reset -c -fwui
There, you have it.
We're full of IT!
Yeah, I have my reasons for this (mostly I commit on Windows, run the builds through GitHub Actions but compile from a non version-controlled Linux, and I don't want to suffer the wastage of yet another lengthy and cumbersome clone of EDK2).
This is mostly taken from https://stackoverflow.com/a/37378302/1069307:
mkdir edk2 git update-index --add --cacheinfo 160000 b158dad150bf02879668f72ce306445250838201 edk2 cat <<EOF >>.gitmodules [submodule "edk2"] path = edk2 url = https://github.com/tianocore/edk2.git EOF
Of course, you should replace the commit hash with whatever current or stable EDK2 commit hash you want to point to.
And with this, you'll have added EDK2 as a submodule of your project without going through a cumbersome clone.
In their typical fashion, unless you know what you're doing, Microsoft made it incredibly difficult to get your hands on a simple basic executable, that they should by all means provide as an easily accessible download, since it's one of the basic brick to try and safeguard a Windows platform.
Well, we know what we're doing, which is to use a very handy technique that we picked up from actual malware, so, from PowerShell:
curl.exe -L -A "Microsoft-Symbol-Server/10.0.0.0" https://msdl.microsoft.com/download/symbols/signtool.exe/910D667173000/signtool.exe -o signtool.exe
It looks like ThunderBird and the EDK2 mailing list don't play too nice together, and you get annoying double line feeds being inserted into patches sent to the list, which are a major pain to deal with. And since I've grown tired of manually having to fix something like this:
Subject: [edk2-platforms][PATCH 1/1] Platform/RaspberryPi: Fix Linux kernel panic on reset/poweroff From: Pete Batard <pete@akeo.ie> Date: 2021.01.05, 14:09 To: devel@edk2.groups.io Commit 94e9fba43d7e132be3c582c676968a7f408072c1 introduced an unconditional call to PcdGet32 after we exit boot services, that produces a kernel panic on Linux reset. This addendum to the previous commit ensures that we only read the PCD and apply the delay while we are still in UEFI, which is what we want anyway as the goal was to fix the storage of NV variables set by the user from within the UEFI firmware interface. Signed-off-by: Pete Batard <pete@akeo.ie> --- Platform/RaspberryPi/Library/ResetLib/ResetLib.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/Platform/RaspberryPi/Library/ResetLib/ResetLib.c b/Platform/RaspberryPi/Library/ResetLib/ResetLib.c index 4a50166dd63b..a70eee485ddf 100644 --- a/Platform/RaspberryPi/Library/ResetLib/ResetLib.c +++ b/Platform/RaspberryPi/Library/ResetLib/ResetLib.c @@ -52,13 +52,13 @@ LibResetSystem ( * Only if still in UEFI. */ EfiEventGroupSignal (&gRaspberryPiEventResetGuid); - } - Delay = PcdGet32 (PcdPlatformResetDelay); - if (Delay != 0) { - DEBUG ((DEBUG_INFO, "Platform will be reset in %d.%d seconds...\n", - Delay / 1000000, (Delay % 1000000) / 100000)); - MicroSecondDelay (Delay); + Delay = PcdGet32 (PcdPlatformResetDelay); + if (Delay != 0) { + DEBUG ((DEBUG_INFO, "Platform will be reset in %d.%d seconds...\n", + Delay / 1000000, (Delay % 1000000) / 100000)); + MicroSecondDelay (Delay); + } } DEBUG ((DEBUG_INFO, "Platform %a.\n", (ResetType == EfiResetShutdown) ? "shutdown" : "reset")); -- 2.29.2.windows.2Into this:
Subject: [edk2-platforms][PATCH 1/1] Platform/RaspberryPi: Fix Linux kernel panic on reset/poweroff From: Pete Batard <pete@akeo.ie> Date: 2021.01.05, 14:09 To: devel@edk2.groups.io Commit 94e9fba43d7e132be3c582c676968a7f408072c1 introduced an unconditional call to PcdGet32 after we exit boot services, that produces a kernel panic on Linux reset. This addendum to the previous commit ensures that we only read the PCD and apply the delay while we are still in UEFI, which is what we want anyway as the goal was to fix the storage of NV variables set by the user from within the UEFI firmware interface. Signed-off-by: Pete Batard <pete@akeo.ie> --- Platform/RaspberryPi/Library/ResetLib/ResetLib.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/Platform/RaspberryPi/Library/ResetLib/ResetLib.c b/Platform/RaspberryPi/Library/ResetLib/ResetLib.c index 4a50166dd63b..a70eee485ddf 100644 --- a/Platform/RaspberryPi/Library/ResetLib/ResetLib.c +++ b/Platform/RaspberryPi/Library/ResetLib/ResetLib.c @@ -52,13 +52,13 @@ LibResetSystem ( * Only if still in UEFI. */ EfiEventGroupSignal (&gRaspberryPiEventResetGuid); - } - Delay = PcdGet32 (PcdPlatformResetDelay); - if (Delay != 0) { - DEBUG ((DEBUG_INFO, "Platform will be reset in %d.%d seconds...\n", - Delay / 1000000, (Delay % 1000000) / 100000)); - MicroSecondDelay (Delay); + Delay = PcdGet32 (PcdPlatformResetDelay); + if (Delay != 0) { + DEBUG ((DEBUG_INFO, "Platform will be reset in %d.%d seconds...\n", + Delay / 1000000, (Delay % 1000000) / 100000)); + MicroSecondDelay (Delay); + } } DEBUG ((DEBUG_INFO, "Platform %a.\n", (ResetType == EfiResetShutdown) ? "shutdown" : "reset")); -- 2.29.2.windows.2
Here's a quick Python script that'll automate that for you:
import argparse if __name__ == '__main__': parser = argparse.ArgumentParser() parser.add_argument('files', type=argparse.FileType('rb+'), nargs='+') args = parser.parse_args() for file in args.files: buffer = bytearray(file.read()) # Delete initial empty line while (buffer[0] == 0x0d) or (buffer[0] == 0x0a): del buffer[0] # Un-split Subject: CC: etc. for i in range(buffer.find(b'\x0d\x0a---')): if (buffer[i] == 0x3a) and (buffer[i+1] == 0x0d) and (buffer[i+2] == 0x0a): del buffer[i+1] buffer[i+1] = 0x20 # Remove double CRLF from chunks i = buffer.find(b'\x0d\x0a@@') while i < len(buffer) - 3: if (buffer[i] == 0x0d) and (buffer[i+1] == 0x0a) and (buffer[i+2] == 0x0d) and (buffer[i+3] == 0x0a): del buffer[i] del buffer[i] i = i + 1 file.seek(0) file.write(buffer) file.truncate()
If you're developing UEFI firmware content, sooner or later you're going to want to dump binary data using the debug facility.
And so, without further ado:
(...) #include <Library/BaseLib.h> #include <Library/PrintLib.h> (...) STATIC VOID DumpBufferHex ( VOID* Buf, UINTN Size ) { UINT8* Buffer = (UINT8*)Buf; UINTN i, j, k; char Line[80] = ""; for (i = 0; i < Size; i += 16) { if (i != 0) { DEBUG ((DEBUG_INFO, "%a\n", Line)); } Line[0] = 0; AsciiSPrint (&Line[AsciiStrLen (Line)], 80 - AsciiStrLen (Line), " %08x ", i); for (j = 0, k = 0; k < 16; j++, k++) { if (i + j < Size) { AsciiSPrint (&Line[AsciiStrLen (Line)], 80 - AsciiStrLen (Line), "%02x", Buffer[i + j]); } else { AsciiSPrint (&Line[AsciiStrLen (Line)], 80 - AsciiStrLen (Line), " "); } AsciiSPrint (&Line[AsciiStrLen (Line)], 80 - AsciiStrLen (Line), " "); } AsciiSPrint (&Line[AsciiStrLen (Line)], 80 - AsciiStrLen (Line), " "); for (j = 0, k = 0; k < 16; j++, k++) { if (i + j < Size) { if ((Buffer[i + j] < 32) || (Buffer[ i + j] > 126)) { AsciiSPrint (&Line[AsciiStrLen (Line)], 80 - AsciiStrLen (Line), "."); } else { AsciiSPrint (&Line[AsciiStrLen (Line)], 80 - AsciiStrLen (Line), "%c", Buffer[i + j]); } } } } DEBUG ((DEBUG_INFO, "%a\n", Line)); }
Say you have the following file.xml
:
<?xml version="1.0" encoding="UTF-8"?> <data> <item name="Item 1" id="0" /> <item name="Item 2" id="1001" /> <item name="Item 3" id="0" /> <item name="Item 4" id="1002" /> <item name="Item 5" id="1005" /> <item name="Item 6" id="0" /> </data>And you want to replace all those
"0"
id
attributes with incremental values.If you have PowerShell, this can be accomplished pretty easily with the following commands:
$xml = New-Object xml $xml.Load("$PWD\file.xml") $i = 2001; foreach ($item in $xml.data.item) { if ($item.id -eq 0) { $item.id = [string]$i; $i++ } } $xml.Save("$PWD\updated.xml")
Now your output (updated.xml
) looks like:
<?xml version="1.0" encoding="UTF-8"?> <data> <item name="Item 1" id="2001" /> <item name="Item 2" id="1001" /> <item name="Item 3" id="2002" /> <item name="Item 4" id="1002" /> <item name="Item 5" id="1005" /> <item name="Item 6" id="2003" /> </data>
Easy-peasy...
usbxhci.sys
, that you want to investigate using Ghidra..pdb
debug symbols for the Windows executable you are analysing..pdb
to be 3 to 5 times larger than the resulting code) this debug information is not usually provided with Windows, unless you are running a Debug/Checked build.symchk.exe
somewhere in C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\
. This is the utility that can connect to the Microsoft's servers to fetch the symbol files, i.e. the compilation .pdb
's that Microsoft has made public.USBXHCI.SYS
- Why Microsoft suddenly decided to YELL ITS NAME is unknown) to some directory. All you need to do to retrieve its associated .pdb
then is issue the command:"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\symchk.exe" /s srv*https://msdl.microsoft.com/download/symbols /ocx .\ USBXHCI.SYS
/s
flag indicates where the symbols should be retrieved from (here the Microsoft's remote server) and the /ocx
flag, followed by a folder, indicates where the .pdb
should be copied (here, the same directory as the one where we have our driver).SYMCHK: FAILED files = 0 SYMCHK: PASSED + IGNORED files = 1
PASSED files
is not zero, and you should find a newly created usbxhci.pdb
in your directory. Neat!FUN_1c003ac90()
function name, into a much more indicative XilRegister_ReadUlong64()
...usbxhci.sys
driver, that can set 64-bit xHCI register accesses to be enacted as two 32-bit ones..pdb
we've just retrieved above, Ghidra helpfully tells you that there does exist a function call at address 1c003ac90
called XilRegister_ReadUlong64
, you are going to be exceedingly interested in having a look at that call:undefined8 XilRegister_ReadUlong64(longlong param_1,undefined8 *param_2) { undefined8 local_30 [6]; local_30[0] = 0; if (*(char *)(*(longlong *)(param_1 + 8) + 0x219) == '\0') { DataSynchronizationBarrier(3,3); if ((*(ulonglong *)(*(longlong *)(param_1 + 8) + 0x150) & 1) == 0) { // 64-bit qword access local_30[0] = *param_2; } else { DataSynchronizationBarrier(3,3); // 2x32-bit dword access local_30[0] = CONCAT44(*(undefined4 *)((longlong)param_2 + 4),*(undefined4 *)param_2); } } else { Register_ReadSecureMmio(param_1,param_2,3,1,local_30); } return local_30[0]; }
if
condition is ultimately encoded as a tbnz
ARM64 instruction. So if we revert that logic, by using a tbz
instead of tbnz
, we should be able to force the failing 64-bit reads to be enacted as 2x32-bit, which may fix our xHCI driver woes...USBXHCI.SYS
and changing the EA 00 00 37
sequence at address 0x03a0d0
to EA 00 00 36
(tbnz
→ tbz
) and, for good measure, do the same for XilRegister_WriteUlong64
at address 0x005b34
, by also changing 0A 01 00 37
into 0A 01 00 36
to reverse the logic. "Yes that'll do".nointegritychecks on
in the BCD. And while we're at it we may want to enable test signing as well. Now, most of the commands you'll see are for the local BCD, but that's not what we are after here, since we want to modify a USB installed version of Windows, where, in our case, the BCD is located at S:\EFI\Microsoft\Boot\BCD
. So the trick to achieving that (from a command prompt running elevated) is:bcdedit /store S:\EFI\Microsoft\Boot\BCD /set {default} testsigning on bcdedit /store S:\EFI\Microsoft\Boot\BCD /set {default} nointegritychecks on
USBXHCI.SYS
to Windows\System32\drivers\
you will still be greeted by an obnoxiousRecovery Your PC/Device needs to be repaired The operating system couldn't be loaded because a critical system driver is missing or contains errors. File: \Windows\System32\drivers\USBXHCI.SYS Error code: 0xc0000221
Oh noes! |
0xc0000221
(STATUS_IMAGE_CHECKSUM_MISMATCH
) error code, is that the optional PE checksum field, used by Windows to validate critical boot executables, has not been updated after we altered USBXHCI.SYS
. Therefore checksum validation fails, and this is precisely what the Windows boot process is complaining about.PEChecksum64.exe
(e.g. from here) and issue the command:D:\Dis\>PEChecksum64.exe USBXHCI.SYS USBXHCI.SYS: Checksum updated from 0x0008D39B to 0x0008D19B
0xc000000f
from winload.exe
(though you can still proceed to full boot from there).USBXHCI.SYS
on a fast USB 3.0 flash drive containing an Raspberry Pi Windows 10 ARM64 installation created using WOR (and if you happen to have the latest EEPROM flashed as well as a version of the Raspberry Pi 4 UEFI firmware that includes this patch, you can actually boot the whole thing straight from USB), and, while we are at it, remove the 1 GB RAM limit that the Pi 4 had to have when booting from USB-C port (since we're not going to use that USB controller), by issuing, from an elevated prompt:bcdedit /store Y:\EFI\Microsoft\Boot\BCD /deletevalue {default} truncatememory
Now, isn't that something? |
Volume D: is formatted as ReFS but ReFS is unable to mount it; ReFS encountered status The volume repair was not successful...
Someone at Microsoft may want to look up the definition of resiliency... |
TcpInput: received a checksum error packet
before giving up on the transfer altogether...URI: http://10.0.0.7/~efi/ubuntu.iso File Size: 916357120 Bytes Downloading...1%
TcpInput: received a checksum error packet TcpInput: Discard a packet TcpInput: received a checksum error packet TcpInput: Discard a packet TcpInput: received a checksum error packet TcpInput: Discard a packet TcpInput: received a checksum error packet TcpInput: Discard a packet TcpInput: received a checksum error packet TcpInput: Discard a packet TcpInput: received a checksum error packet TcpInput: Discard a packet HttpTcpReceiveNotifyDpc: Aborted! Error: Server response timeout.
python3 -m http.server 80
, which is a super convenient command to know as it acts as an HTTP server and serves any content from the current directory through the specified port) appeared to be okay, albeit with the occasional checksum errors. This is suddenly starting to look like a lot of compounded network errors... Could this be related to that Samba issue?tcpdump -i eth0 -vvv tcp | grep incorrect
) and, more importantly, you may find some very relevant articles that point you to the very root of the problem. tcpdump -i eth0 -vvv tcp | grep incorrect
produces loads of checksum errors on the platform you serve content
from, you may want to look into disabling offloading from the network adapter with something like:ethtool -K eth0 rx off tx off
convmv
, which isn't really helpful. Why hasn't anyone crafted a quick PowerShell script to do the same on Windows already?#region Parameters param( # (Optional) The directory [string]$Dir = "." ) #endregion # You'll need to have your console set to CP 65001 AND use NSimSun as your # font if you want any hope of displaying CJK characters in your console... [Console]::OutputEncoding = [System.Text.Encoding]::UTF8 $files = Get-ChildItem -File -Path $Dir -Recurse -Name foreach ($f in $files) { $bytes = [System.Text.Encoding]::GetEncoding(1252).GetBytes($f) $nf = [io.path]::GetFileName([System.Text.Encoding]::UTF8.GetString($bytes)) Write-Host "$f" → "$nf" # [$hex] # Must use -LiteralPath else files that contain '[' or ']' in their name produce an error Rename-Item -LiteralPath "$f" -NewName "$nf" } # Produce a "Press any key" message when ran with right click $auxRegKey='\SOFTWARE\Classes\Microsoft.PowerShellScript.1\Shell\0\Command' $auxRegVal=(get-itemproperty -literalpath HKLM:$auxRegKey).'(default)' $auxRegCmd=$auxRegVal.Split(' ',3)[2].Replace('%1', $MyInvocation.MyCommand.Definition) if ("`"$($myinvocation.Line)`"" -eq $auxRegCmd) { Write-Host "`nPress any key to exit..." $null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown') }
utf8_rename.ps1
in the top directory where you have your misconverted files, and then use Run with PowerShell in the explorer's context menu, you should then see some output like this (provided your console is set to codepage 65001, a.k.a. UTF-8 and that you select a font that actually supports CJK characters, such as NSimSun (Microsoft will really have to explain how they have no trouble displaying CJK with NSimSun but still can't seem/want to do it with Lucida Console):debian-##.#.#-arm64-netinst.iso
, 250 MB).bootcode.bin
, config.txt
, fixup.dat
, start.elf
).RPi3_UEFI_Firmware_v#.##.zip
, 3 MB).DISKPART
on Windows or fdisk
+ mkfs
on Linux is provided in Appendix A at the end of this post.0x0e
(FAT16 with LBA).0xef
(ESP) for the partition type, as the ondie Broadcom bootloader does not support any of those. It must be MBR and type 0x0e
. You can use the command line utilities fdisk
on Linux or DISKPART
on Windows to do that.fdisk
on Linux, you can use a
to set the partition as active.DISKPART
and then type the command active
after selecting the relevant disk and partition.mkfs.vfat /dev/<yourdevice>
(Linux) or format fs=fat quick
in Windows' DISKPART
. The Windows Disk Manager should also be smart enough to use FAT16 instead of FAT32 if you decide to use it to format the partition.*Install
(which should already be the default) and let the Debian installer process start.Alt
-F4
to check the current installation log for details about the error.No Common CD-ROM drive was detected.
Load CD-ROM drivers from removable media
select No
.Manually select a CD-ROM module and device
select Yes
.Module needed for accessing the CD-ROM
select none
.Device file for accessing the CD-ROM
type exactly the following:-t vfat -o rw /dev/mmcblk0p1
Yes
for Load missing firmware from removable media
. If you created the media from that Raspberry Pi 3 firmware archive linked above, the relevant firmware files will be detected under the firmware/
directory.Yes
for each new file..clm_blob
if you don't have it (the Wifi drivers should work without that file), so don't be afraid to select No
here if needed.Partition disks
screen. There, for Partitioning method
select Manual
. You should see something like this:MMC/SD card #1 (mmcblk0) - 16.0 GB SD 2WCGO #1 primary 314.6 MB B K ESP pri/log FREE SPACE
MMC/SD card #1 (mmcblk0) - 16.0 GB SD 2WCGO #1 primary 314.6 MB B fat16 pri/log FREE SPACE
B K ESP
for the first partition, then it means that you didn't partition or format your drive as explained above and you will need to reference Appendix C (Help, I screwed up my partitioning!) to sort you out.FREE SPACE
partition and use the partition manager's menu to create two new primary partitions (one for swap and one for the root file system), until you have something like this:MMC/SD card #1 (mmcblk0) - 16.0 GB SD 2WCGO #1 primary 314.6 MB B K ESP #2 primary 1.0 GB f swap swap #3 primary 14.7 GB f ext4 /
Finish partitioning and write changes to disk
and then Yes
on Write the changes to disks?
and let the installer continue with the base system installation.[!!] Configure the package manager apt-configuration problem An attempt to configure apt to install additional packages from the CD failed.
Continue
. That's because, since we are conducting a net install, we couldn't care less about no longer being to access the "CD-ROM" files after install...Software selection
screen, select any additional software package you wish to install. Note that the "Debian desktop environment" should work out of the box if you decide to install it (though I have only tested Xfce so far). It's probably a good idea to install at least "SSH server".B K ESP
when you entered the partition manager, otherwise see Appendix C) select Continue
to reboot your machine on the Installation complete
prompt.cdrom0
drive on your desktop, which can't seem to be accessible. This is a leftover from the installer process not knowing how to handle the installation media device. You should edit /etc/fstab
to remove it.cups
package, you may get an error while loading modules (systemctl --failed
will report that systemd-modules-load.service
is in failed state). This is all due to the current cups
package trying to load IBM PC kernel modules... on a non PC device. To fix this, simply delete /etc/modules-load.d/cups-filters.conf
and reboot./etc/default/grub
and changing GRUB_CMDLINE_LINUX=""
to GRUB_CMDLINE_LINUX="console=ttyS0,115200"
, and then running update-grub
.GRUB_TERMINAL=serial
GRUB_SERIAL_COMMAND="serial --unit=0 --speed=115200 --stop=1"
DISKPART
or mkfs
and do not forget to set the bootable/active flag, else you will afoul of the issue described in Appendix C. C:>diskpart Microsoft DiskPart version 10.0.18362.1 Copyright (C) Microsoft Corporation. On computer: ######## DISKPART> list disk Disk ### Status Size Free Dyn Gpt -------- ------------- ------- ------- --- --- Disk 0 Online 238 GB 0 B * Disk 1 Online 465 GB 1024 KB * Disk 4 Online 4657 GB 1024 KB * Disk 5 Online 4649 GB 0 B * Disk 6 Online 14 GB 14 GB DISKPART> select disk 6 Disk 6 is now the selected disk. DISKPART> clean DiskPart succeeded in cleaning the disk. DISKPART> convert mbr DiskPart successfully converted the selected disk to MBR format. DISKPART> create partition primary size=300 DiskPart succeeded in creating the specified partition. DISKPART> active DiskPart marked the current partition as active. DISKPART> format fs=fat quick 100 percent completed DiskPart successfully formatted the volume. DISKPART> exit Leaving DiskPart... C:>
set id=0e
to force FAT16 LBA), but that shouldn't be needed as DISKPART
should set the appropriate type accordingly./dev/sdf
is your SD/MMC device. Change it in all the commands below to use your actual device.# Delete the primary GPT: dd if=/dev/zero of=/dev/sdf bs=512 count=34 # Delete the backup GPT.: dd if=/dev/zero of=/dev/sdf bs=512 count=34 seek=$((`blockdev --getsz /dev/sdf` - 34))
fdisk
and mkfs
to partition the drive:root@debian:~# fdisk /dev/sdf Welcome to fdisk (util-linux 2.34). Changes will remain in memory only, until you decide to write them. Be careful before using the write command. Device does not contain a recognized partition table. Created a new DOS disklabel with disk identifier 0x7d188929. Command (m for help): n Partition type p primary (0 primary, 0 extended, 4 free) e extended (container for logical partitions) Select (default p): p Partition number (1-4, default 1): 1 First sector (2048-31291391, default 2048): Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-31291391, default 31291391): +300M Created a new partition 1 of type 'Linux' and of size 300 MiB. Command (m for help): t Selected partition 1 Hex code (type L to list all codes): e Changed type of partition 'Linux' to 'W95 FAT16 (LBA)'. Command (m for help): a Selected partition 1 The bootable flag on partition 1 is enabled now. Command (m for help): w The partition table has been altered. Calling ioctl() to re-read partition table. Syncing disks. root@debian:~# mkfs.vfat -F 16 /dev/sdf1 mkfs.fat 4.1 (2017-01-24) root@debian:~#
-t vfat -o rw /dev/mmcblk0p1
as the CD-ROM device?mount
command line parameters and the Debian installer actually calls mount
behind the scenes and feeds it exactly what we write here. This means we can hijack the device name field to invoke the additional mount
parameters we need./dev/mmcblk0p1
? That's simply name of the device for the first partition (p1) on the SD/MMC media (mmcblk0) as seen by the Linux kernel on a Raspberry Pi.-t vfat
? Because the Debian installer appends fstype=iso9660
to the mount option which prevents automount and forces us to override the file system type.-o rw
? Because the Debian installer won't be able to use the first partition for /boot/efi
otherwise or load the WLAN firmware from the media (you get a device or resource busy
when trying to remount the media).0xef
are not handled by the Broadcom CPU bootloader. And there is nothing you can do about this, because this is a behaviour that's hardcoded in the CPU silicon itself.MMC/SD card #1 (mmcblk0) - 16.0 GB SD 2WCGO #1 primary 314.6 MB B K ESP pri/log FREE SPACE
Installation complete
prompt that asks you to select Continue
to reboot, you need to press Alt
-F2
then Enter to activate a console.chroot /target fdisk /dev/mmcblk0Then press the keys
t
, 1
, e
, w
Alt
-F1
) and select Continue
to reboot0xef
to 0x0e
conversion of your ESP, as the Pi won't boot from that partition otherwise.bootcode.bin
, fixup.bat
and so on from your USB boot media onto the SD ESP partition if you want it to boot (which is the reason why is is much more convenient to just set the ESP and Debian installer on the SD right of the bat, so you don't risk forgetting to copy a file).efi/boot/bootaa64.efi
, which, if left uncorrected, will prevent the system from booting automatically.
Typical display of "Verified" GPG commits in GitHub |
$ gpg --full-generate-key --allow-freeform-uid gpg (GnuPG) 2.2.10-unknown; Copyright (C) 2018 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. gpg: keybox '/home/nil/.gnupg/pubring.kbx' created Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 1 RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) 4096 Requested keysize is 4096 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 0 Key does not expire at all Is this correct? (y/N) y GnuPG needs to construct a user ID to identify your key. Real name: Pete Batard Email address: pete@akeo.ie Comment: You selected this USER-ID: "Pete Batard <pete@akeo.ie>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. gpg: /home/nil/.gnupg/trustdb.gpg: trustdb created gpg: key F3E83EBB603AF846 marked as ultimately trusted gpg: directory '/home/nil/.gnupg/openpgp-revocs.d' created gpg: revocation certificate stored as '/home/nil/.gnupg/openpgp-revocs.d/236D8595DE48618C26293122F3E83EBB603AF846.rev' public and secret key created and signed. pub rsa4096 2018-10-31 [SC] 236D8595DE48618C26293122F3E83EBB603AF846 uid Pete Batard <pete@akeo.ie> sub rsa4096 2018-10-31 [E]
C:\msys2\home\<your_user_name>\.gnupg\
.$ gpg --armor --export pete@akeo.ie -----BEGIN PGP PUBLIC KEY BLOCK----- mQINBFvZ0+gBEAC7Jkdt3aW5iURti+36suQN9dmhGfVJMEV/Y9giby78wYcq51rj IvJ2AuYEhVgiFwT2hrlKuems0Jsln6wGUULAQXpLMU4XxlyKHwBE3ETXCXWQbzxH rNqerDKNu54M/r3XNCW7r38vwNdYrh656eLccZ/jOH8aSSZ9KkBjJ1wa78tx7YZy +FXXjDbamP3Pu3CPp7Nx3y69FCFm2uYrDkLWqcOvweME9imIqdsLfd5bM+wYclbN QQuZArV7uoQ2xYFlVweaob5U3iUsGUQYuY7x3Mlbz/73wYxuOGUt5n6de3tdefrN V5csD3aJVQKjFWOW2oNzI8Qik9pDie+3XQEfbIVHhgCx9kLVe2MzBaWrnPgk2Epj bIhRheqzvV15iC70QchMrtDzXOcbNhaytggYWPRx1YtEN3G4pPnsVfq0oSdNhwlw VLYm6eK+kjr0PykIANiiDDe/4WiFTIS1mobp++QCFXm41jtfXP6PM3NJdf1Hx5VX CcRQKXmukeyW4DfYtr9GoKeu9G1vGQev1U+qjtOk+9SRrofsqfCqzJP4drjbSyk9 43q9HBYSBjnslisQnrhhcl5/5Yb99+sS2EnpW7am/sarCHGiPkLi6eHfYpbxX7Lg nLXjmXYlpyCkJnkgwzsTUs3+7w2KHaBZ7yme70x2edBD9f1Ar3zm+ryW5QARAQAB tBpQZXRlIEJhdGFyZCA8cGV0ZUBha2VvLmllPokCTgQTAQgAOBYhBCNthZXeSGGM JikxIvPoPrtgOvhGBQJb2dPoAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ EPPoPrtgOvhGUpkQAIHSu7BNo4/jUhtHjBMiiYVE6eJh1J8+lWkXuATCxo3BXrMb AAAdNsrPca09NVdSli3xameKSnWt3hXRpkNM2cAC/Sus8UjYGDaCP1pWNyfmd70y /uAZGf1FIeWL4yIiFcDROobLqlCE+qViWu8sG2Ris8hGA8sjR0cn5891Q/ncHFtE YYHzh0mn+A9I/gGSvArqYJdNNBptGplo2fnQQIODwHNYSPMCzBawFoll6jocjg6q FqlawC5f9zPs5HP9k0k0pp37f8i+ANftCfdwOEWurfBDGqrxKiJIyIaS9kLzwCQX poJGZO/rVbCDGvexfVkqoKMJRK0jO2Rh3p0vifZ2cwKPSFjWfSjUiPAUpcz0nuV5 BSkrMNc1VHgP1FM4v2Vpi7lnaoWMLpVz3VJ8yRyRD/7c7oVEl0NL8lHMZaHiPprf LmeLIgM5ndh9wkvD9j2EH5JR72lACQtg5n9qmbDro2uJbtGqrhqrVQdPrPtv1XoM 0JAIL+1RvdTuPPBclmTLwdXaztlnEjJOA9loWpkyMIlZVcb/6TWamGAzxu4wMv8o aQpaVqNIO9kq79lZMHFGDE4VRHAjrJh3nXKpi+/JOIf7xKAnwrZAquAC+bfqYYUm W9jg35aB+jASlI7+TvQHgal2dFSYebCeWpwPlJr7XeXWJab+UNajeKxRQ2wMuQIN BFvZ0+gBEAC6nJAWbF6YAnPDaHTTBAAYEHlbiPTt8gYUgoxkUJxV2fcj0g2ye0+x gFh7Z3eTw5zq3iojah8EWBj5WOHeI1R1q244qaje467onbgowcxsFOH/TgBs1aew DWNDIMJl/vkSEY5xdmtJIGIUJ/+BH9U7kSX3lB5IFz37WH6hcgQZUjD0fx+Hv5ZX 7Fz8YGXnBnJRwblCJbvkq2BD/1fSI5REddILkQAKd9mzRoXFvKRYwV5Oq78NU4cd 5e20+ALHCPC7fQQ3jFzUo2WMLywWDAi42DOn7E6/tIZT7BwKF08ozNDPpWTj5OOO OAqjesgsXI410kdayv25LopHnnPCcIcjm35AtA8TDSEfPFlbm59tBo7q5VWi15yb X1+vkSZfcUoe9lXIr/Ea+RYgayI8xFkBiOlWn8NaWjWrZEr6OG4EOk97bAgey4M4 KEJJkQsQYsVSQ8yVkt1wETkH6GHQFoyoFJUJkxeWDXoG9LyBYr7n+NSbjOAujy/c XyemCFkJXSeTcn4KAIboBvEV0nQOMjfaEr+hkfXbESfm92MSlL54arrgyY7vcOSI iztc4ZiTmkQPeeG4PsqUaHYB1lj+qapVQlZ9O+OFH280YWylLBZJMWOKM1lMqgz3 Z2avF2FVax+xBeE8pMnWAUbKTHB7BQAhATjxGGlWy6QtJRxpOrTcGwARAQABiQI2 BBgBCAAgFiEEI22Fld5IYYwmKTEi8+g+u2A6+EYFAlvZ0+gCGwwACgkQ8+g+u2A6 +EbNAQ//WL261oYfKskEmBzz88M7Tt6aj8NyQmXyrIY6RoEYK4+rnS2zFwQfIF6p 3e4avUZYF5xTOSuuiJv4IImnjlilHjA+r6LcmqIGKilIeFQwyNLVr+H/FvZSzKYY Psr6v0CCBn/6UICmrLoDgr1IiWmlwVDKVNXDZLGHprB00WBrso0pBVWEmbkKzlP9 lYlC11yXo/wsLLnQNbz3DzcUgtyFExyL37EGr1zw2xfmwmRZRQmpILpuiBE/VGI0 pH4JReeGjcqh0TkK+70whQnM9VX6eZbV4cwtBXg1CixY+cwyQcCreRTneGPQT9jj 5dmD9duQOiDw5QGAoQ4tc6AxQcf62KsZmXQ715IMVrbn3leeoVR5PaFQ/PR3MQn+ eS0f+wIDLBgD1tjUeOvjWs79sB7LAvinndZUA/6+nfxR29753gpssFW5tFEK5Kit OwCnNG4P3SjqfYAN+IIBTUUUPjGPHTKEd85XUBUlCJg7i1iLaeZqamp9oga4gv6d lLQ50J84i4yk02Afhlic5CNw1l9TfCgdFWF/9+WO7qzHmdJsZl/9Gs05J3hbPzqh uji6ujyI7v9vDTDC2tR1l3zHTomFJ6Vs42MdpaBWtnePAIohnhtLKCjG3/Z04idj jjGTV+5EASM2h3WV7vfmxem2HyxEM0lwa5zj8AtaWugqmiO6Rik= =aMFF -----END PGP PUBLIC KEY BLOCK-----
C:\msys2\home\<your_user_name>\.gnupg
directory to C:\Users\<your_user_name>\
.gpg.exe
looks for key when not invoked from msys/MinGW and it doesn't seem possible to alter it without modifying the registry or creating environment variables, which is cumbersome. Besides, this is important data and you are a lot more likely to backup the content of C:\Users\<your_user_name>\
than C:\msys2\home\
, so it's probably not a bad idea to duplicate this valuable content there.$ gpg --list-keys --keyid-format LONG pete@akeo.ie gpg: checking the trustdb gpg: marginals needed: 3 completes needed: 1 trust model: pgp gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u pub rsa4096/F3E83EBB603AF846 2018-10-31 [SC] 236D8595DE48618C26293122F3E83EBB603AF846 uid [ultimate] Pete Batard <pete@akeo.ie> sub rsa4096/308A9C6106D2FCE4 2018-10-31 [E]
.git/config
so that it contains the following options:[user] signingkey = 236D8595DE48618C26293122F3E83EBB603AF846 [commit] gpgsign = true [gpg] program = "C:/msys2/usr/bin/gpg.exe"
$ git log --show-signature
(Image credits: Yubico.com) |
.p12
file (Note: You may have to use the Windows certificate store export feature to get to that file, and follow the procedure highlighted here, if your CA only delivers signing credentials into the certificate store)pivman.exe
). You may have to go fetch it from its installation directory if it did not create a Start menu entry, as was the case on my machine:.p12
code signing credential. You will be prompted by a password, which of course is the password for the private key of your .p12
(and not the key's PIN).SignTool
or the YubiKey seem to have any trouble with that.SignTool
in the usual fashion, where you reference a local .p12
or .pfx
file./sha1
flag of SignTool is for.SignTool
with /sha1
instead of /f
and when you do so, you will be prompted to plug your YubiKey (if it isn't plugged in) as well as your PIN, which, if you enter successfully, will enable the signature operation.5759b23dc8f45e9120a7317f306e5b6890b612f0
) and an SHA-1 credential (fingerprint 655f6413a8f721e3286ace95025c9e0ea132a984
), that I use to sign and timestamp the dual SHA-1+SHA-256 Rufus binary:SignTool sign /v /sha1 655f6413a8f721e3286ace95025c9e0ea132a984 /fd SHA1 /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp rufus.exe SignTool sign /as /v /sha1 5759b23dc8f45e9120a7317f306e5b6890b612f0 /fd SHA256 /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp rufus.exe
.p12
/.pfx
and remove any trace of your credential(s) from your computer.