Gentoo Forums
[SOLVED]Grub and UEFI Secure Boot
nvaert1986
Tux's lil' helper
Joined: 05 May 2019
Posts: 124

Posted: Wed Apr 05, 2023 4:51 pm    Post subject: [SOLVED]Grub and UEFI Secure Boot

Hello everyone,

I'm trying to get grub fully working with SecureBoot using sbctl, but I'm running into issues and was wondering whether anybody else has experience with this and knows how to resolve the issue.

After running sbctl sign filename on my grub and kernel I noticed that I only got a grub rescue prompt. After reading online, I found out that it doesn't work with a modular grub, and that I needed to make a standalone EFI file and sign it using grub-mkstandalone. After running:
Code:
grub-mkstandalone --fonts=all -O x86_64-efi -o grubx64.efi "/boot/grub/grub.cfg" -v
, I signed it and rebooted my laptop. I finally got a grub with a menu, but the kernel still wasn't loading. I received the error message:
Code:
error: verification requested but nobody cares:


After some more reading I found out that I needed to disable shim_lock, so I ran:
Code:
grub-mkstandalone --disable-shim-lock --fonts=all -O x86_64-efi -o grubx64.efi "/boot/grub/grub.cfg" -v
, signed it and rebooted again, but now I received the error message:
Code:
error: verification requested but nobody cares:
.

After googling some more, I found that somebody had found a solution by running
Code:
sed -i 's/SecureBoot/SecureB00t/' /boot/EFI/gentoo/grubx64.efi
. After rebooting, my system finally boots with Secure Boot enabled, but my kernel still displays the message "Secure Boot Disabled" and certain SecureBoot EFI-related variables are not visible, although the system does boot with EFI Secure Boot enabled.

Note: I found the idea of sed on: hxxps://wejn.org/2021/09/fixing-grub-verification-requested-nobody-cares/

Does anybody know how to resolve this mess with grub and Secure Boot properly?


Last edited by nvaert1986 on Thu Apr 06, 2023 7:35 am; edited 1 time in total
nvaert1986
Tux's lil' helper
Joined: 05 May 2019
Posts: 124

Posted: Thu Apr 06, 2023 7:35 am

I've been able to resolve my issue by using Fedora's signed shim64.efi and adding the --sbat sbat.csv parameter when generating my grub EFI image. This resolved the issue and now my system boots in UEFI Secure Boot mode. The shimx64.efi is signed by Microsoft and since I added the Microsoft certificate to my signed certificate database (using sbctl), my system is functioning correctly now.
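
The fix in the post above depends on a well-formed sbat.csv being embedded in the standalone GRUB image. As an added example (not part of the original posts), this script writes a sample file, checks its shape, and wraps the build and signing commands from the thread; the vendor records and generation numbers are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Vendor names, versions and generation numbers are constructed
# placeholders; take the real values from the GRUB package you are building.

write_sbat() {  # $1 = output path (hypothetical helper)
    cat > "$1" <<'EOF'
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.example,1,Example Local Build,grub,2.06-local,https://example.invalid/
EOF
}

# Each record: component,generation,vendor,package,version,url (six fields).
check_sbat() {  # $1 = sbat.csv; returns 0 when the file is well-formed
    awk -F, '
        NF == 0 { next }
        NF != 6 { printf "line %d: expected 6 fields, got %d\n", NR, NF; bad = 1; next }
        $2 !~ /^[0-9]+$/ || $2 < 1 { printf "line %d: bad generation \"%s\"\n", NR, $2; bad = 1 }
        NR == 1 && $1 != "sbat" { print "line 1: first record must describe sbat itself"; bad = 1 }
        $1 == "grub" { have_grub = 1 }
        END {
            if (!have_grub) { print "no grub component record"; bad = 1 }
            exit bad + 0
        }
    ' "$1" >&2
}

# Build as in the thread, but refuse to sign an image without a .sbat section.
build_grub() {  # $1 = sbat.csv, $2 = output image
    check_sbat "$1" || return 1
    grub-mkstandalone --fonts=all -O x86_64-efi --sbat "$1" -o "$2" \
        "/boot/grub/grub.cfg" || return 1
    objdump -h "$2" | grep -q '\.sbat' || { echo "no .sbat section in $2" >&2; return 1; }
    sbctl sign "$2"
}

# Offline self-check of the sample file; build_grub is not run here.
tmp=$(mktemp -d) && write_sbat "$tmp/sbat.csv" && check_sbat "$tmp/sbat.csv" \
    && echo "sample sbat.csv is well-formed"
```

To build for real, source the script and call `build_grub sbat.csv grubx64.efi` on a machine with grub, binutils and sbctl installed.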
All times are GMT