GRUB fails to trust built-in public key

help-grub

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

GRUB fails to trust built-in public key

From:	lolock
Subject:	GRUB fails to trust built-in public key
Date:	Sun, 27 Mar 2022 13:00:36 +0200
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0

Hello everyone

I am trying to set up Secure boot on my Gentoo machine. I usegrub-mkstandalone to generate an image that is signed by a firmware key.I then expect GRUB to verify my kernel with its detached signature,using a public key I embedded with the --pubkey option. If and only ifthe signature matches, the system should boot.

GRUB does successfully start and show the menu entries. If I select one,it fails with the error "error: public key b625168013908c5d not found."If I enter the GRUB shell, list_trusted returns nothing. The variablecheck_signatures is not automatically set to "enforce", despite the factI used the --pubkey option. If I load the key manually with --skip-sig,I can successfully verify the kernel and boot the system in Secure bootmode with verify_detached.

So, the problem is that GRUB does not add the key I provided with--pubkey to its trust store. However, the key is actually there in theEFI image, as I checked with a hexdump of the image and the key.


The exact command:

grub-mkstandalone --pubkey /boot/grub/grub.pub --verbose --directory/usr/lib/grub/x86_64-efi/ --format x86_64-efi --modules part_gpt fatext2 configfile gcry_sha512 gcry_dsa gcry_sha256 gcry_rsapassword_pbkdf2 echo normal linux linuxefi all_video searchsearch_fs_uuid reboot sleep loadenv minicmd test echo font--disable-shim-lock --output /boot/EFI/gentoo/grubx64.efi/boot/grub/grub.cfg=/etc/default/grub-initial.cfg/boot/grub/grub.cfg.sig=/etc/default/grub-initial.cfg.sig


If I enable some debug flags, this is the output:

grub> verify_detached /vmlinuz-5.15.26-gentoo-x86_64/vmlinuz-5.15.26-gentoo-x86_64.sigkern/verifiers.c:212: string: verify_detached/vmlinuz-5.15.26-gentoo-x86_64 /vmlinuz-5.15.26-gentoo-x86_64.sig, type 2

commands/pgp.c:823: alive
commands/pgp.c:828: alive
kern/verifiers.c:88: file:  /vmlinuz-5.15.26-gentoo-x86_64  type: 59
kern/verifiers.c:88: file:  /vmlinuz-5.15.26-gentoo-x86_64.sig type: 131102

kern/verifiers.c:88: file: (memdisk)/boot/grub/x86_64-efi/gcry_sha1.modtype: 1

commands/pgp.c:496: alive
commands/pgp.c:593: alive
commands/pgp.c:602: @ 34
commands/pgp.c:608: alive
commands/pgp.c:611: alive
commands/pgp.c:613: l = 0x0c00
commands/pgp.c:616: alive
commands/pgp.c:619: alive
commands/pgp.c:621: alive
commands/pgp.c:626: alive
error: public key b625168013908c5d not found.

I have posted this problem with some more detail onhttps://forums.gentoo.org/viewtopic-t-1147754-highlight-.html


What Am I doing wrong?

Any help is greatly appreciated, thanks in advance.

Greetings,

lolock

[Prev in Thread]

Current Thread

[Next in Thread]

GRUB fails to trust built-in public key, lolock <=
- Re: GRUB fails to trust built-in public key, Andrei Borzenkov, 2022/03/27
  - Re: GRUB fails to trust built-in public key, lolock, 2022/03/27

Prev by Date: Re: grub-mkimage
Next by Date: Re: GRUB fails to trust built-in public key
Previous by thread: azerty, fr or fr-pc keyboard layout with grub 2.06
Next by thread: Re: GRUB fails to trust built-in public key
Index(es):
- Date
- Thread