Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
kernel update removing Windows EFI /w secureboot + grub
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Kernel & Hardware
View previous topic :: View next topic  
Author Message
g0rg0n
Tux's lil' helper
Tux's lil' helper


Joined: 18 Feb 2006
Posts: 98

PostPosted: Thu Aug 15, 2024 12:37 pm    Post subject: kernel update removing Windows EFI /w secureboot + grub Reply with quote

Users dual booting with Windows 11, how do you manage kernel upgrade with secureboot?

I updated kernel today and Windows was removed from UEFI boot list.

I was able to boot into Windows since Grub is able to chainload it but it meant unlocking BitLocker twice - once when I boot into Windows, another when Windows automatically updates UEFI boot list.

I suspect grub-install is the root cause since when I initially tried to setup secureboot, grub-install kept removing shim from UEFI boot list. (originally, https://wiki.gentoo.org/wiki/Shim was instructing to use grub-install to generate grubx64.efi and sign it manually with sbsign)

Has anyone encountered similar issues?
Code:
theoffice ~ # emerge -vp installkernel gentoo-kernel grub

These are the packages that would be merged, in order:

Calculating dependencies... done!
Dependency resolution took 1.98 s (backtrack: 0/20).

[ebuild   R    ] sys-boot/grub-2.12-r5:2/2.12-r5::gentoo  USE="fonts mount nls secureboot themes truetype verify-sig -device-mapper -doc -efiemu -libzfs -sdl (-test)" GRUB_PLATFORMS="efi-64 -coreboot -efi-32 -emu -ieee1275 (-loongson) -multiboot -pc -qemu (-qemu-mips) -uboot -xen -xen-32 -xen-pvh" 0 KiB
[ebuild   R    ] sys-kernel/installkernel-48-r1::gentoo  USE="dracut grub -efistub -refind -systemd -systemd-boot -ugrd -uki -ukify" 0 KiB
[ebuild   R    ] sys-kernel/gentoo-kernel-6.10.4:6.10.4::gentoo  USE="initramfs modules-sign secureboot strip -debug -generic-uki -hardened -modules-compress -savedconfig -test" 0 KiB

Total: 3 packages (3 reinstalls), Size of downloads: 0 KiB
theoffice ~ #

_________________
nicewarm.coffee
Back to top
View user's profile Send private message
Nowa
Developer
Developer


Joined: 25 Jun 2014
Posts: 429
Location: Nijmegen

PostPosted: Thu Aug 15, 2024 12:48 pm    Post subject: Reply with quote

This sounds like a weird firmware issue (it's not at all uncommon for an UEFI to be a bit "buggy"), grub-install should not change any non-grub entries.

When (re-)installing grub over an already installed grub you can use the '--no-vram' argument to instruct grub-install to not touch the EFI variables. This is usually fine since the path of the (re-)installed grub does not change and therefore the boot entry does not need updating.

Note also that you do not have to re-install grub when updating the kernel, even if secureboot is enabled.
_________________
OS: Gentoo 6.10.12-gentoo-dist, ~amd64, 23.0/desktop/plasma/systemd
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400
Back to top
View user's profile Send private message
sMueggli
Guru
Guru


Joined: 03 Sep 2022
Posts: 494

PostPosted: Thu Aug 15, 2024 1:19 pm    Post subject: Reply with quote

AndrewAmmerlaan wrote:
When (re-)installing grub over an already installed grub you can use the '--no-vram' argument to instruct grub-install to not touch the EFI variables.


There is a typo, the option is
Code:
--no-nvram
Back to top
View user's profile Send private message
g0rg0n
Tux's lil' helper
Tux's lil' helper


Joined: 18 Feb 2006
Posts: 98

PostPosted: Sun Aug 18, 2024 3:08 pm    Post subject: Reply with quote

AndrewAmmerlaan wrote:
This sounds like a weird firmware issue (it's not at all uncommon for an UEFI to be a bit "buggy"), grub-install should not change any non-grub entries.

When (re-)installing grub over an already installed grub you can use the '--no-vram' argument to instruct grub-install to not touch the EFI variables. This is usually fine since the path of the (re-)installed grub does not change and therefore the boot entry does not need updating.

Note also that you do not have to re-install grub when updating the kernel, even if secureboot is enabled.


I've updated to kernel to 6.10.5 today and still the same behavior (note, all I'm doing is updating kernel, no grub-install / grub-mkconfig):

- after the kernel update, efibootmgr shows shim, grub, Windows and UEFI
- reboot causes a POST failure, reporting that the system is missing a disk
- after a power cycle, system boots okay but with Windows EFI deleted

It does sound like a firmware issue since kernel update with secureboot seems to trigger a POST failure.. I think I'm gonna have to disable secureboot and Windows BitLocker;
_________________
nicewarm.coffee
Back to top
View user's profile Send private message
Nowa
Developer
Developer


Joined: 25 Jun 2014
Posts: 429
Location: Nijmegen

PostPosted: Sun Aug 18, 2024 3:37 pm    Post subject: Reply with quote

Quote:
reboot causes a POST failure, reporting that the system is missing a disk


This is a bit strange since at no point in a kernel update are the efi variables touched (unless you're efistub booting but that is not the case here)

Is it failing to post when loading shim or when loading grub? I also wonder if it would make any difference if you mount the efi variables read-only, or not at all, that way it should be impossible for the system to modify the UEFI in any way.

As you've already noted, we recently introduced a slightly simpler method of using secureboot with grub (via USE=secureboot, and simple cp), are you using this new method? Or are you using the "old" method of grub-install+sbsign? The new method worked fine on my system when I tested it, but it relies on grub-mkstandalone and it might be that there is some issue with this standalone image where it is unable to locate/read your disk(s).
_________________
OS: Gentoo 6.10.12-gentoo-dist, ~amd64, 23.0/desktop/plasma/systemd
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400
Back to top
View user's profile Send private message
g0rg0n
Tux's lil' helper
Tux's lil' helper


Joined: 18 Feb 2006
Posts: 98

PostPosted: Mon Aug 19, 2024 2:59 am    Post subject: Reply with quote

AndrewAmmerlaan wrote:
Quote:
reboot causes a POST failure, reporting that the system is missing a disk


This is a bit strange since at no point in a kernel update are the efi variables touched (unless you're efistub booting but that is not the case here)

Is it failing to post when loading shim or when loading grub? I also wonder if it would make any difference if you mount the efi variables read-only, or not at all, that way it should be impossible for the system to modify the UEFI in any way.

As you've already noted, we recently introduced a slightly simpler method of using secureboot with grub (via USE=secureboot, and simple cp), are you using this new method? Or are you using the "old" method of grub-install+sbsign? The new method worked fine on my system when I tested it, but it relies on grub-mkstandalone and it might be that there is some issue with this standalone image where it is unable to locate/read your disk(s).


I've initially setup with the old method but now using the simpler method - USE="secureboot modules-sign", /usr/lib/grub/grub-x86_64.efi.signed is copied to /boot/efi/EFI/gentoo/, and GRUB_CFG=/boot/efi/EFI/gentoo/grub.cfg

Strangely, I did Windows 11 update after disabling the BitLocker and it caused another POST, removing Windows EFI. :?

POST failure occurs as soon as the laptop restarts, I don't even see the BIOS loading screen.
_________________
nicewarm.coffee
Back to top
View user's profile Send private message
Nowa
Developer
Developer


Joined: 25 Jun 2014
Posts: 429
Location: Nijmegen

PostPosted: Mon Aug 19, 2024 6:53 am    Post subject: Reply with quote

It could be that there is some corruption on the EFI System Partition, this could cause the UEFI to fail to find the disk and maybe to delete entries associated with that disk. Could you try running fsck or chkdsk (windows equivalent) on that partition?
_________________
OS: Gentoo 6.10.12-gentoo-dist, ~amd64, 23.0/desktop/plasma/systemd
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400
Back to top
View user's profile Send private message
g0rg0n
Tux's lil' helper
Tux's lil' helper


Joined: 18 Feb 2006
Posts: 98

PostPosted: Tue Aug 20, 2024 11:15 am    Post subject: Reply with quote

AndrewAmmerlaan wrote:
It could be that there is some corruption on the EFI System Partition, this could cause the UEFI to fail to find the disk and maybe to delete entries associated with that disk. Could you try running fsck or chkdsk (windows equivalent) on that partition?


Just ran fsck and there was a dirty bit set from the unclean mount.

Code:

theoffice ~ # lsblk
NAME        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
mmcblk0     179:0    0 477.5G  0 disk
└─mmcblk0p1 179:1    0 477.5G  0 part
zram0       252:0    0     0B  0 disk
zram1       252:1    0     0B  0 disk
zram2       252:2    0    14G  0 disk /var/tmp
nvme0n1     259:0    0 476.9G  0 disk
├─nvme0n1p1 259:1    0   100M  0 part /boot/efi
├─nvme0n1p2 259:2    0    16M  0 part
├─nvme0n1p3 259:3    0 254.4G  0 part
├─nvme0n1p4 259:4    0   1.4G  0 part
├─nvme0n1p5 259:5    0   512M  0 part /boot
├─nvme0n1p6 259:6    0     4G  0 part [SWAP]
└─nvme0n1p7 259:7    0 216.4G  0 part /

theoffice ~ # fsck.vfat -a /dev/nvme0n1p1
fsck.fat 4.2 (2021-01-31)
There are differences between boot sector and its backup.
This is mostly harmless. Differences: (offset:original/backup)
  65:01/00
  Not automatically fixing this.
Dirty bit is set. Fs was not properly unmounted and some data may be corrupt.
 Automatically removing dirty bit.

*** Filesystem was changed ***
Writing changes.
/dev/nvme0n1p1: 215 files, 57593/98304 clusters

theoffice ~ # fsck.vfat -a /dev/nvme0n1p1
fsck.fat 4.2 (2021-01-31)
/dev/nvme0n1p1: 215 files, 57593/98304 clusters
theoffice ~ #


i'll re-enable secureboot when 6.10.7 lands since i just merged 6.10.6
_________________
nicewarm.coffee
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Kernel & Hardware All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum