View previous topic :: View next topic |
Author |
Message |
FlyingBullets n00b
Joined: 19 Mar 2024 Posts: 8
|
Posted: Sat Dec 14, 2024 5:11 pm Post subject: GRUB cannot boot with secure boot |
|
|
#######
PROBLEM
#######
I'm trying to use secure boot with my setup, but I keep getting errors in GRUB.
#####
SETUP
#####
My setup is the following:
Drive Partition_name Mountpoint
/dev/sda
|-/dev/sda1 EFI System /efi
|-/dev/sda2 Linux extended boot /boot
`-/dev/sda3 Linx filesystem
sda1 is the ESP where the '.efi' file is /efi/EFI/BOOT/BOOTX64.EFI
sda2 is the XBOOT that contains:
|-grub/
|-amd-uc.img
|-intel-uc.img
|-System.map-x.y.z-gentoo
|-config-x.y.z-gentoo
|-initramfs-x.y.z-gentoo.img
`-vmlinuz-x.y.z-gentoo
sda3 is the encrypted root.
sys-kernel/installkernel is compiled with:
USE="dracut grub"
sys-boot/grub is compiled with:
USE="device-mapper fonts nls secureboot themes"
GRUB_PLATFORMS="efi-64"
GRUB is installed with the following command:
Code: | grub-install --removable --target=x86_64-efi --efi-directory=/efi |
I compile my own kernel from sys-kernel/gentoo-sources.
The current setup works -- I use the installkernel script to configure Dracut and GRUB when I run 'make install'.
###################################
TRYING TO USE SECURE BOOT ATTEMPT 1
###################################
I followed the instructions on the "Secure Boot" wiki page up to section "Signing Boot Files":
- set SECUREBOOT_SIGN_KEY and SECUREBOOT_SIGN_CERT in make.conf
- make my own keys
- sign my keys
- install my keys to the UEFI
The "Signing Boot Files" section does not explain well what files need to be signed, it only shows the kernel being
signed and only talks about UKI and initramfs. I signed what I could and signed:
- /efi/EFI/BOOT/BOOTX64.EFI
- /boot/vmlinuz-x.y.z-gentoo
with
Code: | sbsign --cert my_db.crt --key my_db.key <efi file> --output <efi file> |
I also checked they were signed with the right key with 'sbverify'.
When I try to boot, the GRUB menu doesn't show up and I'm given:
Code: | error: prohibited by secure boot policy.
Entering rescue mode...
grub rescue> |
###################################
TRYING TO USE SECURE BOOT ATTEMPT 2
###################################
When I install sys-boot/grub with USE="secureboot", there is a message stating that it makes the signed standalone
GRUB executables in /usr/lib/grub/grub-<target>.efi(.signed) and that these executables need the grub.cfg file
in the same directory.
So I ran the following commands:
Code: | export GRUB_CFG=/efi/EFI/BOOT/grub.cfg
cd /usr/src/linux
make install
cp /usr/lib/grub/grub-x86_64.efi.signed /efi/EFI/BOOT/BOOTX64.EFI
sbsign --cert my_db.crt --key my_db.key /boot/vmlinuz-x.y.z-gentoo --output /boot/vmlinuz-x.y.z-gentoo |
I verified the efi and kernel were both signed and rebooted. The GRUB menu showed up like normal and gave me the
usual options:
Code: | Gentoo GNU/Linux
Advanced options for Gentoo GNU/Linux
UEFI Firmware Settings |
But when I tried to boot Gentoo, I get the following error:
Code: | Loading Linux x.y.z-gentoo ...
error: shim_lock protocol not found.
Loading initial ramdisk ...
error: you need to load the kernel first.
Press any key to continue... |
I did some more research, but everyone seems to have their own solution that only applies to them:
- some say use UKI
- some say build the initramfs into the kernel
- something something GRUB modules
- grub-install options
I tried various solutions, but nothing seems to work. |
|
Back to top |
|
|
rab0171610 Guru
Joined: 24 Dec 2022 Posts: 439
|
Posted: Sat Dec 14, 2024 5:41 pm Post subject: |
|
|
My solution is to disable it entirely. I assume you have decided that you are at high risk of unauthorized code execution, a bootkit, or some sort of malware that specifically affects your Linux installation. My question, seeing your exhaustive efforts to enable and troubleshoot secure boot, is are you sure you really need it?
Do you have reason to believe that your system integrity is at risk and need to verify it every time you boot?
If you do not need it after all, then simply disable it. If you feel you %100 require it or benefit from it for your use case, then proceed.
Obviously, if you must dual-boot with Windows for some reason, it may be difficult to avoid. Otherwise it is optional. |
|
Back to top |
|
|
FlyingBullets n00b
Joined: 19 Mar 2024 Posts: 8
|
Posted: Sat Dec 14, 2024 6:24 pm Post subject: |
|
|
Quote: | My question, seeing your exhaustive efforts to enable and troubleshoot secure boot, is are you sure you really need it? |
Yes. |
|
Back to top |
|
|
Child_of_Sun_24 l33t
Joined: 28 Jul 2004 Posts: 603
|
Posted: Sat Dec 14, 2024 6:31 pm Post subject: |
|
|
I use secureboot with sys-boot/shim and it works with dual-boot windows.
https://wiki.gentoo.org/wiki/Shim
Here is everything discribed what you need for it. |
|
Back to top |
|
|
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5214 Location: Bavaria
|
|
Back to top |
|
|
rab0171610 Guru
Joined: 24 Dec 2022 Posts: 439
|
Posted: Sat Dec 14, 2024 7:33 pm Post subject: |
|
|
FlyingBullets wrote: | Quote: | My question, seeing your exhaustive efforts to enable and troubleshoot secure boot, is are you sure you really need it? |
Yes. |
Perfectly understandable. I wanted to put it out there because it is a valid question that users should be asking themselves before spending the time and effort in setting it up and troubleshooting -- as might be the case for other users who read this post in the future. |
|
Back to top |
|
|
FlyingBullets n00b
Joined: 19 Mar 2024 Posts: 8
|
Posted: Sat Dec 14, 2024 8:01 pm Post subject: |
|
|
Quote: | I use secureboot with sys-boot/shim... |
I don't want to use shim; I want to use my own keys.
Quote: | If you need an initramfs (because your root partition is encrypted) then USE an embedded initramfs. |
I'm going to try several things:
- Dracut has some uefi parameters to embed the initramfs Update: I don't think this does what I think it does.
- Using an EFI Stub to be loaded by GRUB
- UKI
Quote: | If it is grub - and UEFI has started your grub, ANYTHING else is THEN the job of grub. |
That's how I want things to be handled; I want to keep using GRUB so that I can switch between kernels in case I mess something up; I don't want to boot directly into a kernel. I get that all executables should be signed, but that didn't work.
What I would like to know is why GRUB is giving me this "shim_lock" error.
Update:
The "EFI Stub" wiki page is not helpful in learning how to actually embed an initramfs, it only talks about the subject and something about CPIO files. It says that Dracut can make them, but I can't find anything in the Dracut man pages about ".cpio" files. Also, I'm being told to set CONFIG_INITRAMFS_SOURCE=/usr/src/initramfs ...but that doesn't exist? |
|
Back to top |
|
|
|