FS#76520 - [systemd] 252.1-1: Access denied when using Secure Boot
Attached to Project:
Arch Linux
Opened by Alexander E. Patrakov (patrakov) - Friday, 11 November 2022, 06:24 GMT
Last edited by Christian Hesse (eworm) - Monday, 21 November 2022, 11:24 GMT
Details
I use Secure Boot with custom keys, as set up through sbctl.
The main boot manager is systemd-boot, and each kernel +
initramfs + cmdline is wrapped into the unified kernel
image.

$ cat /etc/mkinitcpio.d/linux-zen.preset
# mkinitcpio preset file for the 'linux-zen' package
ALL_config="/etc/mkinitcpio.conf"
ALL_kver="/boot/vmlinuz-linux-zen"
ALL_microcode=(/boot/*-ucode.img)
PRESETS=('default')
#default_config="/etc/mkinitcpio.conf"
default_image="/boot/initramfs-linux-zen.img"
default_efi_image="/efi/EFI/ArchLinux/archlinux-linux-zen.efi"

Yesterday systemd got upgraded to 252.1-1, so the unified kernel image got regenerated (and signed correctly by sbctl). After that, my system didn't boot; it says "Access denied" in red letters after selecting the correct boot option from the boot menu provided by systemd-boot. Another copy of Arch Linux, which has not yet been upgraded, boots fine. Without Secure Boot, the system in question boots, too. Downgrading all systemd packages to 251.7-4 fixes the issue; upgrading again to 252.1-1 reintroduces it.
Closed by Christian Hesse (eworm)
Monday, 21 November 2022, 11:24 GMT
Reason for closing: Fixed
Additional comments about closing: systemd 252.1-2
Failed to reconnect handle 453, ignoring: Invalid Parameter
The boot menu is shown correctly after that. There was no such error in 251.7-4.
Upon selecting Arch Linux, there are two errors displayed:
Error loading kernel image: Access Denied
and
Failed to execute Arch Linux (home) (\EFI\ArchLinux\archlinux-linux-zen.efi): Access Denied
Operating System: Arch Linux
KDE Plasma Version: 5.26.3
KDE Frameworks Version: 5.99.0
Qt Version: 5.15.7
Kernel Version: 6.0.8-arch1-1 (64-bit)
Graphics Platform: X11
Processors: 8 × Intel® Core™ i7-4790K CPU @ 4.00GHz
Memory: 15.6 GiB of RAM
Graphics Processor: NVIDIA GeForce GTX 980/PCIe/SSE2
Manufacturer: ASUS
Firmware: UEFI 2.31 (American Megatrends 4.655)
On the second computer, also with a newer Asus motherboard and newer firmware (UEFI 2.50 American Megatrends 5.12), after updating to systemd 251.1-1, the system starts, but there is an error "Failed to reconnect handle 352. ignoring : Security Policy Violation".
In both cases, I use the "sbupdate-git" script to sign the image. So far everything worked fine.
/etc/sbupdate.conf:
BACKUP=0
EXTRA_SIGN=('/boot/EFI/BOOT/BOOTX64.EFI' '/boot/EFI/systemd/systemd-bootx64.efi')
CMDLINE_DEFAULT="root=PARTUUID=my_part_uuid rw mitigations=off tsx=on lsm=lockdown,yama,apparmor,bpf quiet"
CONFIGS["linux"]="linux linux-fallback"