Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#79888 - [grub] grubx64.efi binary signed with gives security violation error when launched with shimx64.efi.
Attached to Project:
Arch Linux
Opened by Lokawn (lokawn) - Sunday, 08 October 2023, 07:09 GMT
Last edited by Tobias Powalowski (tpowa) - Sunday, 08 October 2023, 15:43 GMT
Details
Description: Grub binaries created using the example sbat.csv provided don't boot with either Fedora's or Ubuntu's or Debian's shimx64.efi, and give a `Verification failed: (0x1A) Security Violation` error. I tried this with the latest grub available in the Arch repos and https://archive.archlinux.org/packages/g/grub/grub-2%3A2.06-5-x86_64.pkg.tar.zst but there was the same error.
I was able to launch the grubx64.efi by changing "grub,1,Free Software Foundation,grub,2:2.12rc1-4,https//www.gnu.org/software/grub/" to "grub,2,Free Software Foundation,grub,2:2.12rc1-4,https//www.gnu.org/software/grub/" in the example grub as described here: https://www.suse.com/support/kb/doc/?id=000021080.

Additional info:
* Grub version: 2:2.12rc1-4

Steps to reproduce:
- install grub
- download signed shim binary from Debian's servers, and copy to /efi/EFI/boot as BOOTx64.EFI
- build grubx64.efi efi binary using example sbat.csv provided with package using
    grub-mkimage -O "x86_64-efi" -o "grubx64.efi" -d /usr/lib/grub/x86_64-efi -p "/EFI/boot" --sbat /usr/share/grub/sbat.csv all_video boot btrfs cat chain \
    configfile echo efifwsetup efinet ext2 fat font gettext gfxmenu gfxterm gfxterm_background gzio halt help hfsplus iso9660 jpeg keystatus loadenv loopback \
    linux ls lsefi lsefimmap lsefisystab lssal memdisk minicmd normal ntfs part_apple part_msdos part_gpt password_pbkdf2 png probe reboot regexp search \
    search_fs_uuid search_fs_file search_label serial sleep smbios squash4 test tpm true video xfs zfs zfscrypt zfsinfo cpuid play cryptodisk gcry_arcfour \
    gcry_blowfish gcry_camellia gcry_cast5 gcry_crc gcry_des gcry_dsa gcry_idea gcry_md4 gcry_md5 gcry_rfc2268 gcry_rijndael gcry_rmd160 gcry_rsa gcry_seed \
    gcry_serpent gcry_sha1 gcry_sha256 gcry_sha512 gcry_tiger gcry_twofish gcry_whirlpool luks luks2 lvm mdraid09 mdraid1x raid5rec raid6rec
- sign grubx64.efi with MOK
    sbsign --cert /etc/default/SB-keys/MOK.crt --key /etc/default/SB-keys/MOK.key --output grubx64.efi grubx64.efi
- copy grubx64.efi to /efi/EFI/boot
Closed by Tobias Powalowski (tpowa)
Sunday, 08 October 2023, 15:43 GMT
Reason for closing: Fixed
Additional comments about closing: grub-2.12rc1-5
Comment by Tobias Powalowski (tpowa) -
Sunday, 08 October 2023, 12:44 GMT
I will try later, but I am pretty sure it works. You need a standalone grub, else it will never work.
Comment by Tobias Powalowski (tpowa) -
Sunday, 08 October 2023, 15:09 GMT
OK, after reading the docs, you are right: the version needs to increase. Looking at Fedora, I will raise the level to 3.
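
The generation check behind this report, as an added example that is not part of the original task or of shim's own code: it compares the generation number in each SBAT entry of an image against a revocation list and reports the components that would be rejected. The grub line is the one quoted in the report; the "sbat" header line and the revocation list (minimum grub generation 2) are constructed for illustration, and the function names are hypothetical.

```python
import csv
import io


def parse_sbat(text):
    """Parse SBAT CSV text into {component_name: generation}."""
    entries = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or not row[0].strip():
            continue  # skip blank or malformed lines
        entries[row[0].strip()] = int(row[1])
    return entries


def sbat_violations(image_sbat, revocations):
    """Return (component, image_generation, required_generation) for every
    component whose generation is below the revocation list's minimum.
    A non-empty result is the case reported as a Security Violation."""
    image = parse_sbat(image_sbat)
    minimum = parse_sbat(revocations)
    return sorted(
        (name, gen, minimum[name])
        for name, gen in image.items()
        if name in minimum and gen < minimum[name]
    )


# Constructed SBAT header line (assumption), followed by the grub entry
# exactly as quoted in the report, before and after the reporter's change.
SBAT_HEADER = "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
ORIGINAL = SBAT_HEADER + "grub,1,Free Software Foundation,grub,2:2.12rc1-4,https//www.gnu.org/software/grub/\n"
CHANGED = SBAT_HEADER + "grub,2,Free Software Foundation,grub,2:2.12rc1-4,https//www.gnu.org/software/grub/\n"

# Constructed revocation list (assumption): requires grub generation >= 2.
REVOCATIONS = "sbat,1,2023010100\ngrub,2\n"

if __name__ == "__main__":
    for label, data in (("original", ORIGINAL), ("changed", CHANGED)):
        bad = sbat_violations(data, REVOCATIONS)
        print(label, "->", "rejected: %r" % bad if bad else "accepted")
```

To inspect a real image, the .sbat section can be dumped with `objcopy -O binary --only-section=.sbat grubx64.efi /dev/stdout` and passed to `sbat_violations` in place of the sample strings.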