FS#71382 - [grub] 2.06 secure boot broken
Attached to Project:
Arch Linux
Opened by Blake (0xblackhole) - Monday, 28 June 2021, 12:48 GMT
Last edited by Toolybird (Toolybird) - Sunday, 11 June 2023, 03:46 GMT
Details
Description:
Grub secure boot (configured with personal certificates) broke my boot sequence since last update to 2.06-1. I was not able to boot my laptop after the last grub package upgrade. Grub reports the following error message:

error: verification requested but nobody cares: (cryptouuid/$PARTITION_UUID)/grub/x86_64-efi/normal.mod

The issue has already been observed on another bug tracker, however the solution mentioned did not work for me (as I am not using shim), that is why I open a bug over here (as this issue might cause someone else's boot to break as well).

Related issue: https://www.mail-archive.com/bug-grub@gnu.org/msg17008.html

Additional info:
* core/grub 2:2.06-1
* config and/or log files etc.
* link to upstream bug report, if any

Steps to reproduce:
Sorry, I am unable to describe exactly how to reproduce the error as I configured my laptop several years ago. My setup is the following. I enabled secure boot and also enrolled my own certificate. Then the boot sequence is as such:
1. /boot/efi/EFI/grubx64.efi starts -> on a FAT partition there is only that binary, which is signed with my certificate (using sbsign)
2. This grub actually prompts me for a LUKS password to decrypt all the other boot related files (vmlinuz, grub modules ...)
3. All the rest of the boot partition is decrypted (LUKS) and GRUB uses those decrypted files to boot the OS.
4. Archlinux boots up

Assumption: I think, since its last upgrade, grub somehow expects (by default) that its own modules are signed when secure boot is enabled.

Steps to fix the issue:
So far the only thing I found to fix the problem is to downgrade the grub package to version 2.04-9 and ignore grub update in pacman.conf
Closed by Toolybird (Toolybird)
Sunday, 11 June 2023, 03:46 GMT
Reason for closing: None
Additional comments about closing: This ticket is stale. And all is covered in the Wiki these days:
https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#shim_with_key_and_GRUB
This is what you need to do:
* Disable shim verification
* Include all relevant modules in the EFI binary.
Side-loading has been disabled and gives you the error message you see. This has been poorly documented upstream, and all distributions that depend on secure boot + grub have just patched up this issue with tons of scripts.
https://git.launchpad.net/~ubuntu-core-dev/grub/+git/ubuntu/tree/debian/build-efi-images?h=ubuntu#n87
There was also a `post_upgrade` message about this very change upon upgrade as well.
https://github.com/archlinux/svntogit-packages/commit/4144617d6ee4aa52d27f4b84c977a413f2e860fe#diff-3e341d2d9c67be01819b25b25d5e53ea3cdf3a38d28846cda85a195eb9b7203a
I think (as you said) my issue is only due to side loading, however I did not find how to pack all the GRUB modules in the grubx64.efi binary.
Do you have some resources on how to do that?
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-linux-lts
Found initrd image: /boot/initramfs-linux-lts.img
Found fallback initrd image(s) in /boot: initramfs-linux-lts-fallback.img
Found linux image: /boot/vmlinuz-linux
Found initrd image: /boot/initramfs-linux.img
Found fallback initrd image(s) in /boot: initramfs-linux-fallback.img
Warning: os-prober will not be executed to detect other bootable partitions.
Systems on them will not be added to the GRUB boot configuration.
Check GRUB_DISABLE_OS_PROBER documentation entry.
Adding boot menu entry for UEFI Firmware Settings ...
Detecting snapshots ...
Info: Separate boot partition detected
No snapshots found.
If you think an error has occurred , please file a bug report at " https://github.com/Antynea/grub-btrfs "
Nothing to do. Abort.
done
--modules="all_video boot btrfs cat configfile cryptodisk echo efi_gop efi_uga efifwsetup efinet ext2 f2fs fat font gcry_rijndael gcry_rsa gcry_serpent gcry_sha256 gcry_twofish gcry_whirlpool gfxmenu gfxterm gzio halt hfsplus http iso9660 loadenv loopback linux lvm lsefi lsefimmap luks luks2 mdraid09 mdraid1x minicmd net normal part_apple part_msdos part_gpt password_pbkdf2 pgp png reboot regexp search search_fs_uuid search_fs_file search_label serial sleep syslinuxcfg test tftp video xfs zstd backtrace chain tpm usb usbserial_common usbserial_pl2303 usbserial_ftdi usbserial_usbdebug keylayouts at_keyboard"
You also need an sbat file: https://bugs.archlinux.org/task/72415
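The two steps from the maintainer's comment (disable shim verification, include all relevant modules in the EFI binary), the `--modules` list posted above and the sbat note, put together as one script for the reporter's chain (signed grubx64.efi on the ESP, LUKS-encrypted /boot, no shim). This is an added example written for this page, not code from the reporter, the commenter, the Arch grub package or the wiki. The key directory, the sbat.csv path, the module set and the UUIDs are assumptions to adapt; `--disable-shim-lock` and `--sbat` are GRUB 2.06 grub-mkstandalone options, and sbsign/sbverify come from sbsigntools.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Arch's grub package:
# build one GRUB 2.06 EFI image with every needed module baked in (so nothing
# is side-loaded from the encrypted /boot), attach an SBAT section, leave out
# the shim_lock verifier (there is no shim in this chain), and sign the result
# with the personal db key. Every path, UUID and key location is an assumption.
set -eu

# Modules compiled into the image. Because side-loading is off, this list must
# cover everything the embedded config AND the on-disk grub.cfg use: LUKS
# unlock, the filesystem of /boot, video/terminal, and the linux loader itself.
# normal.mod is the module that failed to side-load in the report, so it must
# be here. GRUB 2.06 only does PBKDF2 key derivation, so a LUKS2 volume keyed
# with argon2 cannot be unlocked by it (assumed minimal set; extend as needed).
modules_for_luks_boot() {
    printf '%s' \
        "part_gpt part_msdos fat ext2 btrfs" \
        " cryptodisk luks luks2 gcry_rijndael gcry_sha256 gcry_sha512 pbkdf2" \
        " normal configfile linux gzio search search_fs_uuid echo test true sleep loadenv" \
        " all_video efi_gop gfxterm font"
}

# Return 0 if NAME is in the baked-in list. Use it to check, before building,
# that every command the generated /boot/grub/grub.cfg relies on is covered.
has_module() {
    case " $(modules_for_luks_boot) " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Minimal config embedded in the image: unlock the LUKS container by UUID
# (GRUB's cryptouuid form has no hyphens, as in the error message, so strip
# them), find the filesystem inside it, then hand over to the real grub.cfg.
embedded_cfg() {
    luks_uuid=$(printf '%s' "$1" | tr -d '-')
    fs_uuid=$2
    printf 'cryptomount -u %s\n' "$luks_uuid"
    printf 'search --no-floppy --fs-uuid --set=root %s\n' "$fs_uuid"
    printf 'configfile /grub/grub.cfg\n'
}

# Build, sign and verify. Assumed locations: db.key/db.crt under EFI_KEYDIR,
# Arch's sbat.csv under GRUB_SBAT.
build_image() {
    out=$1 luks_uuid=$2 fs_uuid=$3
    keydir=${EFI_KEYDIR:-/etc/efi-keys}
    sbat=${GRUB_SBAT:-/usr/share/grub/sbat.csv}
    tmp=$(mktemp -d)
    embedded_cfg "$luks_uuid" "$fs_uuid" > "$tmp/grub.cfg"
    grub-mkstandalone -O x86_64-efi \
        --modules="$(modules_for_luks_boot)" \
        --disable-shim-lock \
        --sbat "$sbat" \
        -o "$tmp/grubx64.efi" \
        "boot/grub/grub.cfg=$tmp/grub.cfg"
    sbsign --key "$keydir/db.key" --cert "$keydir/db.crt" \
        --output "$out" "$tmp/grubx64.efi"
    # Confirm the signature chains to the enrolled cert before rebooting.
    sbverify --cert "$keydir/db.crt" "$out"
    rm -rf "$tmp"
}

# Usage: sh build-grub-efi.sh build /boot/efi/EFI/grubx64.efi <luks-uuid> <fs-uuid>
if [ "${1:-}" = build ]; then
    build_image "$2" "$3" "$4"
fi
```

Get the two UUIDs with `blkid -s UUID -o value` on the LUKS partition and on the unlocked mapper device. If the on-disk grub.cfg later references a module that is not in `modules_for_luks_boot`, the same side-loading failure reappears at that point, which is why the reporter's much longer `--modules` list above errs on the side of including everything.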