Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
GRUB cannot boot with secure boot
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Kernel & Hardware
View previous topic :: View next topic  
Author Message
FlyingBullets
n00b
n00b


Joined: 19 Mar 2024
Posts: 10

PostPosted: Sat Dec 14, 2024 5:11 pm    Post subject: GRUB cannot boot with secure boot Reply with quote

#######
PROBLEM
#######

I'm trying to use secure boot with my setup, but I keep getting errors in GRUB.

#####
SETUP
#####

My setup is the following:
Drive Partition_name Mountpoint
/dev/sda
|-/dev/sda1 EFI System /efi
|-/dev/sda2 Linux extended boot /boot
`-/dev/sda3 Linx filesystem

sda1 is the ESP where the '.efi' file is /efi/EFI/BOOT/BOOTX64.EFI

sda2 is the XBOOT that contains:
|-grub/
|-amd-uc.img
|-intel-uc.img
|-System.map-x.y.z-gentoo
|-config-x.y.z-gentoo
|-initramfs-x.y.z-gentoo.img
`-vmlinuz-x.y.z-gentoo

sda3 is the encrypted root.

sys-kernel/installkernel is compiled with:
USE="dracut grub"

sys-boot/grub is compiled with:
USE="device-mapper fonts nls secureboot themes"
GRUB_PLATFORMS="efi-64"

GRUB is installed with the following command:
Code:
grub-install --removable --target=x86_64-efi --efi-directory=/efi


I compile my own kernel from sys-kernel/gentoo-sources.

The current setup works -- I use the installkernel script to configure Dracut and GRUB when I run 'make install'.

###################################
TRYING TO USE SECURE BOOT ATTEMPT 1
###################################

I followed the instructions on the "Secure Boot" wiki page up to section "Signing Boot Files":
- set SECUREBOOT_SIGN_KEY and SECUREBOOT_SIGN_CERT in make.conf
- make my own keys
- sign my keys
- install my keys to the UEFI

The "Signing Boot Files" section does not explain well what files need to be signed, it only shows the kernel being
signed and only talks about UKI and initramfs. I signed what I could and signed:
- /efi/EFI/BOOT/BOOTX64.EFI
- /boot/vmlinuz-x.y.z-gentoo
with
Code:
sbsign --cert my_db.crt --key my_db.key <efi file> --output <efi file>


I also checked they were signed with the right key with 'sbverify'.

When I try to boot, the GRUB menu doesn't show up and I'm given:
Code:
error: prohibited by secure boot policy.
Entering rescue mode...
grub rescue>


###################################
TRYING TO USE SECURE BOOT ATTEMPT 2
###################################

When I install sys-boot/grub with USE="secureboot", there is a message stating that it makes the signed standalone
GRUB executables in /usr/lib/grub/grub-<target>.efi(.signed) and that these executables need the grub.cfg file
in the same directory.

So I ran the following commands:
Code:
export GRUB_CFG=/efi/EFI/BOOT/grub.cfg
cd /usr/src/linux
make install
cp /usr/lib/grub/grub-x86_64.efi.signed /efi/EFI/BOOT/BOOTX64.EFI
sbsign --cert my_db.crt --key my_db.key /boot/vmlinuz-x.y.z-gentoo --output /boot/vmlinuz-x.y.z-gentoo


I verified the efi and kernel were both signed and rebooted. The GRUB menu showed up like normal and gave me the
usual options:
Code:
Gentoo GNU/Linux
Advanced options for Gentoo GNU/Linux
UEFI Firmware Settings


But when I tried to boot Gentoo, I get the following error:
Code:
Loading Linux x.y.z-gentoo ...
error: shim_lock protocol not found.
Loading initial ramdisk ...
error: you need to load the kernel first.

Press any key to continue...


I did some more research, but everyone seems to have their own solution that only applies to them:
- some say use UKI
- some say build the initramfs into the kernel
- something something GRUB modules
- grub-install options

I tried various solutions, but nothing seems to work.
Back to top
View user's profile Send private message
rab0171610
Guru
Guru


Joined: 24 Dec 2022
Posts: 439

PostPosted: Sat Dec 14, 2024 5:41 pm    Post subject: Reply with quote

My solution is to disable it entirely. I assume you have decided that you are at high risk of unauthorized code execution, a bootkit, or some sort of malware that specifically affects your Linux installation. My question, seeing your exhaustive efforts to enable and troubleshoot secure boot, is are you sure you really need it?
Do you have reason to believe that your system integrity is at risk and need to verify it every time you boot?
If you do not need it after all, then simply disable it. If you feel you %100 require it or benefit from it for your use case, then proceed.
Obviously, if you must dual-boot with Windows for some reason, it may be difficult to avoid. Otherwise it is optional.
Back to top
View user's profile Send private message
FlyingBullets
n00b
n00b


Joined: 19 Mar 2024
Posts: 10

PostPosted: Sat Dec 14, 2024 6:24 pm    Post subject: Reply with quote

Quote:
My question, seeing your exhaustive efforts to enable and troubleshoot secure boot, is are you sure you really need it?


Yes.
Back to top
View user's profile Send private message
Child_of_Sun_24
l33t
l33t


Joined: 28 Jul 2004
Posts: 603

PostPosted: Sat Dec 14, 2024 6:31 pm    Post subject: Reply with quote

I use secureboot with sys-boot/shim and it works with dual-boot windows.

https://wiki.gentoo.org/wiki/Shim

Here is everything discribed what you need for it.
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5218
Location: Bavaria

PostPosted: Sat Dec 14, 2024 7:03 pm    Post subject: Re: GRUB cannot boot with secure boot Reply with quote

FlyingBullets,

SecureBoot means: Your UEFI verify the signature of the FIRST application it starts. This can be a bootloader/-manager OR a Linux kernel (or Windows). If it is grub - and UEFI has started your grub, ANYTHING else is THEN the job of grub. This means: If you dont want that somebody exchange your kernel then you must configure GRUB so that it verify ALSO your kernel. There was a description for this in our forum (at first glance it was very complicated) and I had forgotten it ... because the simplest way (for me) WHEN using SecureBoot is: Start your signed kernel directly via UEFI ... ;-)

In this article is also a link to my (manually) SecureBoot solution:
https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Boot_kernel_via_UEFI

Another story is ... a UKI ... If you need SecureBoot you should not use a kernel WITH an external initramfs. If you need an initramfs (because your root partition is encrypted) then USE an embedded initramfs. You have two choices to do this:

1. Automatically with installkernel, or
2. Manually: https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Initramfs_Overview#Special_Case:_Building_an_embedded_initramfs_with_a_CPIO_archive

FlyingBullets wrote:
[...] I compile my own kernel from sys-kernel/gentoo-sources.

Maybe you are interested in this:
https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Manual_kernel_configuration
https://wiki.gentoo.org/wiki/User:Pietinger/Experimental/Manual_Configuring_Current_Kernel
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
Back to top
View user's profile Send private message
rab0171610
Guru
Guru


Joined: 24 Dec 2022
Posts: 439

PostPosted: Sat Dec 14, 2024 7:33 pm    Post subject: Reply with quote

FlyingBullets wrote:
Quote:
My question, seeing your exhaustive efforts to enable and troubleshoot secure boot, is are you sure you really need it?


Yes.

Perfectly understandable. I wanted to put it out there because it is a valid question that users should be asking themselves before spending the time and effort in setting it up and troubleshooting -- as might be the case for other users who read this post in the future.
Back to top
View user's profile Send private message
FlyingBullets
n00b
n00b


Joined: 19 Mar 2024
Posts: 10

PostPosted: Sat Dec 14, 2024 8:01 pm    Post subject: Reply with quote

Quote:
I use secureboot with sys-boot/shim...

I don't want to use shim; I want to use my own keys.

Quote:
If you need an initramfs (because your root partition is encrypted) then USE an embedded initramfs.

I'm going to try several things:
- Dracut has some uefi parameters to embed the initramfs Update: I don't think this does what I think it does.
- Using an EFI Stub to be loaded by GRUB
- UKI

Quote:
If it is grub - and UEFI has started your grub, ANYTHING else is THEN the job of grub.


That's how I want things to be handled; I want to keep using GRUB so that I can switch between kernels in case I mess something up; I don't want to boot directly into a kernel. I get that all executables should be signed, but that didn't work.

What I would like to know is why GRUB is giving me this "shim_lock" error.

Update:
The "EFI Stub" wiki page is not helpful in learning how to actually embed an initramfs, it only talks about the subject and something about CPIO files. It says that Dracut can make them, but I can't find anything in the Dracut man pages about ".cpio" files. Also, I'm being told to set CONFIG_INITRAMFS_SOURCE=/usr/src/initramfs ...but that doesn't exist?
Back to top
View user's profile Send private message
FlyingBullets
n00b
n00b


Joined: 19 Mar 2024
Posts: 10

PostPosted: Sat Dec 14, 2024 9:10 pm    Post subject: Reply with quote

As a sanity check, I made a UKI by following the instructions on the "Unified kernel image" wiki page; I was able to boot with secure boot, but I had to boot directly into the kernel.

I'm still working on getting GRUB to work.
Back to top
View user's profile Send private message
zen_desu
n00b
n00b


Joined: 25 Oct 2024
Posts: 53

PostPosted: Sat Dec 14, 2024 9:12 pm    Post subject: Reply with quote

If you want to embed a CPIO archive into the kernel, you must remove compression on that file if there is any.

If you want to embed a dracut initramfs into the kernel, I think you have to use special tools to extract it because Dracut makes a "layered" CPIO for early microcode.

Once extracted, you can point CONFIG_INITRAMFS_SOURCE to the directory containing the extracted initramfs.

You do not need to embed the initramfs for secure boot. This just ensures the initramfs is signed because the whole kernel (containing the initramfs) is signed.

A more straightforward method is to use a UKI.

FlyingBullets wrote:
As a sanity check, I made a UKI by following the instructions on the "Unified kernel image" wiki page; I was able to boot with secure boot, but I had to boot directly into the kernel.

I'm still working on getting GRUB to work.


I would just do this tbh. Getting GRUB to work with SB is a bit of a pain. If you can directly boot into the kernel, why not do that?
_________________
µgRD dev
Wiki writer
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5218
Location: Bavaria

PostPosted: Sat Dec 14, 2024 9:25 pm    Post subject: Reply with quote

zen_desu wrote:
If you want to embed a CPIO archive into the kernel, you must remove compression on that file if there is any. [...]

Are you sure? I ask because /usr/src/linux/usr/Makefile says:
Code:
# If CONFIG_INITRAMFS_SOURCE specifies a single file, and it is suffixed with
# .cpio, use it directly as an initramfs.
ifneq ($(filter %.cpio,$(ramfs-input)),)
cpio-data := $(ramfs-input)
endif

# If CONFIG_INITRAMFS_SOURCE specifies a single file, and it is suffixed with
# .cpio.*, use it directly as an initramfs, and avoid double compression.
ifeq ($(words $(subst .cpio.,$(space),$(ramfs-input))),2)
cpio-data := $(ramfs-input)
compress-y := copy
endif

... see the 2nd part -> # .cpio.*

and in my article I wrote:
Quote:
It is important to use suffix .cpio so "make" understand it is a CPIO file !

It is important to use suffix .cpio.gz so "make" understand it is an already gzipped CPIO file

_________________
https://wiki.gentoo.org/wiki/User:Pietinger
Back to top
View user's profile Send private message
zen_desu
n00b
n00b


Joined: 25 Oct 2024
Posts: 53

PostPosted: Sat Dec 14, 2024 9:37 pm    Post subject: Reply with quote

pietinger wrote:
zen_desu wrote:
If you want to embed a CPIO archive into the kernel, you must remove compression on that file if there is any. [...]

Are you sure? I ask because /usr/src/linux/usr/Makefile says:
Code:
# If CONFIG_INITRAMFS_SOURCE specifies a single file, and it is suffixed with
# .cpio, use it directly as an initramfs.
ifneq ($(filter %.cpio,$(ramfs-input)),)
cpio-data := $(ramfs-input)
endif

# If CONFIG_INITRAMFS_SOURCE specifies a single file, and it is suffixed with
# .cpio.*, use it directly as an initramfs, and avoid double compression.
ifeq ($(words $(subst .cpio.,$(space),$(ramfs-input))),2)
cpio-data := $(ramfs-input)
compress-y := copy
endif

... see the 2nd part -> # .cpio.*

and in my article I wrote:
Quote:
It is important to use suffix .cpio so "make" understand it is a CPIO file !

It is important to use suffix .cpio.gz so "make" understand it is an already gzipped CPIO file


Ah that explains why I had issues in the past. Initramfs images are often installed with a .img suffix. I don't recall if this worked when it was a plain CPIO, but I definitely had issues when the compression extension was not included, as it often is not.
_________________
µgRD dev
Wiki writer
Back to top
View user's profile Send private message
FlyingBullets
n00b
n00b


Joined: 19 Mar 2024
Posts: 10

PostPosted: Sat Dec 14, 2024 10:01 pm    Post subject: Reply with quote

Quote:
If you can directly boot into the kernel, why not do that?

I would like to have a menu of different kernels to select from when I boot the machine. If a new kernel build doesn't boot, I can easily select another one. Although, using a UKI means that only one file has to be unencrypted outside of full disk encryption, I can keep everything in /boot on the same partition as root. But that shouldn't matter as long as the GRUB efi and kernel (with embedded initramfs) are signed right? There shouldn't be any holes in the boot chain right?

Quote:
I think you have to use special tools to extract it because Dracut makes a "layered" CPIO for early microcode.

Dracut makes files with extension ".img", is there a way to convert them to ".cpio"? I tried setting CONFIG_INITRAMFS_SOURCE=/usr/lib/dracut and it didn't error, but I was still unable to achieve my goal.
Back to top
View user's profile Send private message
zen_desu
n00b
n00b


Joined: 25 Oct 2024
Posts: 53

PostPosted: Sat Dec 14, 2024 10:08 pm    Post subject: Reply with quote

If your system has a boot menu, you can use that. I do that on most of my systems, I can press f12 or whatever to see boot options and change which kernel version I'm booting into.
You can also install an EDK2 shell to your ESP if your UEFI doesn't have similar. Using that, you can boot any kernel/initramfs/cmdline you want.

Technically a UKI means you only need a single unencrypted file, but it has components equivalent to multiple files, more or less. You can almost treat it like a self extracting archive. When it runs, it extracts parts such as the kernel/initramfs from itself.

It being a single file mostly helps with signing as only a single file must be signed.

I think you can simply change the extension of the dracut ".img" to ".cpio.zstd" for example, if it uses zstd compression.

CONFIG_INITRAMFS_SOURCE should target either the initramfs file (properly suffixed) or a directory containing the initramfs tree which will be packed as part of the kernel build process.
_________________
µgRD dev
Wiki writer
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Kernel & Hardware All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum