Boot problem since new version grub 2.12

[hktonky]

Good morning
I have a problem since version 2.12 of grub.
I have been working for several years on a gentoo version installed on encrypted USB media and it works perfectly.
The classic principle is to add a line in the /etc/default/grub file to indicate to the system that the root is on a quit partition which must first be decrypted by a cryptsetup command:

GRUB_CMDLINE_LINUX="scandelay=3 quiet crypt_root=UUID=xxxxxxxxxxxxxxxxxx video.use_native_backlight=1 psmouse.proto=imps keymap=fr noresume dokeymap video=uvesafb:1366x768-32,mtrr:3,ywrap splash=verbose,theme:emerge-world radeon .audio=1 amdgpu.dc=1 rootfstype=ext4"

In the event of a kernel change, I operate the migration with the sequence of commands:

[eeckwrk99]

After updating to 2.12, you should re-install GRUB with:

[hktonky]

Good evening
Sorry, it doesn't change anything. I always get the same mistake

[sMueggli]

Does it boot if you disable Secure Boot?

[hktonky]

Good evening
The boot works perfectly if we deactivate the secure start.

[sMueggli]

If it works with Secure Boot disabled, you can choose between disabling Secure Boot permanently or creating a correctly signed binary.

I think your Grub binary is missing some modules. I would start with

[hktonky]

Thank you for your help.
I checked the modules between version 2.06 which works and version 2.12.
They are exactly the same: none of them seem to be missing.

[sMueggli]

[hktonky]

You are right.
The BLI module is loaded by the config file 25_xxxx in /etc/grub.d/
But whether this module is loaded or not doesn't change anything (I tried it in both cases) and that's the only difference between
the modules loaded by 2.12 and the ones loaded 2.06.

[hktonky]

I finally found the solution.

The difference between GRUB 2.12 and GRUB 2.06 is that the kernel must be load by the EFI bootloader and not by GRUB directly.
It is therefore necessary to sign it with the key to the EFI Secureboot store.
But it is also necessary to sign the kernel with the GPG key used by GRUB (disable-shim-lock option used).

We therefore obtain the sequence of the following commands :

<grub-mkconfig -o /boot/grub/grub.cfg> to generate the grub.cfg file

<gpg --default-Key mykey --detach-sign grub.cfg> to sign the grub.cfg file

<grub-mkstandalone --output =/boot/efi/boot/bootx64.efi --format = x86_64 --efi-modules = "part_gpt part_msdos fat ext2 Linux normal Search Search_fs_uuid Loadenv minicmd luks cryptodisk all_video cpio reboot sleep bli configfile password_PBKDF2 gcry_sha256 gcry_sha512 gcry_dsa gcry_dsa" --pubkey =mykey.pub ---disable-shim-lock /boot/grub/grub.cfg=/boot/grub/grub.cfg grub.cfg.sig=/boot/grub/grub.cfg.sig> to generate the loader bootx64.efi

<sgsign --key /etc/efikeys/db.key --cert /etc/efikeys/db.crt --output vmlinuz-6.8.5-gento-r1-x86_64 vmlinuz-6.8.5-gento-r1-x86_64> To sign the kernel with the keys to the EFI store

<gpg --default-key mykey --detach-sign vmlinuz-6.8.5-gento-r1-x86_64> To sign the kernel with the PGP key used by GRUB
(Be careful not to reverse the order of the last two lignes)

<cd /boot/efi/efi/boot
sbsign --key /etc/efikeys/db.key --cert /etc/efikeys/db.crt --output bootx64.efi bootx64.efi> to finally sign the loader bootx64.efi with the keys to the EFI store.

It was this double signature of the kernel that I was missing.