Can't chainload UKI image with Secure Boot enabled

From: rodolfosilva2
Subject: Can't chainload UKI image with Secure Boot enabled
Date: Thu, 18 Jan 2024 07:53:01 +0100 (CET)
Hello,
>
> My setup is as follows:
> Thinkpad T540 machine with no TPM.
>
> ESP as FAT32 /efi
> LUKS2 encrypted bootpartition /boot
> LUKS2 encrypted root /
>
> Unified Kernel Images are generated and located in the root of /boot.
>
> I deployed the Secure Boot keys with sbctl.
> The grubx64.efi gets verified and loaded by the firmware successfully.
> It contains an embedded PGP key used to sign all the files loaded after
> unlocking the LUKS2 /boot.
>
> My grub-install command:
>
> grub-install --target=x86_64-efi --bootloader-id=GRUB \
>   --boot-directory=/boot --efi-directory=/efi --disable-shim-lock \
>   --modules="gcry_sha512 gcry_dsa gcry_rsa crypto pgp luks2 part_gpt part_msdos cryptodisk pbkdf2 gcry_rijndael gcry_sha256 ext2" \
>   --pubkey=/boot/gpg/grub.pub
>
>
> My boot.cfg:
>
> insmod part_gpt
> insmod part_msdos
> insmod all_video
> insmod fat
> insmod chain
>
> set default="0"
>
> # More readable font on high dpi screen, generated with
> # sudo grub-mkfont --output=/boot/grub/fonts/DejaVuSansMono24.pf2 --size=24 \
> #   /usr/share/fonts/TTF/DejaVuSansMono.ttf
>
> #for non hiDPI Screen
> #font=unicode
> font=DejaVuSansMono24
>
> if loadfont $font ; then
> set gfxmode=auto
> insmod gfxterm
> set locale_dir=$prefix/locale
> set lang=en_US
> insmod gettext
> fi
> terminal_input console
> terminal_output gfxterm
> set timeout_style=menu
> set timeout=3
>
> if [ "$grub_platform" = "efi" ]; then
> insmod bli
> fi
>
> ## set Theme
> insmod png
> insmod gfxmenu
> loadfont $prefix/themes/default/terminus-12.pf2
> loadfont $prefix/themes/default/terminus-14.pf2
> loadfont $prefix/themes/default/terminus-16.pf2
> loadfont $prefix/themes/default/terminus-18.pf2
> loadfont $prefix/themes/default/ubuntu_regular_17.pf2
> loadfont $prefix/themes/default/ubuntu_regular_20.pf2
> set theme=$prefix/themes/default/theme-hidpi.txt
> export theme
>
> # We need to set root to some partition which is not encrypted, otherwise the
> # UKI's embedded EFI stub complains and fails to load
> function setESP {
>   root=""
>   search --file --no-floppy --hint hd0,gpt1 --set=root /EFI/GRUB/grubx64.efi
>   if [ -z "$root" ]; then
>     root=(hd0,gpt1)
>   fi
> }
>
> menuentry "Arch Linux UKI Image" {
> setESP
> #echo 'Loading Linux Unified Kernel Image from boot'
> chainloader (crypto0)/arch-linux-uki.efi
> }
>
> menuentry "Arch Linux Fallback UKI Image" {
> setESP
> #echo 'Loading Linux Fallback Unified Kernel Image from boot'
> chainloader (crypto0)/arch-linux-uki-fallback.efi
> }
> All files are PGP signed and the corresponding .sig files are in place.
> Booting without Secure Boot works smoothly.
>
> The machine does not have a TPM, therefore I omitted the tpm module for
> grub-install.
> With Secure Boot enabled, grubx64.efi gets loaded, I enter the passphrase and /boot
> gets unlocked and is accessible via (crypto0).
> Theme, fonts, and additional modules get loaded and verified via PGP.
> Only the UKI images fail to load.
> I tried:
> - to EFI sign the UKI files with sbctl
> - to PGP sign the UKI files
> - to EFI sign and after that PGP sign the UKI files
> In all three combinations I receive:
> error: cannot load image.
>
> When I don't put the .sig files for the images in place, I receive a more understandable:
> error: bad signature.
> So it seems GRUB checks the signature and validates it, but then later it hangs up
> on something?
> Any idea why I can't load the images?
>
> I also tried to load a conventional initrd and Linux kernel, also not
> possible.
> Is there any possibility to debug what exactly GRUB is trying to load and where the
> verification process/loading process halts?
>
> As the firmware starts GRUB just fine, this seems to me to be a problem with GRUB's
> loading/verification.
> With GRUB 2.04 everything worked just fine (LUKS1 boot partition) with Secure Boot enabled.
>
> Looking for any advice.
>
> Rodolfo
>
> --
> Sent with Tuta; enjoy secure & ad-free emails:
> https://tuta.com
>