable: Read-only file system, it may be necessary to remount efivars read-write in order to install successfully:
root #
mount -o remount,rw,nosuid,nodev,noexec --types efivarfs efivarfs /sys/firmware/efi/efivars
This is caused by certain non-official Gentoo environments not mounting the special EFI filesystem by default. If the previous command does not run, then reboot using an official Gentoo live image environment in EFI mode.
Some motherboard manufacturers seem to only support the /efi/boot/ directory location for the .EFI file in the EFI System Partition (ESP). The GRUB installer can perform this operation automatically with the --removable option. Verify the ESP is mounted before running the following command. Presuming the ESP is mounted at /efi (as suggested earlier), execute:
root #
grub-install --target=x86_64-efi --efi-directory=/efi --removable
This will create the default directory defined by the UEFI specification, and then copy the grubx64.efi file to the "default" EFI file location defined by the same specification.
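The three failure modes described above (ESP not mounted, live image booted in legacy BIOS mode, efivarfs mounted read-only) can be checked before running grub-install. This is an added example, not part of the handbook: the function takes the ESP mountpoint, the EFI sysfs directory and the mounts file as arguments so it can be exercised against constructed input; on a live system call it as efi_preflight /efi /sys/firmware/efi /proc/mounts.

```shell
#!/bin/sh
# Pre-flight checks for: grub-install --target=x86_64-efi --efi-directory=$ESP
# Return codes: 0 = ok, 1 = ESP not mounted, 2 = not booted in EFI mode,
#               3 = efivarfs read-only (or not mounted at all).

mounted_at() {
    # $1 = mountpoint, $2 = mounts file in /proc/mounts format
    # (fields: device mountpoint fstype options dump pass)
    awk -v mp="$1" '$2 == mp { found=1 } END { exit !found }' "$2"
}

efivars_rw() {
    # $1 = mounts file; the first option of an efivarfs line is rw or ro
    awk '$3 == "efivarfs" { split($4, o, ","); if (o[1] == "rw") ok=1 }
         END { exit !ok }' "$1"
}

efi_preflight() {
    esp="$1"; efi_sysfs="$2"; mounts="$3"
    if ! mounted_at "$esp" "$mounts"; then
        # grub-install would silently drop grubx64.efi onto the root fs
        echo "ESP $esp is not a mountpoint; mount it before grub-install" >&2
        return 1
    fi
    if [ ! -d "$efi_sysfs" ]; then
        # this is the "EFI variables are not supported" situation
        echo "$efi_sysfs missing: live image booted in legacy BIOS mode" >&2
        return 2
    fi
    if ! efivars_rw "$mounts"; then
        # this is the "Could not prepare Boot variable: Read-only file system" situation
        echo "efivarfs not mounted read-write; remount it before grub-install" >&2
        return 3
    fi
    return 0
}
```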
Configure
Next, generate the GRUB configuration based on the user configuration specified in the /etc/default/grub file and the /etc/grub.d scripts. In most cases, no configuration is needed by the user, as GRUB will automatically detect which kernel to boot (the highest one available in /boot/) and what the root file system is. It is also possible to append kernel parameters in /etc/default/grub using the GRUB_CMDLINE_LINUX variable.
To generate the final GRUB configuration, run the grub-mkconfig command:
root #
grub-mkconfig -o /boot/grub/grub.cfg
Generating grub.cfg ...
Found linux image: /boot/vmlinuz-6.6.21-gentoo
Found initrd image: /boot/initramfs-genkernel-x86-6.6.21-gentoo
done
The output of the command must mention that at least one Linux image is found, as those are needed to boot the system. If an initramfs is used or genkernel was used to build the kernel, the correct initrd image should be detected as well. If this is not the case, go to /boot/ and check the contents using the ls command. If the files are indeed missing, go back to the kernel configuration and installation instructions.
The os-prober utility can be used in conjunction with GRUB to detect other operating systems on attached drives. Windows 7, 8.1, 10 and other Linux distributions are detectable. Those desiring dual-boot systems should emerge the sys-boot/os-prober package and then re-run the grub-mkconfig command (as shown above). If problems are encountered, be sure to read the GRUB article in its entirety before asking the Gentoo community for support.
Alternative 4: systemd-boot
Another option is systemd-boot, which works on both OpenRC and systemd machines. It is a thin chainloader and works well with secure boot.
Emerge
To install systemd-boot, enable the boot USE flag and re-install sys-apps/systemd (for systemd systems) or sys-apps/systemd-utils (for OpenRC systems):
/etc/portage/package.use/systemd-boot
sys-apps/systemd boot
sys-apps/systemd-utils boot
root #
emerge --ask sys-apps/systemd
Or
root #
emerge --ask sys-apps/systemd-utils
Installation
Now, install the systemd-boot loader to the EFI System Partition:
root #
bootctl install
Make sure the EFI system partition has been mounted before running bootctl install.
When using this bootloader, before rebooting, verify that a new bootable entry exists using:
root #
bootctl list
The kernel command line for new systemd-boot entries is read from /etc/kernel/cmdline or /usr/lib/kernel/cmdline. If neither file is present, then the kernel command line of the currently booted kernel is re-used (/proc/cmdline). On new installs it might therefore happen that the kernel command line of the live CD is accidentally used to boot the new kernel. The kernel command line for registered entries can be checked with:
root #
bootctl list
If no new entry exists, ensure the sys-kernel/installkernel package has been installed with the systemd and systemd-boot USE flags enabled, and re-run the kernel installation.
For the distribution kernels:
root #
emerge --ask --config sys-kernel/gentoo-kernel
For a manually configured and compiled kernel:
root #
make install
When installing kernels for systemd-boot, no root= kernel command line argument is added by default. On systemd systems that are using an initramfs, users may rely instead on systemd-gpt-auto-generator to automatically find the root partition at boot. Otherwise users should manually specify the location of the root partition by setting root= in /etc/kernel/cmdline, as well as any other kernel command line arguments that should be used, and then reinstall the kernel as described above.
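The lookup order described above (/etc/kernel/cmdline, then /usr/lib/kernel/cmdline, then the running kernel's /proc/cmdline) and the missing root= problem can be checked before reinstalling the kernel. This is an added example, not handbook code; the three file paths are arguments so the check can run against constructed files (on a live system: /etc/kernel/cmdline /usr/lib/kernel/cmdline /proc/cmdline).

```shell
#!/bin/sh
# Resolve the kernel command line that a new systemd-boot entry would get
# and flag the two pitfalls the handbook names.
# Return codes: 0 = ok, 1 = no root= argument, 2 = falling back to the
#               running (live image) command line.

resolve_cmdline() {
    # $1 = /etc/kernel/cmdline, $2 = /usr/lib/kernel/cmdline, $3 = /proc/cmdline
    for f in "$1" "$2"; do
        if [ -r "$f" ]; then
            # normalise whitespace so the result is one space-separated line
            tr -s '[:space:]' ' ' < "$f" | sed 's/^ //; s/ $//'
            return 0
        fi
    done
    # neither file exists: installkernel reuses the booted kernel's cmdline
    tr -s '[:space:]' ' ' < "$3" | sed 's/^ //; s/ $//'
    return 2
}

check_cmdline() {
    rc=0
    cl=$(resolve_cmdline "$1" "$2" "$3") || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "no cmdline file: the live image's command line would be reused: $cl" >&2
        return 2
    fi
    case " $cl " in
        *" root="*) return 0 ;;
        *) echo "kernel command line has no root= argument: $cl" >&2; return 1 ;;
    esac
}
```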
Optional: Secure Boot
When the secureboot USE flag is enabled, the systemd-boot EFI executable will be signed by portage automatically. Furthermore, bootctl install will automatically install the signed version.
To successfully boot with secure boot enabled the used certificate must either be accepted by the UEFI firmware, or shim must be used as a pre-loader. Shim is pre-signed with the third-party Microsoft Certificate, accepted by default by most UEFI motherboards.
How to configure the UEFI firmware to accept custom keys depends on the firmware vendor, which is beyond the scope of the handbook. Below is shown how to setup shim instead. Here it is assumed that the user has already followed the instructions in the previous sections to generate a signing key and to configure portage to use it. If this is not the case please return first to the Kernel installation section.
root #
emerge --ask sys-boot/shim sys-boot/mokutil sys-boot/efibootmgr
root #
bootctl install --no-variables
root #
cp /usr/share/shim/BOOTX64.EFI /efi/EFI/systemd/shimx64.efi
root #
cp /usr/share/shim/mmx64.efi /efi/EFI/systemd/mmx64.efi
Shim's MOKlist requires keys in the DER format, whereas sbsign and the kernel build system expect keys in the PEM format. In the previous sections of the handbook an example was shown to generate such a signing PEM key; this key must now be converted to the DER format:
root #
openssl x509 -in /path/to/kernel_key.pem -inform PEM -out /path/to/kernel_key.der -outform DER
The path used here must be the path to the pem file containing the certificate belonging to the generated key. In this example both key and certificate are in the same pem file.
Then the converted certificate can be imported into Shim's MOKlist:
root #
mokutil --import /path/to/kernel_key.der
When the currently booted kernel already trusts the certificate being imported, the message "Already in kernel trusted keyring." will be returned here. If this happens, re-run the above command with the argument --ignore-keyring added.
And finally, register Shim with the UEFI firmware. In the following command, boot-disk and boot-partition-id must be replaced with the disk and partition identifier of the EFI system partition:
root #
efibootmgr --create --disk /dev/boot-disk --part boot-partition-id --loader '\EFI\systemd\shimx64.efi' --label 'Systemd-boot via Shim' --unicode '\EFI\systemd\systemd-bootx64.efi'
The import process will not be completed until the system is rebooted. After completing all steps in the handbook, restart the system; Shim will load and find the import request registered by mokutil. The MokManager application will start and ask for the password that was set when creating the import request. Follow the on-screen instructions to complete the import of the certificate, then reboot the system into the UEFI menu and enable the Secure Boot setting.
Alternative 2: efibootmgr
On UEFI based systems, the UEFI firmware on the system (in other words, the primary bootloader) can be manipulated directly to look for UEFI boot entries. Such systems do not need an additional (also known as secondary) bootloader like GRUB in order to help boot the system. With that being said, the reason EFI based bootloaders such as GRUB exist is to "extend" the functionality of UEFI systems during the boot process. Using efibootmgr is really for those who desire to take a minimalist (although more rigid) approach to booting their system; using GRUB (see above) is easier for the majority of users because it offers a flexible approach when booting UEFI systems.
System administrators who desire to take a minimalist, although more rigid, approach to booting the system can avoid secondary bootloaders and boot the Linux kernel as an EFI stub.
Remember that the sys-boot/efibootmgr application is not a bootloader. It is a tool to interact with the UEFI firmware and update its settings, so that the previously installed Linux kernel can be booted with additional options (if necessary), or to allow multiple boot entries. This interaction is done through the EFI variables (hence the need for kernel support of EFI variables).
Be sure to read through the EFI stub kernel article before continuing. The kernel must have specific options enabled to be directly bootable by the system's UEFI firmware. It might be necessary to recompile the kernel.
It is also a good idea to take a look at the efibootmgr article for additional information.
To reiterate, efibootmgr is not a requirement to boot a UEFI system. The Linux kernel itself can be booted right away, additional kernel command line options can be built into the Linux kernel (there is a kernel configuration option, CONFIG_CMDLINE, that allows the user to specify boot parameters as command line options), and even an initramfs can be "built in" to the kernel.
First, configure installkernel for EFI stub kernels:
/etc/portage/package.accept_keywords/installkernel
sys-kernel/installkernel
sys-boot/uefi-mkconfig
app-emulation/virt-firmware
/etc/portage/package.use/installkernel
sys-kernel/installkernel efistub
Then reinstall installkernel, create the /efi directory and reinstall the kernel:
root #
emerge --ask sys-kernel/installkernel
root #
mkdir -p /efi
For distribution kernels:
root #
emerge --ask --config sys-kernel/gentoo-kernel{,-bin}
For manually managed kernels:
root #
make install
Create the EFI boot directory and copy the kernel file into this location, naming it bootx64.efi:
root #
mkdir -p /boot/efi/boot
root #
cp /boot/vmlinuz-* /boot/efi/boot/bootx64.efi
Install the efibootmgr package:
root #
emerge --ask sys-boot/efibootmgr
Next, tell the UEFI firmware to create a boot entry called "Gentoo" that points at the freshly compiled EFI stub kernel:
root #
efibootmgr --create --disk /dev/sda --part 2 --label "Gentoo" --loader "\efi\boot\bootx64.efi"
The UEFI specification mandates the use of \ as the directory separator.
If a memory-based file system (initramfs) is used, add the appropriate boot option for it:
root #
efibootmgr -c -d /dev/sda -p 2 -L "Gentoo" -l "\efi\boot\bootx64.efi" initrd='\initramfs-genkernel-x86-6.6.21-gentoo'
Additional kernel command line options may be passed by the firmware to the kernel by specifying them along with the initrd=... option as shown above.
With these changes made, a boot entry called "Gentoo" will be available when the system reboots.
Unified Kernel Image
If installkernel was configured to build and install unified kernel images, the unified kernel image should already be installed to the EFI/Linux directory on the EFI system partition. If this is not the case, ensure the directory exists and then run the kernel installation again as described earlier in the handbook.
To add a direct boot entry for the installed unified kernel image:
root #
efibootmgr --create --disk /dev/sda --part 1 --label "gentoo" --loader "\EFI\Linux\gentoo-x.y.z.efi"
Other Alternatives
For other options that are not covered in the Handbook, see the full list of available bootloaders.
Rebooting the system
Exit the chrooted environment and unmount all mounted partitions. Then type in that one magical command that initiates the final, true test: reboot.
(chroot) livecd #
exit
livecd~#
cd
livecd~#
umount -l /mnt/gentoo/dev{/shm,/pts,}
livecd~#
umount -R /mnt/gentoo
livecd~#
reboot
Do not forget to remove the live image, otherwise the system might boot from the live image again instead of the newly installed Gentoo system!
Once rebooted into the freshly installed Gentoo environment, it is time to finalize the Gentoo installation.