| View previous topic :: View next topic |
| Author |
Message |
nxe9
Tux's lil' helper
Joined: 05 Jun 2021
Posts: 99
|
 Posted: Wed Oct 30, 2024 2:20 am Post subject: [SOLVED-WORKAROUND] sys-boot/grub with secureboot hangs |
 |
|
I have two problems whilte installing sys-boot/grub with secureboot flag. I placed the entries in the make.conf file
| Code: | SECUREBOOT_SIGN_KEY="mypath/file.key"
SECUREBOOT_SIGN_CERT="mypath/file.crt" |
During installation, sys-boot/grub finds mypath/file.key and asks me to enter the password.
Problem 1: Password entry is not hidden. When digitally signing the UKI kernel with dracut, the prompt is hidden. I would like it to be like this, otherwise I will leave my password in the console logs with each grub installation.
Problem 2: After entering the password, nothing happens. Signing UKi using dracut takes seoncds. In this case, after 20 minutes still nothing minutes. Htop shows the minimum CPU consumption. Something is probably wrong here, or maybe grub takes so long for some reason? I'll wait even longer, but I don't think the installation will go any further. (Edit: Even after 3 hours nothing moved).
My password is not wrong. I double check my key with
| Code: | | oepnssl rsa -in mypath/file.key -check |
and after entering the password the result is RSA key OK.
Last edited by nxe9 on Fri Nov 01, 2024 2:16 am; edited 1 time in total |
|
| Back to top |
|
 |
Hu
Administrator
Joined: 06 Mar 2007
Posts: 22601
|
| Posted: Wed Oct 30, 2024 1:52 pm Post subject: |
|
|
| That suggests to me that the password you typed was never passed to the signing tool, and that it is still waiting for your password. To start, please show us the versions of everything involved: grub, the signing tool, and your sync date (which is relevant to how Portage invokes the signing tool). Also, while the system is paused at that prompt, run ps -efwH, extract the lines for the ebuild and the signing tool, and show those. Check that no passwords are shown before posting. I don't expect them to be there. |
|
| Back to top |
|
|
nxe9
Tux's lil' helper
Joined: 05 Jun 2021
Posts: 99
|
| Posted: Wed Oct 30, 2024 4:13 pm Post subject: |
|
|
@Hu: Thanks.
sys-kernel/gentoo-kernel-6.6.58-r1
sys-boot/grub-2.12-r5
app-crypt/sbsigntools-0.9.5
dev-libs/openssl-3.3.2
sys-apps/portage-3.0.65-r1
| Quote: | | Timestamp of repository gentoo: Mon, 28 Oct 2024... |
ps -efwH output
| Code: | root 2433 2429 0 16:55 tty1 00:00:00 bash
root 2438 2433 35 16:55 tty1 00:01:18 /usr/bin/python3.12 /usr/lib/python-exec/python3.12/emerge -av grub
root 22687 2438 0 16:57 tty1 00:00:00 /usr/bin/python3.12 /usr/lib/portage/python3.12/pid-ns-init 22688
root 22688 22687 0 16:57 pts/0 00:00:00 /usr/bin/python3.12 /usr/lib/portage/python3.12/pid-ns-init 0,1,2 /usr/bin/sandbox [sys-boot/grub-2.12-r5] sandbox /usr/lib/portage/python3.12/ebuild.sh install
root 22691 22688 0 16:57 pts/0 00:00:00 [sys-boot/grub-2.12-r5] sandbox /usr/lib/portage/python3.12/ebuild.sh install
root 22692 22691 0 16:57 pts/0 00:00:00 bash /usr/lib/portage/python3.12/ebuild.sh install
root 22708 22692 0 16:57 pts/0 00:00:00 bash /usr/lib/portage/python3.12/ebuild.sh install
root 24017 22708 0 16:58 pts/0 00:00:00 openssl x509 -inform PEM -in path/file.crt -noout -nocert -keyform PEM -key path/file.key |
Last edited by nxe9 on Fri Nov 01, 2024 2:21 am; edited 1 time in total |
|
| Back to top |
|
|
nxe9
Tux's lil' helper
Joined: 05 Jun 2021
Posts: 99
|
| Posted: Wed Oct 30, 2024 7:49 pm Post subject: |
|
|
EDIT: I had to edit my post due to my new observations.
The end of the output when installing grub with secureboot and ECLASS_DEBUG_OUTPUT=on.
| Code: |
...
/var/tmp/portage/sys-boot/grub-2.12-r5/image/usr/bin/grub-mkstandalone: info: kernel_img=0x7fa6c4991010, kernel_size=0x1c000.
/var/tmp/portage/sys-boot/grub-2.12-r5/image/usr/bin/grub-mkstandalone: info: the core size is 0xd495d0.
/var/tmp/portage/sys-boot/grub-2.12-r5/image/usr/bin/grub-mkstandalone: info: reading /var/tmp/portage/sys-boot/grub-2.12-r5/image/usr/share/grub/sbat.csv.
/var/tmp/portage/sys-boot/grub-2.12-r5/image/usr/bin/grub-mkstandalone: info: writing 0xd4d000 bytes. [ ok ]
debug: secureboot_auto_sign: entering function, parameters:
debug: secureboot_sign_efi_file: entering function, parameters: /var/tmp/portage/sys-boot/grub-2.12-r5/image/usr/lib/grub/grub-x86_64.efi /var/tmp/portage/sys-boot/grub-2.12-r5/image/usr/lib/grub/grub-x86_64.efi.signed
debug: _secureboot_die_if_unset: entering function, parameters:
Enter pass phrase for mypath/myfile.key:
|
The line where the installation stops is exactly here https://gitweb.gentoo.org/repo/gentoo.git/tree/eclass/secureboot.eclass#n94
| Code: | openssl x509 "${openssl_args[@]}" ||
die "Secure Boot signing certificate or key not found or not PEM format." |
That means and also what we can see in the process list above.
| Code: | | openssl x509 -inform PEM -in mypath/myfile.crt -noout -nocert -keyform PEM -key mypath/myfile.key |
If anyone would like to try and reproduce it. The steps:
1. Create key and crt and enter your symmetric encryption key
| Code: | | openssl req -new -x509 -newkey rsa:2048 -subj "/CN=name" -keyout file.key -out file.crt -days 9999 -sha256 |
2. emerge --ask app-crypt/sbsigntools
3. make.conf
| Code: | SECUREBOOT_SIGN_KEY="mypath/file.key"
SECUREBOOT_SIGN_CERT="mypath/file.crt" |
4. install grub with secureboot flag: USE="secureboot" emerge -a grub
It looks as if the console input could not be passed to openssl when calling it from eclass. Why? Can someone try to reproduce this scenario using the above steps? Is this some kind of portage issue? |
|
| Back to top |
|
|
nxe9
Tux's lil' helper
Joined: 05 Jun 2021
Posts: 99
|
| Posted: Thu Oct 31, 2024 5:35 pm Post subject: |
|
|
The same problem with another package has already been reported.
https://bugs.gentoo.org/935733
The problem is caused by passing input through the sandbox, as I thought. A more detailed technical description https://bugs.gentoo.org/935733#c7
The workaround is to disable the pid-sandbox portage feature. But this is probably not a pretty solution. Can I disable this feature for just one package? I guess portage doesn't offer such options?
Edit: In my opinion, this is a better workaround
1. Emerge grub without secureboot.
2. Sign manually
Code snippet for amd64
| Code: | mkdir workingdir
cd workingdir
echo 'configfile ${cmdpath}/grub.cfg' > workingdir/grub.cfg
/usr/bin/grub-mkstandalone --verbose --directory="/usr/lib/grub/x86_64-efi" --locale-directory="/usr/share/locale" --format="x86_64-efi" --modules="part_gpt part_msdos" --sbat="/usr/share/grub/sbat.csv" --output="workingdir/grub-x86_64.efi" "boot/grub/grub.cfg=workingdir/grub.cfg"
sbsign --key=file.key --cert=file.crt grub-x86_64.efi --output grub-x86_64.efi.signed |
reference:
https://gitweb.gentoo.org/repo/gentoo.git/tree/sys-boot/grub/grub-2.12-r5.ebuild
https://gitweb.gentoo.org/repo/gentoo.git/tree/eclass/secureboot.eclass |
|
| Back to top |
|
|
Nowa
Developer
Joined: 25 Jun 2014
Posts: 415
Location: Nijmegen
|
| Posted: Mon Nov 04, 2024 12:44 pm Post subject: |
|
|
| nxe9 wrote: | | Can I disable this feature for just one package? I guess portage doesn't offer such options? |
That should be possible with /etc/portage/env I think.
_________________
OS: Gentoo 6.10.12-gentoo-dist, ~amd64, 23.0/desktop/plasma/systemd
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400 |
|
| Back to top |
|
|
|
Portage & Programming
