Gentoo Forums
Missing couple grub modules

kucklehead
Tux's lil' helper

Joined: 13 Oct 2020
Posts: 108

Posted: Sun Sep 18, 2022 4:17 am    Post subject: Missing couple grub modules

I am trying to enable secure boot but I can't seem to figure out a way to create: vga.mod, vbe.mod and ieee1275_fb.mod. Those are the only grub modules I am missing and if I can somehow obtain them for x86_64-efi, then I will be able to enable secure boot. As for right now, it says: "error: prohibited by secure boot policy". Also, I am missing sbat.csv and was wondering how to create that as well if possible. Any kind of information to help me get started would be greatly appreciated.

alamahant
Advocate

Joined: 23 Mar 2019
Posts: 3948

Posted: Sun Sep 18, 2022 9:35 am

Hi
Code:

ieee1275_fb.mod

can be found only if you use

Code:

GRUB_PLATFORMS="...ieee1275..."

in make.conf and re-emerge grub
On the other hand
vga.mod and vbe.mod belong to i386-pc platform.
So
Code:

GRUB_PLATFORMS="ieee1275 i386-pc efi-64"

should suffice?

Yet again, if I run
Code:

grep -E "iee|vga|vbe" /boot/grub/grub.cfg

I get
Code:

    insmod ieee1275_fb
    insmod vbe
    insmod vga


Maybe they are included in
Code:

all_video.mod

_________________
:)

kucklehead
Tux's lil' helper

Joined: 13 Oct 2020
Posts: 108

Posted: Sun Sep 18, 2022 11:11 am

This is what I run and I still get
Code:

/usr/lib/grub/x86_64/ieee1275_fb.mod: No file or directory


Code:

grub-install --target=x86_64-efi --efi-directory=/boot --modules="efi_gop efi_uga ieee1275_fb vbe vga video_bochs video_cirrus lvm ext2 all_video gfxterm gettext gzio part_gpt fat tpm" --bootloader-id=GRUB

I don't think all_video has vga and vbe included in it?

This is my make config http://dpaste.com/DLR2XSCL6
I did exactly what you said and added ieee1275 i386-pc efi-64
The grub module still doesn't exist for some reason.


Last edited by kucklehead on Sun Sep 18, 2022 11:17 am; edited 1 time in total

alamahant
Advocate

Joined: 23 Mar 2019
Posts: 3948

Posted: Sun Sep 18, 2022 11:16 am

Well you might need to copy them over from
Code:

/boot/grub/{i386-pc,ieee1275} to /boot/grub/x86_64-efi/

What does "ls /boot/grub" show?
Just the ones you need. Not all.
Hope it will work.
If done you can remove the extra platforms from grub.
You just needed the modules, no?
_________________
:)


Last edited by alamahant on Sun Sep 18, 2022 11:21 am; edited 1 time in total

kucklehead
Tux's lil' helper

Joined: 13 Oct 2020
Posts: 108

Posted: Sun Sep 18, 2022 11:20 am

Yeah, I just need the modules. Also i386-pc and ieee1275 do not exist. I have to create it, right?
If so, how?

alamahant
Advocate

Joined: 23 Mar 2019
Posts: 3948

Posted: Sun Sep 18, 2022 11:22 am

It must be inside /boot/grub
Ok, I stand corrected.
In make.conf for i386-pc just use "pc"
Code:

GRUB_PLATFORMS="efi-64 pc ieee1275"


You need to re-EMERGE grub.
_________________
:)

kucklehead
Tux's lil' helper

Joined: 13 Oct 2020
Posts: 108

Posted: Sun Sep 18, 2022 11:26 am

It's not for some reason. Here's the paste: http://dpaste.com/AKYPQHBG4
What I mean by creating it I thought changing the --target would work for some reason, don't know why.

alamahant
Advocate

Joined: 23 Mar 2019
Posts: 3948

Posted: Sun Sep 18, 2022 11:31 am

You are right. I just tried it.
The respective folders are not created in /boot/grub.
I think they are created when running "grub-install --target".
But I advise you not to try it.
_________________
:)

kucklehead
Tux's lil' helper

Joined: 13 Oct 2020
Posts: 108

Posted: Sun Sep 18, 2022 11:36 am

I changed it to pc, here's my make config http://dpaste.com/6TUCG2CSS
Still no folder https://dpaste.com/554NFNP9L
I forgot to mention grub-install it's late here. And I am re-emerging grub via sudo emerge --ask --quiet --update --deep --changed-use @world

alamahant
Advocate

Joined: 23 Mar 2019
Posts: 3948

Posted: Sun Sep 18, 2022 11:39 am

Ok your make.conf seems ok.
I am not certain how safe it is to run
Code:

grub-install --target=pc
etc

when you are in an efi-64 system.
I advise you not to do it.
_________________
:)

alamahant
Advocate

Joined: 23 Mar 2019
Posts: 3948

Posted: Sun Sep 18, 2022 11:48 am

Ok I found it
DO NOT RUN
grub-install with other --targets.
Just re emerge grub and find the modules in
Code:

/usr/lib/grub/pc
or
/usr/lib/grub/i386-pc

and
/usr/lib/grub/ieee1275

_________________
:)

kucklehead
Tux's lil' helper

Joined: 13 Oct 2020
Posts: 108

Posted: Sun Sep 18, 2022 11:48 am

Yes you're right, I don't need to run that. I ran
Code:

ls /usr/lib/grub/i386-pc

and it shows vga.mod and vbe.mod
running
Code:

ls /usr/lib/grub

It shows i386-ieee1275
But I don't see the ieee1275_fb.mod anywhere

alamahant
Advocate

Joined: 23 Mar 2019
Posts: 3948

Posted: Sun Sep 18, 2022 11:59 am

It only has
Code:

video_fb.mod


Is that it maybe?
EDIT
Plz find it here
http://bay.uchicago.edu/centos-vault/8.3.2011/BaseOS/ppc64le/os/boot/grub/powerpc-ieee1275/ieee1275_fb.mod
_________________
:)


Last edited by alamahant on Sun Sep 18, 2022 12:32 pm; edited 2 times in total

kucklehead
Tux's lil' helper

Joined: 13 Oct 2020
Posts: 108

Posted: Sun Sep 18, 2022 12:00 pm

I was thinking that. Gimme a second and I'll try it and see if it works

alamahant
Advocate

Joined: 23 Mar 2019
Posts: 3948

Posted: Sun Sep 18, 2022 12:01 pm

Plz see above updated my post.
_________________
:)

kucklehead
Tux's lil' helper

Joined: 13 Oct 2020
Posts: 108

Posted: Sun Sep 18, 2022 1:15 pm

Yes I see it. However, there's an issue. I installed the vga.modules, vga.mod, vbe.mod, vbe.modules in /usr/lib/grub/x86_64 and when I rebooted I got "Error: invalid arch-dependant ELF magic" Something like that. So basically all of this copying would be useless unless we can figure out "Error: invalid arch-dependant ELF magic"

alamahant
Advocate

Joined: 23 Mar 2019
Posts: 3948

Posted: Sun Sep 18, 2022 1:24 pm

It means it can not use modules that belong to different architecture.
I don't think it is possible to do what you are trying in this way.
_________________
:)
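
Added example, not part of any post in this thread: GRUB modules are ELF objects, and "invalid arch-dependent ELF magic" is what GRUB's module loader reports when a module's ELF class, byte order or machine type does not match the running platform. The script reads those header fields so a module can be checked before it is copied; the three sample files are constructed 20-byte headers, not real modules.

```shell
#!/bin/sh
# Added example: read the three ELF header fields that decide whether a
# GRUB module matches the platform (class, byte order, machine).

# Print $3 bytes at offset $2 of file $1 as space-separated decimals.
bytes_at() {
    set -- $(od -An -tu1 -j "$2" -N "$3" "$1" 2>/dev/null)
    echo "$*"
}

# Print e.g. "ELF64 x86_64" for file $1, "not-elf" or "truncated".
elf_arch() {
    if [ "$(bytes_at "$1" 0 4)" != "127 69 76 70" ]; then   # \177 E L F
        echo "not-elf"; return 0
    fi
    class=$(bytes_at "$1" 4 1)    # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    data=$(bytes_at "$1" 5 1)     # EI_DATA:  1 = little endian, 2 = big endian
    set -- $(bytes_at "$1" 18 2)  # e_machine, stored in the file's byte order
    [ $# -eq 2 ] || { echo "truncated"; return 0; }
    if [ "$data" = 2 ]; then mach=$(( $1 * 256 + $2 )); else mach=$(( $2 * 256 + $1 )); fi
    case $mach in
        3)  name=i386 ;;
        20) name=powerpc ;;
        62) name=x86_64 ;;
        *)  name="machine-$mach" ;;
    esac
    if [ "$class" = 2 ]; then echo "ELF64 $name"; else echo "ELF32 $name"; fi
}

# Compare candidate $2 against $1, a module known to belong to the platform.
check_module() {
    want=$(elf_arch "$1"); got=$(elf_arch "$2")
    if [ "$want" = "$got" ]; then echo "ok: $got"
    else echo "mismatch: $got (platform is $want)"; fi
}

# Emit a constructed 20-byte ELF header.
hdr() {  # $1 = class/data/version bytes, $2 = e_type + e_machine bytes
    printf "\\177ELF$1"'\000\000\000\000\000\000\000\000\000'"$2"
}

build_samples() {  # $1 = scratch directory
    hdr '\002\001\001' '\001\000\076\000' > "$1/efi_gop.mod"      # ELF64 LE, machine 62
    hdr '\001\001\001' '\001\000\003\000' > "$1/vga.mod"          # ELF32 LE, machine 3
    hdr '\001\002\001' '\000\001\000\024' > "$1/ieee1275_fb.mod"  # ELF32 BE, machine 20
}

tmp=$(mktemp -d)
build_samples "$tmp"
for f in vga ieee1275_fb; do
    echo "$f.mod: $(check_module "$tmp/efi_gop.mod" "$tmp/$f.mod")"
done
rm -rf "$tmp"
```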

GDH-gentoo
Veteran

Joined: 20 Jul 2019
Posts: 1802
Location: South America

Posted: Sun Sep 18, 2022 2:06 pm    Post subject: Re: Missing couple grub modules

kucklehead wrote:
I am trying to enable secure boot but I can't seem to figure out a way to create: vga.mod, vbe.mod and ieee1275_fb.mod. Those are the only grub modules I am missing [...]

What makes you think that you need those modules? Secure Boot implies UEFI, but modules vga and vbe are for BIOS, and ieee1275_fb is for Open Firmware on PowerPC.

GRUB's available video modules for UEFI are named efi_gop and efi_uga.
_________________
NeddySeagoon wrote:
I'm not a witch, I'm a retired electronics engineer :)
Ionen wrote:
As a packager I just don't want things to get messier with weird build systems and multiple toolchains requirements though :)

kucklehead
Tux's lil' helper

Joined: 13 Oct 2020
Posts: 108

Posted: Sun Sep 18, 2022 3:43 pm

@GDH-gentoo
Following this wiki section "Shim with key and GRUB" at https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Using_a_signed_boot_loader
"Shows error: prohibited by secure boot policy" When I enable secure boot on. I have my keys enrolled and already signed to my bootloader.
The grub modules I want are well needed for another arch which doesn't make any sense for me that is, since everything is in x86_64-efi. Doing some digging around I read through my /boot/grub/grub.cfg looking at the insmod lines and added the modules I needed with grub-install --modules="....tpm..." and ieee1275_fb is hardcoded in that file. Instead of installing the modules such as "grub-install ..... ... ... --modules= ${GRUB_MODULES}" because that complains about something being filled can't remember ( just remembered it complained about running out of room after installing every single grub module ). I have been trying a different way which is look in your grub.cfg, find what grub modules you need and install them. After adding all the modules besides such as:
Code:

grub-install --target=x86_64-efi --efi-directory=/boot --modules="efi_gop efi_uga video_bochs video_cirrus lvm ext2 all_video gfxterm gettext gzio part_gpt fat tpm" --bootloader-id=GRUB

vga vbe and ieee1275 it started to complain about not having those modules installed


Last edited by kucklehead on Sun Sep 18, 2022 4:04 pm; edited 1 time in total

kucklehead
Tux's lil' helper

Joined: 13 Oct 2020
Posts: 108

Posted: Sun Sep 18, 2022 3:54 pm

Oh and yes I followed these steps to make my keys:
Code:

sudo mkdir /etc/microsoft_efikeys/
efi-readvar -v PK -o old_PK.esl
efi-readvar -v KEK -o old_KEK.esl
efi-readvar -v db -o old_db.esl
efi-readvar -v dbx -o old_dbx.esl
cp /etc/microsoft_efikeys/* /etc/efikeys/

uuidgen --random > GUID.txt
openssl req -newkey rsa:4096 -nodes -keyout PK.key -new -x509 -sha256 -days 3650 -subj "/CN=my Platform Key/" -out PK.crt
openssl x509 -outform DER -in PK.crt -out PK.cer
cert-to-efi-sig-list -g "$(< GUID.txt)" PK.crt PK.esl
sign-efi-sig-list -g "$(< GUID.txt)" -k PK.key -c PK.crt PK PK.esl PK.auth

openssl req -newkey rsa:4096 -nodes -keyout KEK.key -new -x509 -sha256 -days 3650 -subj "/CN=my Key Exchange Key/" -out KEK.crt
openssl x509 -outform DER -in KEK.crt -out KEK.cer
cert-to-efi-sig-list -g "$(< GUID.txt)" KEK.crt KEK.esl
sign-efi-sig-list -g "$(< GUID.txt)" -k PK.key -c PK.crt KEK KEK.esl KEK.auth

openssl req -newkey rsa:4096 -nodes -keyout db.key -new -x509 -sha256 -days 3650 -subj "/CN=my Signature Database key/" -out db.crt
openssl x509 -outform DER -in db.crt -out db.cer
cert-to-efi-sig-list -g "$(< GUID.txt)" db.crt db.esl
sign-efi-sig-list -g "$(< GUID.txt)" -k KEK.key -c KEK.crt db db.esl db.auth


Manually Signed my bootloader and kernel:
Code:

sbsign --key db.key --cert db.crt --output /boot/vmlinuz-linux /boot/vmlinuz-linux
sbsign --key db.key --cert db.crt --output esp/EFI/BOOT/BOOTx64.EFI esp/EFI/BOOT/BOOTx64.EFI


Enrolled my keys:
Code:

mkdir -p /etc/secureboot/keys/{db,dbx,KEK,PK}
sbkeysync --pk --dry-run --verbose
sbkeysync --verbose
sbkeysync --verbose --pk

GDH-gentoo
Veteran

Joined: 20 Jul 2019
Posts: 1802
Location: South America

Posted: Sun Sep 18, 2022 6:40 pm

kucklehead wrote:
Following this wiki section "Shim with key and GRUB" at https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Using_a_signed_boot_loader
You are not following that section, because you are not using the PreLoader or the Shim with a machine owner key (MOK). According to what you are describing in your last post, you are instead replacing (or trying to replace) the UEFI firmware's keys (Platform, Key Exchange and signature verification keys). That's a different way of booting [GNU/]Linux with Secure Boot on.

kucklehead wrote:
"Shows error: prohibited by secure boot policy" When I enable secure boot on.
Are you getting to GRUB's menu?

kucklehead wrote:
The grub modules I want are well needed for another arch which doesn't make any sense for me that is, since everything is in x86_64-efi.
Exactly, it doesn't make any sense. Again, why do you think you need them?
_________________
NeddySeagoon wrote:
I'm not a witch, I'm a retired electronics engineer :)
Ionen wrote:
As a packager I just don't want things to get messier with weird build systems and multiple toolchains requirements though :)

kucklehead
Tux's lil' helper

Joined: 13 Oct 2020
Posts: 108

Posted: Mon Sep 19, 2022 12:41 am

Yes, I am getting to the grub menu but it goes straight into grub rescue mode, after it displays: "error: prohibited by secure boot policy" And I am using shim + grub, because I am replacing the PK, KEK, and db keys and certs. I don't need it though and I haven't uninstalled it because I have been configuring wireguard. After this reply, it'll be uninstalled. I need those modules for grub to work because why else would it be displaying missing modules? And I was not talking about using MOK or preloader. I quoted the section in "". I believe you're referring to the link I sent. If you follow the link and search for the section I quoted, it will show $CD_MODULES and what not

GDH-gentoo
Veteran

Joined: 20 Jul 2019
Posts: 1802
Location: South America

Posted: Mon Sep 19, 2022 4:11 pm

kucklehead wrote:
Yes, I am getting to the grub menu but it goes straight into grub rescue mode, after it displays: "error: prohibited by secure boot policy"
OK, that comes from GRUB's shim lock file verifier, which is registered automatically when GRUB detects that Secure Boot is on. Probably because it is trying to load a module it needs. But surely not a module that does not correspond to UEFI on 64-bit AMD / Intel architecture. From the article you linked:

Quote:
GRUB can only be booted in Secure Boot mode if all necessary modules are included in its EFI binary.
(Or alternatively, I believe, a verifier that can verify GRUB modules, such as the PGP verifier, has been registered)

kucklehead wrote:
I am using shim + grub, because I am replacing the PK,KEK, and db keys and certs.
Those two things are mutually exclusive (well, not really, but if you are able to replace the firmware keys, there's no reason to use the Shim as it only adds overhead). If you don't remember installing the Shim, which means that files shimx64.efi, mmx64.efi and fbx64.efi are present somewhere in the EFI System Partition, and creating a MOK, then you are not using the Shim.

kucklehead wrote:
And I was not talking about using MOK or preloader. I quoted the section in "". I believe you're referring to the link I sent. If you follow the link and search for the section I quoted, it will show $CD_MODULES and what not
You linked to section 3.2 of the Arch Wiki article:

kucklehead wrote:
Following this wiki section "Shim with key and GRUB" at https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Using_a_signed_boot_loader

Quote:
Unified Extensible Firmware Interface/Secure Boot
[...]
3 Implementing Secure Boot
[...]
3.2 Using a signed boot loader
Using a signed boot loader means using a boot loader signed with Microsoft's key. There are two known signed boot loaders: PreLoader and shim. Their purpose is to chainload other EFI binaries (usually boot loaders).

I believe pietinger here has successfully set up GRUB with Secure Boot enabled and replaced the UEFI firmware keys, maybe he'll see this.
_________________
NeddySeagoon wrote:
I'm not a witch, I'm a retired electronics engineer :)
Ionen wrote:
As a packager I just don't want things to get messier with weird build systems and multiple toolchains requirements though :)
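
Added example, not part of any post in this thread: one way to see which of the modules named on `insmod` lines in grub.cfg exist for the target platform, and so can be embedded in the EFI binary, and which belong to another platform. The grub.cfg and the empty `.mod` files are constructed stand-ins; on a real system the second argument would be the x86_64-efi module directory (its location is an assumption).

```shell
#!/bin/sh
# Added example: sort the modules named on "insmod" lines of a grub.cfg into
# those that exist for the target platform and those that do not.

# Print each distinct module named on an insmod line of grub.cfg $1.
insmod_names() {
    sed -n 's/^[[:space:]]*insmod[[:space:]]\{1,\}\([A-Za-z0-9_]\{1,\}\).*/\1/p' "$1" |
        LC_ALL=C sort -u
}

# $1 = grub.cfg, $2 = platform module directory, $3 = present | missing.
# Prints the matching module names on one line, space separated.
classify() {
    for m in $(insmod_names "$1"); do
        if [ -f "$2/$m.mod" ]; then state=present; else state=missing; fi
        if [ "$state" = "$3" ]; then echo "$m"; fi
    done | paste -sd' ' -
}

# Constructed stand-ins: empty .mod files and a small grub.cfg.
build_demo() {  # $1 = scratch directory
    mkdir -p "$1/x86_64-efi"
    for m in all_video efi_gop efi_uga video_bochs video_cirrus part_gpt ext2 gzio; do
        : > "$1/x86_64-efi/$m.mod"
    done
    cat > "$1/grub.cfg" <<'EOF'
function load_video {
  if [ x$feature_all_video_module = xy ]; then
    insmod all_video
  else
    insmod efi_gop
    insmod efi_uga
    insmod ieee1275_fb
    insmod vbe
    insmod vga
    insmod video_bochs
    insmod video_cirrus
  fi
}
insmod part_gpt
insmod ext2
insmod gzio
EOF
}

demo=$(mktemp -d)
build_demo "$demo"
echo "embed with --modules:  $(classify "$demo/grub.cfg" "$demo/x86_64-efi" present)"
echo "not for this platform: $(classify "$demo/grub.cfg" "$demo/x86_64-efi" missing)"
rm -rf "$demo"
```

The three names reported as not for this platform are the ones the thread was trying to obtain; in the constructed config they appear only in a fallback branch, so being named on an `insmod` line does not by itself mean a module is loaded.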

pietinger
Moderator

Joined: 17 Oct 2006
Posts: 5364
Location: Bavaria

Posted: Mon Sep 19, 2022 5:32 pm

GDH-gentoo wrote:
I believe pietinger here has successfully set up GRUB with Secure Boot enabled and replaced the UEFI firmware keys, maybe he'll see this.

Yes and no. Yes, I have active secureboot. No, not for grub.

I have installed Gentoo with our AMD64 handbook .. so, YES WITH grub.

THEN I made a (monolithic) stub kernel which can be booted directly from UEFI. Then I went the same way as OP with changing all keys (so no SHIM or MOK is necessary) and signing my (stub-)KERNEL. Now my UEFI boots in securemode directly my kernel.

Please keep in mind: grub is able to boot a stub kernel like every normal kernel also! So: For backup reasons I have still my old UEFI boot entry for grub in my UEFI ... and IF I must boot an older kernel (because something bad happened to my new (signed) kernel), THEN I go into my BIOS and change boot order back to grub AND for this I disable secureboot temporarily (because I have to go into BIOS anyway).

An English description for this is here: https://forums.gentoo.org/viewtopic-p-8492354.html#8492354