ahferroin7 n00b
Joined: 26 Nov 2014 Posts: 10
Posted: Tue Jan 05, 2016 3:16 pm Post subject: Issues with GRUB 2 and UEFI Secure Boot
This isn't exactly about installing Gentoo, but this seems to be the place to ask about boot issues, and this will end up being about installing Gentoo when I am eventually forced to get a system that won't let me turn off Secure Boot.
I've been trying to get Secure Boot set up on my system recently, as Windows 10 hardware certification no longer requires a switch to turn it off, and I already know of x86 systems in the wild that somehow passed Windows 8 certification despite not having such a switch. Instead of taking the usual approach with shim or PreLoader, I've actually generated and installed my own keys for PK, KEK, and db. I still have the certificates shipped with the system installed, because I need to be able to boot Windows also. I'm using GRUB 2 built from the ~amd64 ebuild, signed using sbsign, to boot, and it works just fine booting Linux this way (interestingly, despite not having signed the kernel image).
The issue I've come across, though, is that trying to chainload any EFI executable from GRUB, regardless of whether or not it's signed, fails if I have Secure Boot enabled. I've tested this with the Windows 8.1 boot loader and the system diagnostics application from the manufacturer (both of which boot just fine when invoked from the EFI boot manager itself), as well as a standard EFI shell from TianoCore and the EFI version of Memtest86 (both of which I've signed with my key using sbsign with exactly the same syntax as I used to sign the GRUB binary). This has been a serious annoyance for me, as the EFI boot manager in the firmware on my system is horribly broken (it completely ignores the timeout variable, and only gets displayed if you manually break in during the boot sequence).
I'm hoping somebody here might have some idea what's going on.
For reference, I'm using a ThinkPad L540 with up to date firmware.
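As an added illustration (not code from the thread or from GRUB), the Python below reports whether a PE/COFF EFI image carries the Authenticode Certificate Table that Secure Boot's db check inspects, which is a quick offline way to confirm that GRUB and every binary it is asked to chainload were actually signed. The `minimal_pe32plus` helper builds constructed PE32+ headers as test data; they are not real EFI binaries.

```python
import struct
import sys

# Index of the Certificate Table among the optional header's data directories
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def certificate_table(image):
    """Return (file_offset, size) of the Certificate Table, or (0, 0) if none."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 4 + 20  # skip the PE signature and the 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    # PE32 has a 96-byte fixed optional header, PE32+ (x86-64 EFI) 112 bytes;
    # NumberOfRvaAndSizes is its last 4 bytes and the data directories follow.
    if magic == 0x10B:
        dirs = opt + 96
    elif magic == 0x20B:
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", image, dirs - 4)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)
    return struct.unpack_from("<II", image, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def is_signed(image):
    """True if the image has a non-empty Certificate Table (Authenticode blob)."""
    offset, size = certificate_table(image)
    return offset != 0 and size != 0


def minimal_pe32plus(cert_offset, cert_size):
    """Constructed test data: a bare PE32+ header carrying the given Certificate
    Table entry. It is not a bootable EFI binary."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 112 + 16 * 8, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (cert_offset, cert_size)
    return dos + b"PE\0\0" + coff + opt + b"".join(struct.pack("<II", *d) for d in dirs)


if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. the GRUB image and the binaries it chainloads
        with open(path, "rb") as f:
            print(path, "signed" if is_signed(f.read()) else "UNSIGNED")
```

A present Certificate Table only shows that a signature blob exists; whether it chains to a certificate in db is what sbverify (from sbsigntools) checks.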
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Tue Jan 05, 2016 4:15 pm Post subject: Re: Issues with GRUB 2 and UEFI Secure Boot
ahferroin7 ...
I'm really not that familiar with secure boot, however, perhaps this link will provide a solution (with the fourth bullet point in "Secure Boot Caveats" suggesting your issue is resolvable ... though perhaps not one that will allow you to use grub2).
HTH & best ... khay
DONAHUE Watchman
Joined: 09 Dec 2006 Posts: 7651 Location: Goose Creek SC
Posted: Tue Jan 05, 2016 4:31 pm
Visit http://www.rodsbooks.com/ It may be the best free info available on UEFI and Secure Boot.
A member here as srs5694.
_________________
Defund the FCC.
ahferroin7 n00b
Joined: 26 Nov 2014 Posts: 10
Posted: Tue Jan 05, 2016 8:43 pm
Thanks for the replies. I'd seen the page before, and was actually trying to work around most of the problems with shim and PreLoader, and even the whole issue with MOKs, by just avoiding them entirely. I probably should have been a bit more specific, as I'm not using MOKs at all; I've actually got my own key installed as a Platform Key, and have my own keys added to the Key Exchange Key store and the primary signing key store (which is relatively tamper proof without hardware access due to the design of Secure Boot). I've since tested that both Memtest86 and the EFI shell start just fine when loaded directly by the firmware, and when loaded from the EFI shell, so it really looks like this is an issue in how GRUB is chainloading EFI binaries. I'm probably going to end up filing a bug, but I'm going to have to do some more testing first.