FS#71382 - [grub] 2.06 secure boot broken

Attached to Project: Arch Linux
Opened by Blake (0xblackhole) - Monday, 28 June 2021, 12:48 GMT
Last edited by Toolybird (Toolybird) - Sunday, 11 June 2023, 03:46 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Christian Hesse (eworm)
Architecture x86_64
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

Grub secure boot (configured with personal certificates) broke my boot sequence since the last update to 2.06-1.
I was not able to boot my laptop after the last grub package upgrade.

Grub reports the following error message:
error: verification requested but nobody cares: (cryptouuid/$PARTITION_UUID)/grub/x86_64-efi/normal.mod

The issue has already been observed on another bug tracker; however, the solution mentioned there did not work for me (as I am not using shim), which is why I am opening a bug over here (as this issue might cause someone else's boot to break as well).

Related issue: https://www.mail-archive.com/bug-grub@gnu.org/msg17008.html

Additional info:
* core/grub 2:2.06-1
* config and/or log files etc.
* link to upstream bug report, if any

Steps to reproduce:
Sorry I am unable to describe exactly how to reproduce the error as I configured my laptop several years ago.

My setup is the following. I enabled secure boot and also enrolled my own certificate.
Then the boot sequence is as such:
1. /boot/efi/EFI/grubx64.efi starts -> on a FAT partition there is only that binary, which is signed with my certificate (using sbsign)
2. This grub actually prompts me for a LUKS password to decrypt all the other boot related files (vmlinuz, grub modules ...)
3. All the rest of the boot partition is decrypted (LUKS) and GRUB uses those decrypted files to boot the OS.
4. Archlinux boots up

Assumption:
I think, since its last upgrade, grub somehow expects (by default) that its own modules are signed when secure boot is enabled.

Steps to fix the issue:
So far the only thing I found to fix the problem is to downgrade the grub package to version 2.04-9 and ignore grub updates in pacman.conf.

Closed by  Toolybird (Toolybird)
Sunday, 11 June 2023, 03:46 GMT
Reason for closing:  None
Additional comments about closing:  This ticket is stale. And all is covered in the Wiki these days:
https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#shim_with_key_and_GRUB
Comment by Morten Linderud (Foxboron) - Monday, 28 June 2021, 14:03 GMT
This isn't a bug, this is expected behavior.

This is what you need to do:

* Disable shim verification
* Include all relevant modules in the EFI binary.

Side-loading has been disabled and gives you the error message you see. This has been poorly documented upstream, and all distributions that depend on secure boot + grub have just patched up this issue with tons of scripts.

https://git.launchpad.net/~ubuntu-core-dev/grub/+git/ubuntu/tree/debian/build-efi-images?h=ubuntu#n87


There was also a `post_upgrade` message about this very change upon upgrade as well.

https://github.com/archlinux/svntogit-packages/commit/4144617d6ee4aa52d27f4b84c977a413f2e860fe#diff-3e341d2d9c67be01819b25b25d5e53ea3cdf3a38d28846cda85a195eb9b7203a
Comment by Blake (0xblackhole) - Friday, 09 July 2021, 10:59 GMT
I am not using shim so disabling it does not change anything.
I think (as you said) my issue is only due to side loading, however I did not find how to pack all the GRUB modules in the grubx64.efi binary.
Do you have some resources on how to do that ?
Comment by Morten Linderud (Foxboron) - Friday, 09 July 2021, 11:03 GMT
I linked it, you need to run `grub-mkimage` instead of relying on what `grub-install` does.
Comment by Luis C. (dedseq) - Saturday, 10 July 2021, 19:11 GMT
My problem is that it won't load the other kernels no matter if I run grub-mkconfig -o /boot/grub/grub.cfg; it detects all kernels and adds them to the file, but when I reboot, it just lists Arch Linux and an entry to reboot into the UEFI settings.

Generating grub configuration file ...
Found linux image: /boot/vmlinuz-linux-lts
Found initrd image: /boot/initramfs-linux-lts.img
Found fallback initrd image(s) in /boot: initramfs-linux-lts-fallback.img
Found linux image: /boot/vmlinuz-linux
Found initrd image: /boot/initramfs-linux.img
Found fallback initrd image(s) in /boot: initramfs-linux-fallback.img
Found linux image: /boot/vmlinuz-linux-lts
Found initrd image: /boot/initramfs-linux-lts.img
Found fallback initrd image(s) in /boot: initramfs-linux-lts-fallback.img
Found linux image: /boot/vmlinuz-linux
Found initrd image: /boot/initramfs-linux.img
Found fallback initrd image(s) in /boot: initramfs-linux-fallback.img
Warning: os-prober will not be executed to detect other bootable partitions.
Systems on them will not be added to the GRUB boot configuration.
Check GRUB_DISABLE_OS_PROBER documentation entry.
Adding boot menu entry for UEFI Firmware Settings ...
Detecting snapshots ...
Info: Separate boot partition detected
No snapshots found.
If you think an error has occurred , please file a bug report at " https://github.com/Antynea/grub-btrfs "
Nothing to do. Abort.
done
Comment by Morten Linderud (Foxboron) - Saturday, 10 July 2021, 19:14 GMT
You are using a custom setup and the issue is not relevant to this bug report. Please consult grub-btrfs.
Comment by Luis C. (dedseq) - Sunday, 11 July 2021, 12:19 GMT
Comment by Tobias Powalowski (tpowa) - Thursday, 14 October 2021, 05:12 GMT
Those are the modules to get it running:
--modules="all_video boot btrfs cat configfile cryptodisk echo efi_gop efi_uga efifwsetup efinet ext2 f2fs fat font gcry_rijndael gcry_rsa gcry_serpent gcry_sha256 gcry_twofish gcry_whirlpool gfxmenu gfxterm gzio halt hfsplus http iso9660 loadenv loopback linux lvm lsefi lsefimmap luks luks2 mdraid09 mdraid1x minicmd net normal part_apple part_msdos part_gpt password_pbkdf2 pgp png reboot regexp search search_fs_uuid search_fs_file search_label serial sleep syslinuxcfg test tftp video xfs zstd backtrace chain tpm usb usbserial_common usbserial_pl2303 usbserial_ftdi usbserial_usbdebug keylayouts at_keyboard"

You also need an sbat file: https://bugs.archlinux.org/task/72415

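The grub-mkimage route that Foxboron and tpowa describe, worked through as an added example (not the project's or any commenter's own script): it embeds the module list above, an SBAT CSV and an early config that unlocks the LUKS /boot, then signs the result with sbsign. The key and certificate paths, the UUIDs and the SBAT vendor fields are assumptions to be replaced with your own values.

```shell
#!/bin/sh
# Build a GRUB EFI image with all modules embedded (no side-loading from disk),
# attach an SBAT section and sign it. Paths/UUIDs/vendor fields are placeholders.
set -eu
GRUB_MODDIR="${GRUB_MODDIR:-/usr/lib/grub/x86_64-efi}"
LUKS_UUID="${LUKS_UUID:-REPLACE_WITH_LUKS_UUID}"      # LUKS header UUID, no dashes
BOOT_FS_UUID="${BOOT_FS_UUID:-REPLACE_WITH_FS_UUID}"  # fs UUID inside the LUKS volume
SB_KEY="${SB_KEY:-/etc/secureboot/db.key}"            # your enrolled db key and cert
SB_CRT="${SB_CRT:-/etc/secureboot/db.crt}"

# Module set from the comment above, passed as positional args to grub-mkimage
# (the --modules= form is grub-install syntax).
grub_modules() {
    echo "all_video boot btrfs cat configfile cryptodisk echo efi_gop efi_uga \
efifwsetup efinet ext2 f2fs fat font gcry_rijndael gcry_rsa gcry_serpent \
gcry_sha256 gcry_twofish gcry_whirlpool gfxmenu gfxterm gzio halt hfsplus http \
iso9660 loadenv loopback linux lvm lsefi lsefimmap luks luks2 mdraid09 mdraid1x \
minicmd net normal part_apple part_msdos part_gpt password_pbkdf2 pgp png reboot \
regexp search search_fs_uuid search_fs_file search_label serial sleep syslinuxcfg \
test tftp video xfs zstd backtrace chain tpm usb usbserial_common usbserial_pl2303 \
usbserial_ftdi usbserial_usbdebug keylayouts at_keyboard"
}
# SBAT CSV for grub-mkimage -s (generation numbers are constructed examples).
write_sbat() {
    cat > "$1" <<'EOF'
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.local,1,Local build,grub,2.06-1,https://example.invalid/grub
EOF
}
# Early config embedded with -c: unlock /boot, then hand over to the real grub.cfg.
write_early_cfg() {
    cat > "$1" <<EOF
cryptomount -u $LUKS_UUID
search --no-floppy --fs-uuid --set=root $BOOT_FS_UUID
set prefix=(\$root)/grub
configfile \$prefix/grub.cfg
EOF
}
build_and_sign() {   # $1 = destination on the ESP
    tmp=$(mktemp -d)
    write_sbat "$tmp/sbat.csv"; write_early_cfg "$tmp/early.cfg"
    grub-mkimage -O x86_64-efi -d "$GRUB_MODDIR" -p /grub -c "$tmp/early.cfg" \
        -s "$tmp/sbat.csv" -o "$tmp/grubx64.efi" $(grub_modules)
    sbsign --key "$SB_KEY" --cert "$SB_CRT" --output "$1" "$tmp/grubx64.efi"
    sbverify --cert "$SB_CRT" "$1"   # non-zero exit if the signature does not check out
    rm -rf "$tmp"
}
if [ "${1:-}" = build ]; then build_and_sign "${2:-/boot/efi/EFI/grubx64.efi}"; fi
```

Run it as `sh build-grub.sh build /boot/efi/EFI/grubx64.efi` after exporting your real UUIDs and key paths; the grub.cfg generated by grub-mkconfig keeps working because its insmod lines are no-ops for built-in modules.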