Gentoo Forums
kernel update removing Windows EFI /w secureboot + grub
g0rg0n
Tux's lil' helper
Joined: 18 Feb 2006
Posts: 96

PostPosted: Thu Aug 15, 2024 12:37 pm    Post subject: kernel update removing Windows EFI /w secureboot + grub

Users dual booting with Windows 11, how do you manage kernel upgrade with secureboot?

I updated kernel today and Windows was removed from UEFI boot list.

I was able to boot into Windows since Grub is able to chainload it but it meant unlocking BitLocker twice - once when I boot into Windows, another when Windows automatically updates UEFI boot list.

I suspect grub-install is the root cause, since when I initially tried to set up secureboot, grub-install kept removing shim from the UEFI boot list. (Originally, https://wiki.gentoo.org/wiki/Shim instructed using grub-install to generate grubx64.efi and signing it manually with sbsign.)

Has anyone encountered similar issues?
Code:
theoffice ~ # emerge -vp installkernel gentoo-kernel grub

These are the packages that would be merged, in order:

Calculating dependencies... done!
Dependency resolution took 1.98 s (backtrack: 0/20).

[ebuild   R    ] sys-boot/grub-2.12-r5:2/2.12-r5::gentoo  USE="fonts mount nls secureboot themes truetype verify-sig -device-mapper -doc -efiemu -libzfs -sdl (-test)" GRUB_PLATFORMS="efi-64 -coreboot -efi-32 -emu -ieee1275 (-loongson) -multiboot -pc -qemu (-qemu-mips) -uboot -xen -xen-32 -xen-pvh" 0 KiB
[ebuild   R    ] sys-kernel/installkernel-48-r1::gentoo  USE="dracut grub -efistub -refind -systemd -systemd-boot -ugrd -uki -ukify" 0 KiB
[ebuild   R    ] sys-kernel/gentoo-kernel-6.10.4:6.10.4::gentoo  USE="initramfs modules-sign secureboot strip -debug -generic-uki -hardened -modules-compress -savedconfig -test" 0 KiB

Total: 3 packages (3 reinstalls), Size of downloads: 0 KiB
theoffice ~ #

_________________
nicewarm.coffee
AndrewAmmerlaan
Developer
Joined: 25 Jun 2014
Posts: 366
Location: Nijmegen

PostPosted: Thu Aug 15, 2024 12:48 pm

This sounds like a weird firmware issue (it's not at all uncommon for a UEFI to be a bit "buggy"); grub-install should not change any non-grub entries.

When (re-)installing grub over an already installed grub you can use the '--no-vram' argument to instruct grub-install to not touch the EFI variables. This is usually fine since the path of the (re-)installed grub does not change and therefore the boot entry does not need updating.

Note also that you do not have to re-install grub when updating the kernel, even if secureboot is enabled.
_________________
OS: Gentoo 6.8.10-gentoo-dist, ~amd64, 23.0/desktop/plasma/systemd
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400
sMueggli
Guru
Joined: 03 Sep 2022
Posts: 436

PostPosted: Thu Aug 15, 2024 1:19 pm

AndrewAmmerlaan wrote:
When (re-)installing grub over an already installed grub you can use the '--no-vram' argument to instruct grub-install to not touch the EFI variables.


There is a typo, the option is
Code:
--no-nvram
g0rg0n
Tux's lil' helper
Joined: 18 Feb 2006
Posts: 96

PostPosted: Sun Aug 18, 2024 3:08 pm

AndrewAmmerlaan wrote:
This sounds like a weird firmware issue (it's not at all uncommon for a UEFI to be a bit "buggy"); grub-install should not change any non-grub entries.

When (re-)installing grub over an already installed grub you can use the '--no-vram' argument to instruct grub-install to not touch the EFI variables. This is usually fine since the path of the (re-)installed grub does not change and therefore the boot entry does not need updating.

Note also that you do not have to re-install grub when updating the kernel, even if secureboot is enabled.


I've updated the kernel to 6.10.5 today and still see the same behavior (note, all I'm doing is updating the kernel, no grub-install / grub-mkconfig):

- after the kernel update, efibootmgr shows shim, grub, Windows and UEFI
- reboot causes a POST failure, reporting that the system is missing a disk
- after a power cycle, system boots okay but with Windows EFI deleted

It does sound like a firmware issue, since a kernel update with secureboot seems to trigger a POST failure. I think I'm gonna have to disable secureboot and Windows BitLocker.
AndrewAmmerlaan
Developer
Joined: 25 Jun 2014
Posts: 366
Location: Nijmegen

PostPosted: Sun Aug 18, 2024 3:37 pm

Quote:
reboot causes a POST failure, reporting that the system is missing a disk


This is a bit strange, since at no point in a kernel update are the EFI variables touched (unless you're efistub booting, but that is not the case here).

Is it failing to POST when loading shim or when loading grub? I also wonder if it would make any difference if you mount the EFI variables read-only, or not at all; that way it should be impossible for the system to modify the UEFI in any way.

As you've already noted, we recently introduced a slightly simpler method of using secureboot with grub (via USE=secureboot and a simple cp). Are you using this new method, or are you using the "old" method of grub-install+sbsign? The new method worked fine on my system when I tested it, but it relies on grub-mkstandalone, and it might be that there is some issue with this standalone image where it is unable to locate/read your disk(s).
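An added check to narrow down the behaviour discussed above (my example, not code from the thread or from Gentoo): take an efibootmgr snapshot before and after the kernel update and list any boot entry that disappeared, so a dropped Windows entry is spotted before the next reboot rather than at the POST failure. It assumes efibootmgr's usual "BootXXXX* Label<TAB>device-path" output; the sample snapshots are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: diff UEFI boot entries across a kernel
# update. Assumes efibootmgr(8)'s usual "BootXXXX* Label<TAB>device-path" lines.

# Reduce efibootmgr output (stdin) to "BootXXXX Label" lines, one per entry.
boot_entries() {
    awk -F'\t' '
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]\*? / {
            sub(/\*/, "", $1)      # drop the "active" marker
            print $1
        }'
}

# Print entries present in the before-snapshot ($1) but absent from the
# after-snapshot ($2); prints nothing when no entry was lost.
missing_entries() {
    before=$(printf '%s\n' "$1" | boot_entries)
    after=$(printf '%s\n' "$2" | boot_entries)
    printf '%s\n' "$before" | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        printf '%s\n' "$after" | grep -Fxq -- "$entry" || printf '%s\n' "$entry"
    done
}

# Real-world use (as root), around the kernel update:
#   efibootmgr -v > /root/efi-before.txt
#   emerge -v sys-kernel/gentoo-kernel
#   efibootmgr -v > /root/efi-after.txt
#   missing_entries "$(cat /root/efi-before.txt)" "$(cat /root/efi-after.txt)"

# Constructed sample snapshots mirroring the thread's entry list (shim, grub,
# Windows, UEFI); device paths are abbreviated placeholders.
tabline() { printf '%s\t%s\n' "$1" "$2"; }   # "label<TAB>device path"
SAMPLE_BEFORE="BootCurrent: 0001
BootOrder: 0001,0002,0000,0003
$(tabline 'Boot0000* Windows Boot Manager' 'HD(1,GPT,...)/File(bootmgfw.efi)')
$(tabline 'Boot0001* shim' 'HD(1,GPT,...)/File(shimx64.efi)')
$(tabline 'Boot0002* gentoo' 'HD(1,GPT,...)/File(grubx64.efi)')
$(tabline 'Boot0003* UEFI OS' 'HD(1,GPT,...)/File(BOOTX64.EFI)')"
SAMPLE_AFTER="BootCurrent: 0001
BootOrder: 0001,0002,0003
$(tabline 'Boot0001* shim' 'HD(1,GPT,...)/File(shimx64.efi)')
$(tabline 'Boot0002* gentoo' 'HD(1,GPT,...)/File(grubx64.efi)')
$(tabline 'Boot0003* UEFI OS' 'HD(1,GPT,...)/File(BOOTX64.EFI)')"

missing_entries "$SAMPLE_BEFORE" "$SAMPLE_AFTER"   # prints: Boot0000 Windows Boot Manager
```

Because the kernel update itself never writes EFI variables, an entry that shows up here as missing points at the firmware (or the next reboot) rather than at installkernel.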
g0rg0n
Tux's lil' helper
Joined: 18 Feb 2006
Posts: 96

PostPosted: Mon Aug 19, 2024 2:59 am

AndrewAmmerlaan wrote:
Quote:
reboot causes a POST failure, reporting that the system is missing a disk


This is a bit strange, since at no point in a kernel update are the EFI variables touched (unless you're efistub booting, but that is not the case here).

Is it failing to POST when loading shim or when loading grub? I also wonder if it would make any difference if you mount the EFI variables read-only, or not at all; that way it should be impossible for the system to modify the UEFI in any way.

As you've already noted, we recently introduced a slightly simpler method of using secureboot with grub (via USE=secureboot and a simple cp). Are you using this new method, or are you using the "old" method of grub-install+sbsign? The new method worked fine on my system when I tested it, but it relies on grub-mkstandalone, and it might be that there is some issue with this standalone image where it is unable to locate/read your disk(s).


I initially set up with the old method but am now using the simpler method: USE="secureboot modules-sign", /usr/lib/grub/grub-x86_64.efi.signed is copied to /boot/efi/EFI/gentoo/, and GRUB_CFG=/boot/efi/EFI/gentoo/grub.cfg

Strangely, I did Windows 11 update after disabling the BitLocker and it caused another POST, removing Windows EFI. :?

The POST failure occurs as soon as the laptop restarts; I don't even see the BIOS loading screen.
AndrewAmmerlaan
Developer
Joined: 25 Jun 2014
Posts: 366
Location: Nijmegen

PostPosted: Mon Aug 19, 2024 6:53 am

It could be that there is some corruption on the EFI System Partition; this could cause the UEFI to fail to find the disk and maybe to delete entries associated with that disk. Could you try running fsck or chkdsk (the Windows equivalent) on that partition?
g0rg0n
Tux's lil' helper
Joined: 18 Feb 2006
Posts: 96

PostPosted: Tue Aug 20, 2024 11:15 am

AndrewAmmerlaan wrote:
It could be that there is some corruption on the EFI System Partition; this could cause the UEFI to fail to find the disk and maybe to delete entries associated with that disk. Could you try running fsck or chkdsk (the Windows equivalent) on that partition?


Just ran fsck and there was a dirty bit set from the unclean mount.

Code:

theoffice ~ # lsblk
NAME        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
mmcblk0     179:0    0 477.5G  0 disk
└─mmcblk0p1 179:1    0 477.5G  0 part
zram0       252:0    0     0B  0 disk
zram1       252:1    0     0B  0 disk
zram2       252:2    0    14G  0 disk /var/tmp
nvme0n1     259:0    0 476.9G  0 disk
├─nvme0n1p1 259:1    0   100M  0 part /boot/efi
├─nvme0n1p2 259:2    0    16M  0 part
├─nvme0n1p3 259:3    0 254.4G  0 part
├─nvme0n1p4 259:4    0   1.4G  0 part
├─nvme0n1p5 259:5    0   512M  0 part /boot
├─nvme0n1p6 259:6    0     4G  0 part [SWAP]
└─nvme0n1p7 259:7    0 216.4G  0 part /

theoffice ~ # fsck.vfat -a /dev/nvme0n1p1
fsck.fat 4.2 (2021-01-31)
There are differences between boot sector and its backup.
This is mostly harmless. Differences: (offset:original/backup)
  65:01/00
  Not automatically fixing this.
Dirty bit is set. Fs was not properly unmounted and some data may be corrupt.
 Automatically removing dirty bit.

*** Filesystem was changed ***
Writing changes.
/dev/nvme0n1p1: 215 files, 57593/98304 clusters

theoffice ~ # fsck.vfat -a /dev/nvme0n1p1
fsck.fat 4.2 (2021-01-31)
/dev/nvme0n1p1: 215 files, 57593/98304 clusters
theoffice ~ #


I'll re-enable secureboot when 6.10.7 lands, since I just merged 6.10.6.