View previous topic :: View next topic |
Author |
Message |
FlyingBullets n00b
Joined: 19 Mar 2024 Posts: 10
|
Posted: Sat Dec 14, 2024 5:11 pm Post subject: GRUB cannot boot with secure boot |
|
|
#######
PROBLEM
#######
I'm trying to use secure boot with my setup, but I keep getting errors in GRUB.
#####
SETUP
#####
My setup is the following:
Drive Partition_name Mountpoint
/dev/sda
|-/dev/sda1 EFI System /efi
|-/dev/sda2 Linux extended boot /boot
`-/dev/sda3 Linx filesystem
sda1 is the ESP where the '.efi' file is /efi/EFI/BOOT/BOOTX64.EFI
sda2 is the XBOOT that contains:
|-grub/
|-amd-uc.img
|-intel-uc.img
|-System.map-x.y.z-gentoo
|-config-x.y.z-gentoo
|-initramfs-x.y.z-gentoo.img
`-vmlinuz-x.y.z-gentoo
sda3 is the encrypted root.
sys-kernel/installkernel is compiled with:
USE="dracut grub"
sys-boot/grub is compiled with:
USE="device-mapper fonts nls secureboot themes"
GRUB_PLATFORMS="efi-64"
GRUB is installed with the following command:
Code: | grub-install --removable --target=x86_64-efi --efi-directory=/efi |
I compile my own kernel from sys-kernel/gentoo-sources.
The current setup works -- I use the installkernel script to configure Dracut and GRUB when I run 'make install'.
###################################
TRYING TO USE SECURE BOOT ATTEMPT 1
###################################
I followed the instructions on the "Secure Boot" wiki page up to section "Signing Boot Files":
- set SECUREBOOT_SIGN_KEY and SECUREBOOT_SIGN_CERT in make.conf
- make my own keys
- sign my keys
- install my keys to the UEFI
The "Signing Boot Files" section does not explain well what files need to be signed, it only shows the kernel being
signed and only talks about UKI and initramfs. I signed what I could and signed:
- /efi/EFI/BOOT/BOOTX64.EFI
- /boot/vmlinuz-x.y.z-gentoo
with
Code: | sbsign --cert my_db.crt --key my_db.key <efi file> --output <efi file> |
I also checked they were signed with the right key with 'sbverify'.
When I try to boot, the GRUB menu doesn't show up and I'm given:
Code: | error: prohibited by secure boot policy.
Entering rescue mode...
grub rescue> |
###################################
TRYING TO USE SECURE BOOT ATTEMPT 2
###################################
When I install sys-boot/grub with USE="secureboot", there is a message stating that it makes the signed standalone
GRUB executables in /usr/lib/grub/grub-<target>.efi(.signed) and that these executables need the grub.cfg file
in the same directory.
So I ran the following commands:
Code: | export GRUB_CFG=/efi/EFI/BOOT/grub.cfg
cd /usr/src/linux
make install
cp /usr/lib/grub/grub-x86_64.efi.signed /efi/EFI/BOOT/BOOTX64.EFI
sbsign --cert my_db.crt --key my_db.key /boot/vmlinuz-x.y.z-gentoo --output /boot/vmlinuz-x.y.z-gentoo |
I verified the efi and kernel were both signed and rebooted. The GRUB menu showed up like normal and gave me the
usual options:
Code: | Gentoo GNU/Linux
Advanced options for Gentoo GNU/Linux
UEFI Firmware Settings |
But when I tried to boot Gentoo, I get the following error:
Code: | Loading Linux x.y.z-gentoo ...
error: shim_lock protocol not found.
Loading initial ramdisk ...
error: you need to load the kernel first.
Press any key to continue... |
I did some more research, but everyone seems to have their own solution that only applies to them:
- some say use UKI
- some say build the initramfs into the kernel
- something something GRUB modules
- grub-install options
I tried various solutions, but nothing seems to work. |
|
Back to top |
|
|
rab0171610 Guru
Joined: 24 Dec 2022 Posts: 439
|
Posted: Sat Dec 14, 2024 5:41 pm Post subject: |
|
|
My solution is to disable it entirely. I assume you have decided that you are at high risk of unauthorized code execution, a bootkit, or some sort of malware that specifically affects your Linux installation. My question, seeing your exhaustive efforts to enable and troubleshoot secure boot, is are you sure you really need it?
Do you have reason to believe that your system integrity is at risk and need to verify it every time you boot?
If you do not need it after all, then simply disable it. If you feel you %100 require it or benefit from it for your use case, then proceed.
Obviously, if you must dual-boot with Windows for some reason, it may be difficult to avoid. Otherwise it is optional. |
|
Back to top |
|
|
FlyingBullets n00b
Joined: 19 Mar 2024 Posts: 10
|
Posted: Sat Dec 14, 2024 6:24 pm Post subject: |
|
|
Quote: | My question, seeing your exhaustive efforts to enable and troubleshoot secure boot, is are you sure you really need it? |
Yes. |
|
Back to top |
|
|
Child_of_Sun_24 l33t
Joined: 28 Jul 2004 Posts: 603
|
Posted: Sat Dec 14, 2024 6:31 pm Post subject: |
|
|
I use secureboot with sys-boot/shim and it works with dual-boot windows.
https://wiki.gentoo.org/wiki/Shim
Here is everything discribed what you need for it. |
|
Back to top |
|
|
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5215 Location: Bavaria
|
|
Back to top |
|
|
rab0171610 Guru
Joined: 24 Dec 2022 Posts: 439
|
Posted: Sat Dec 14, 2024 7:33 pm Post subject: |
|
|
FlyingBullets wrote: | Quote: | My question, seeing your exhaustive efforts to enable and troubleshoot secure boot, is are you sure you really need it? |
Yes. |
Perfectly understandable. I wanted to put it out there because it is a valid question that users should be asking themselves before spending the time and effort in setting it up and troubleshooting -- as might be the case for other users who read this post in the future. |
|
Back to top |
|
|
FlyingBullets n00b
Joined: 19 Mar 2024 Posts: 10
|
Posted: Sat Dec 14, 2024 8:01 pm Post subject: |
|
|
Quote: | I use secureboot with sys-boot/shim... |
I don't want to use shim; I want to use my own keys.
Quote: | If you need an initramfs (because your root partition is encrypted) then USE an embedded initramfs. |
I'm going to try several things:
- Dracut has some uefi parameters to embed the initramfs Update: I don't think this does what I think it does.
- Using an EFI Stub to be loaded by GRUB
- UKI
Quote: | If it is grub - and UEFI has started your grub, ANYTHING else is THEN the job of grub. |
That's how I want things to be handled; I want to keep using GRUB so that I can switch between kernels in case I mess something up; I don't want to boot directly into a kernel. I get that all executables should be signed, but that didn't work.
What I would like to know is why GRUB is giving me this "shim_lock" error.
Update:
The "EFI Stub" wiki page is not helpful in learning how to actually embed an initramfs, it only talks about the subject and something about CPIO files. It says that Dracut can make them, but I can't find anything in the Dracut man pages about ".cpio" files. Also, I'm being told to set CONFIG_INITRAMFS_SOURCE=/usr/src/initramfs ...but that doesn't exist? |
|
Back to top |
|
|
FlyingBullets n00b
Joined: 19 Mar 2024 Posts: 10
|
Posted: Sat Dec 14, 2024 9:10 pm Post subject: |
|
|
As a sanity check, I made a UKI by following the instructions on the "Unified kernel image" wiki page; I was able to boot with secure boot, but I had to boot directly into the kernel.
I'm still working on getting GRUB to work. |
|
Back to top |
|
|
zen_desu n00b
Joined: 25 Oct 2024 Posts: 53
|
Posted: Sat Dec 14, 2024 9:12 pm Post subject: |
|
|
If you want to embed a CPIO archive into the kernel, you must remove compression on that file if there is any.
If you want to embed a dracut initramfs into the kernel, I think you have to use special tools to extract it because Dracut makes a "layered" CPIO for early microcode.
Once extracted, you can point CONFIG_INITRAMFS_SOURCE to the directory containing the extracted initramfs.
You do not need to embed the initramfs for secure boot. This just ensures the initramfs is signed because the whole kernel (containing the initramfs) is signed.
A more straightforward method is to use a UKI.
FlyingBullets wrote: | As a sanity check, I made a UKI by following the instructions on the "Unified kernel image" wiki page; I was able to boot with secure boot, but I had to boot directly into the kernel.
I'm still working on getting GRUB to work. |
I would just do this tbh. Getting GRUB to work with SB is a bit of a pain. If you can directly boot into the kernel, why not do that? _________________ µgRD dev
Wiki writer |
|
Back to top |
|
|
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5215 Location: Bavaria
|
Posted: Sat Dec 14, 2024 9:25 pm Post subject: |
|
|
zen_desu wrote: | If you want to embed a CPIO archive into the kernel, you must remove compression on that file if there is any. [...] |
Are you sure? I ask because /usr/src/linux/usr/Makefile says:
Code: | # If CONFIG_INITRAMFS_SOURCE specifies a single file, and it is suffixed with
# .cpio, use it directly as an initramfs.
ifneq ($(filter %.cpio,$(ramfs-input)),)
cpio-data := $(ramfs-input)
endif
# If CONFIG_INITRAMFS_SOURCE specifies a single file, and it is suffixed with
# .cpio.*, use it directly as an initramfs, and avoid double compression.
ifeq ($(words $(subst .cpio.,$(space),$(ramfs-input))),2)
cpio-data := $(ramfs-input)
compress-y := copy
endif |
... see the 2nd part -> # .cpio.*
and in my article I wrote:
Quote: | It is important to use suffix .cpio so "make" understand it is a CPIO file !
It is important to use suffix .cpio.gz so "make" understand it is an already gzipped CPIO file |
_________________ https://wiki.gentoo.org/wiki/User:Pietinger |
|
Back to top |
|
|
zen_desu n00b
Joined: 25 Oct 2024 Posts: 53
|
Posted: Sat Dec 14, 2024 9:37 pm Post subject: |
|
|
pietinger wrote: | zen_desu wrote: | If you want to embed a CPIO archive into the kernel, you must remove compression on that file if there is any. [...] |
Are you sure? I ask because /usr/src/linux/usr/Makefile says:
Code: | # If CONFIG_INITRAMFS_SOURCE specifies a single file, and it is suffixed with
# .cpio, use it directly as an initramfs.
ifneq ($(filter %.cpio,$(ramfs-input)),)
cpio-data := $(ramfs-input)
endif
# If CONFIG_INITRAMFS_SOURCE specifies a single file, and it is suffixed with
# .cpio.*, use it directly as an initramfs, and avoid double compression.
ifeq ($(words $(subst .cpio.,$(space),$(ramfs-input))),2)
cpio-data := $(ramfs-input)
compress-y := copy
endif |
... see the 2nd part -> # .cpio.*
and in my article I wrote:
Quote: | It is important to use suffix .cpio so "make" understand it is a CPIO file !
It is important to use suffix .cpio.gz so "make" understand it is an already gzipped CPIO file |
|
Ah that explains why I had issues in the past. Initramfs images are often installed with a .img suffix. I don't recall if this worked when it was a plain CPIO, but I definitely had issues when the compression extension was not included, as it often is not. _________________ µgRD dev
Wiki writer |
|
Back to top |
|
|
FlyingBullets n00b
Joined: 19 Mar 2024 Posts: 10
|
Posted: Sat Dec 14, 2024 10:01 pm Post subject: |
|
|
Quote: | If you can directly boot into the kernel, why not do that? |
I would like to have a menu of different kernels to select from when I boot the machine. If a new kernel build doesn't boot, I can easily select another one. Although, using a UKI means that only one file has to be unencrypted outside of full disk encryption, I can keep everything in /boot on the same partition as root. But that shouldn't matter as long as the GRUB efi and kernel (with embedded initramfs) are signed right? There shouldn't be any holes in the boot chain right?
Quote: | I think you have to use special tools to extract it because Dracut makes a "layered" CPIO for early microcode. |
Dracut makes files with extension ".img", is there a way to convert them to ".cpio"? I tried setting CONFIG_INITRAMFS_SOURCE=/usr/lib/dracut and it didn't error, but I was still unable to achieve my goal. |
|
Back to top |
|
|
zen_desu n00b
Joined: 25 Oct 2024 Posts: 53
|
Posted: Sat Dec 14, 2024 10:08 pm Post subject: |
|
|
If your system has a boot menu, you can use that. I do that on most of my systems, I can press f12 or whatever to see boot options and change which kernel version I'm booting into.
You can also install an EDK2 shell to your ESP if your UEFI doesn't have similar. Using that, you can boot any kernel/initramfs/cmdline you want.
Technically a UKI means you only need a single unencrypted file, but it has components equivalent to multiple files, more or less. You can almost treat it like a self extracting archive. When it runs, it extracts parts such as the kernel/initramfs from itself.
It being a single file mostly helps with signing as only a single file must be signed.
I think you can simply change the extension of the dracut ".img" to ".cpio.zstd" for example, if it uses zstd compression.
CONFIG_INITRAMFS_SOURCE should target either the initramfs file (properly suffixed) or a directory containing the initramfs tree which will be packed as part of the kernel build process. _________________ µgRD dev
Wiki writer |
|
Back to top |
|
|
|