| View previous topic :: View next topic |
| Author |
Message |
nxe9
Tux's lil' helper
Joined: 05 Jun 2021
Posts: 93
|
 Posted: Wed Oct 30, 2024 2:20 am Post subject: Problem installing sys-boot/grub with secureboot option |
 |
|
I have two problems whilte installing sys-boot/grub with secureboot flag. I placed the entries in the make.conf file
| Code: | SECUREBOOT_SIGN_KEY="mypath/file.key"
SECUREBOOT_SIGN_CERT="mypath/file.crt" |
During installation, sys-boot/grub finds mypath/file.key and asks me to enter the password.
Problem 1: Password entry is not hidden. When digitally signing the UKI kernel with dracut, the prompt is hidden. I would like it to be like this, otherwise I will leave my password in the console logs with each grub installation.
Problem 2: After entering the password, nothing happens. Signing UKi using dracut takes seoncds. In this case, after 20 minutes still nothing minutes. Htop shows the minimum CPU consumption. Something is probably wrong here, or maybe grub takes so long for some reason? I'll wait even longer, but I don't think the installation will go any further. (Edit: Even after 3 hours nothing moved).
My password is not wrong. I double check my key with
| Code: | | oepnssl rsa -in mypath/file.key -check |
and after entering the password the result is RSA key OK. |
|
| Back to top |
|
 |
Hu
Administrator
Joined: 06 Mar 2007
Posts: 22578
|
| Posted: Wed Oct 30, 2024 1:52 pm Post subject: |
|
|
| That suggests to me that the password you typed was never passed to the signing tool, and that it is still waiting for your password. To start, please show us the versions of everything involved: grub, the signing tool, and your sync date (which is relevant to how Portage invokes the signing tool). Also, while the system is paused at that prompt, run ps -efwH, extract the lines for the ebuild and the signing tool, and show those. Check that no passwords are shown before posting. I don't expect them to be there. |
|
| Back to top |
|
|
nxe9
Tux's lil' helper
Joined: 05 Jun 2021
Posts: 93
|
| Posted: Wed Oct 30, 2024 4:13 pm Post subject: |
|
|
@Hu: Thanks.
sys-kernel/gentoo-kernel-6.6.58-r1
sys-boot/grub-2.12-r5
app-crypt/sbsigntools-0.9.5
dev-libs/openssl-3.3.2
sys-apps/portage-3.0.65-r1
| Quote: | | Timestamp of repository gentoo: Mon, 28 Oct 2024... |
ps -efwH output
I executed the command in the second terminal when the password prompt appeared. I didn't enter the password this time.
https://bpa.st/AR7IY |
|
| Back to top |
|
|
nxe9
Tux's lil' helper
Joined: 05 Jun 2021
Posts: 93
|
| Posted: Wed Oct 30, 2024 7:49 pm Post subject: |
|
|
EDIT: I had to edit my post due to my new observations.
The end of the output when installing grub with secureboot and ECLASS_DEBUG_OUTPUT=on.
| Code: |
...
/var/tmp/portage/sys-boot/grub-2.12-r5/image/usr/bin/grub-mkstandalone: info: kernel_img=0x7fa6c4991010, kernel_size=0x1c000.
/var/tmp/portage/sys-boot/grub-2.12-r5/image/usr/bin/grub-mkstandalone: info: the core size is 0xd495d0.
/var/tmp/portage/sys-boot/grub-2.12-r5/image/usr/bin/grub-mkstandalone: info: reading /var/tmp/portage/sys-boot/grub-2.12-r5/image/usr/share/grub/sbat.csv.
/var/tmp/portage/sys-boot/grub-2.12-r5/image/usr/bin/grub-mkstandalone: info: writing 0xd4d000 bytes. [ ok ]
debug: secureboot_auto_sign: entering function, parameters:
debug: secureboot_sign_efi_file: entering function, parameters: /var/tmp/portage/sys-boot/grub-2.12-r5/image/usr/lib/grub/grub-x86_64.efi /var/tmp/portage/sys-boot/grub-2.12-r5/image/usr/lib/grub/grub-x86_64.efi.signed
debug: _secureboot_die_if_unset: entering function, parameters:
Enter pass phrase for mypath/myfile.key:
|
The line where the installation stops is exactly here https://gitweb.gentoo.org/repo/gentoo.git/tree/eclass/secureboot.eclass#n94
| Code: | openssl x509 "${openssl_args[@]}" ||
die "Secure Boot signing certificate or key not found or not PEM format." |
That means and also what we can see in the process list above.
| Code: | | openssl x509 -inform PEM -in mypath/myfile.crt -noout -nocert -keyform PEM -key mypath/myfile.key |
If anyone would like to try and reproduce it. The steps:
1. Create key and crt and enter your symmetric encryption key
| Code: | | openssl req -new -x509 -newkey rsa:2048 -subj "/CN=name" -keyout file.key -out file.crt -days 9999 -sha256 |
2. emerge --ask app-crypt/sbsigntools
3. make.conf
| Code: | SECUREBOOT_SIGN_KEY="mypath/file.key"
SECUREBOOT_SIGN_CERT="mypath/file.crt" |
4. install grub with secureboot flag: USE="secureboot" emerge -a grub
It looks as if the console input could not be passed to openssl when calling it from eclass. Why? Can someone try to reproduce this scenario using the above steps? Is this some kind of portage issue? |
|
| Back to top |
|
|
nxe9
Tux's lil' helper
Joined: 05 Jun 2021
Posts: 93
|
| Posted: Thu Oct 31, 2024 5:35 pm Post subject: |
|
|
The same problem with another package has already been reported.
https://bugs.gentoo.org/935733
The problem is caused by passing input through the sandbox, as I thought. A more detailed technical description https://bugs.gentoo.org/935733#c7
The workaround is to disable the pid-sandbox portage feature. But this is probably not a pretty solution. Can I disable this feature for just one package? I guess portage doesn't offer such options? |
|
| Back to top |
|
|
|
Portage & Programming
