Cant chainload UKI Image with enabled Secureboot

[rodolfosilva2]

Hello,

>
> my setup is as follows:
> Thinkpad T540 machine with no TPM.
>
> ESP as FAT32 /efi
> LUKS2 encrypted bootpartition  /boot
> LUKS2 encrypted root /
>
> Unified Kernel Images generated and located in root of /boot
>
> I deployed the SecureBoot keys with sbctl.
> The grubx64.efi gets verified and loaded by Firmware successfully.
> It contains embedded PGP key used to sign all the files loaded after 
> unlocking the LUKS2 boot.
>
> My grub-install command:
> grub-install --target=x86_64-efi --bootloader-id=GRUB --boot-directory=/boot 
> --efi-directory=/efi --disable-shim-lock --modules="gcry_sha512 gcry_dsa 
> gcry_rsa crypto pgp luks2 part_gpt part_msdos cryptodisk pbkdf2 gcry_rijndael 
> gcry_sha256 ext2" --pubkey=/boot/gpg/grub.pub
>
>
> My boot.cfg:
>
> insmod part_gpt 
> insmod part_msdos 
> insmod all_video 
> insmod fat 
> insmod chain 
>  
> set default="0" 
>  
> # More readable font on high dpi screen, generated with 
> # sudo grub-mkfont --output=/boot/grub/fonts/DejaVuSansMono24.pf2   --size=24 
> /usr/share/fonts/TTF/DejaVuSansMono.ttf 
>  
> #for non hiDPI Screen 
> #font=unicode 
> font=DejaVuSansMono24 
>  
> if loadfont $font ; then 
>   set gfxmode=auto 
>   insmod gfxterm 
>   set locale_dir=$prefix/locale 
>   set lang=en_US 
>   insmod gettext 
> fi 
> terminal_input console 
> terminal_output gfxterm 
> set timeout_style=menu 
> set timeout=3 
>  
> if [ "$grub_platform" = "efi" ]; then 
>   insmod bli 
> fi 
>  
> ## set Theme 
> insmod png 
> insmod gfxmenu 
> loadfont $prefix/themes/default/terminus-12.pf2 
> loadfont $prefix/themes/default/terminus-14.pf2 
> loadfont $prefix/themes/default/terminus-16.pf2 
> loadfont $prefix/themes/default/terminus-18.pf2 
> loadfont $prefix/themes/default/ubuntu_regular_17.pf2 
> loadfont $prefix/themes/default/ubuntu_regular_20.pf2 
> set theme=$prefix/themes/default/theme-hidpi.txt 
> export theme 
>  
> #we need to set root to some partition which is not encrypted, otherwise the  
>  UKI's > embedded > EFI Stub complains and fails load 
> function setESP { 
>         root=""
>         search --file --no-floppy --hint hd0,gpt1 --set=root 
> /EFI/GRUB/grubx64.efi 
>         if [ -z "$root" ]; then 
>                 root=(hd0,gpt1)
>         fi 
> } 
>  
> menuentry "Arch Linux UKI Image" { 
>         setESP 
>         #echo 'Loading Linux Unified Kernel Image from boot' 
>         chainloader (crypto0)/arch-linux-uki.efi 
> } 
>  
> menuentry "Arch Linux Fallback UKI Image" { 
>         setESP 
>         #echo 'Loading Linux Fallback Unified Kernel Image from boot' 
>         chainloader (crypto0)/arch-linux-uki-fallback.efi 
> }
> All files are PGP signed and the corresponding .sig files are in place.
> Booting without SecureBoot works smoothless.
>
> The machine does not has a TPM, therefore i omitted the tpm module for 
> grub-install.
> Enabling Secureboot grubx64.efi gets loaded, i enter the passphrase and /boot 
> gets unlocked an accesible via (crypto0)
> Theme, fonts, and additional modules get loaded and verified via PGP.
> Only the UKI images fail to load
> I tried:
> to EFI Sign the UKI files with sbctl
> to PGP Sign the UKI files
> to EFI and after that PGP sign the UKI files
> in all these three constellations i receive
> error: cannot load image.
>
> When i dont put the sig files for the images i receive a more understandable:
> error: bad signature.
> So it seems grub checks signature and validates, but then later it hangs up 
> on smth?
> Any idea why i cant load the images?
>
> I also tried to load a conventional initrd and linux kernel, also not 
> possible.
> Any possibility to debug what exactly grub is trying to load and where the 
> verification process/loading process halts?
>
> As the Firmware start grub just fine, this seems a problem of grubs 
> loading/verification for me.
> With grub 2.04 all worked just fine (LUKS1 boot part) with SecureBoot enabled.
>
> Looking for any advise
>
> Rodolfo
>
> --
> Sent with Tuta; enjoy secure & ad-free emails:
> https://tuta.com
>