Re: GRUB fails to trust built-in public key

[lolock]

Thank you so much for your quick and competent help.
Such an easy fix, it now works as expected.

Cheers,
lolock

On 27.03.22 17:53, Andrei Borzenkov wrote:
> On 27.03.2022 14:00, lolock wrote:
> > Hello everyone I am trying to set up Secure boot on my Gentoo 
> > machine. I use grub-mkstandalone to generate an image that is signed 
> > by a firmware key. I then expect GRUB to verify my kernel with its 
> > detached signature, using a public key I embedded with the --pubkey 
> > option. If and only if the signature matches, the system should boot. 
> > GRUB does successfully start and show the menu entries. If I select 
> > one, it fails with the error "error: public key b625168013908c5d not 
> > found." If I enter the GRUB shell, list_trusted returns nothing. The 
> > variable check_signatures is not automatically set to "enforce", 
> > despite the fact I used the --pubkey option. If I load the key 
> > manually with --skip-sig, I can successfully verify the kernel and 
> > boot the system in Secure boot mode with verify_detached. So, the 
> > problem is that GRUB does not add the key I provided with --pubkey to 
> > its trust store. However, the key is actually there in the EFI image, 
> > as I checked with a hexdump of the image and the key. 
> The key is added by pgp module init function. This function walks 
> modules embedded in grub image (public key is represented as a 
> "module" of specific type). These modules are only available during 
> image initialization; when it is completed, modules are discarded 
> (depending on platform, memory can be reused). To use public key 
> embedded in grub image you must also embed pgp module itself. May be 
> grub-mkimage should add pgp module automatically if --pubkey is given, 
> as otherwise it is useless.
> > The exact command: grub-mkstandalone --pubkey /boot/grub/grub.pub 
> > --verbose --directory /usr/lib/grub/x86_64-efi/ --format x86_64-efi 
> > --modules part_gpt fat ext2 configfile gcry_sha512 gcry_dsa 
> > gcry_sha256 gcry_rsa password_pbkdf2 echo normal linux linuxefi 
> > all_video search search_fs_uuid reboot sleep loadenv minicmd test 
> > echo font 
> pgp module is missing
> > --disable-shim-lock --output /boot/EFI/gentoo/grubx64.efi 
> > /boot/grub/grub.cfg=/etc/default/grub-initial.cfg 
> > /boot/grub/grub.cfg.sig=/etc/default/grub-initial.cfg.sig If I enable 
> > some debug flags, this is the output: grub> verify_detached 
> > /vmlinuz-5.15.26-gentoo-x86_64 
> pgp module is (auto-)loaded when you use one of commands it provides. 
> It did not add public key embedded into image because this public key 
> was already discarded at this point.
> > /vmlinuz-5.15.26-gentoo-x86_64.sig kern/verifiers.c:212: string: 
> > verify_detached /vmlinuz-5.15.26-gentoo-x86_64 
> > /vmlinuz-5.15.26-gentoo-x86_64.sig, type 2 commands/pgp.c:823: alive 
> > commands/pgp.c:828: alive kern/verifiers.c:88: file:  
> > /vmlinuz-5.15.26-gentoo-x86_64 type: 59 kern/verifiers.c:88: file:  
> > /vmlinuz-5.15.26-gentoo-x86_64.sig type: 131102 kern/verifiers.c:88: 
> > file: (memdisk)/boot/grub/x86_64-efi/gcry_sha1.mod type: 1 
> > commands/pgp.c:496: alive commands/pgp.c:593: alive 
> > commands/pgp.c:602: @ 34 commands/pgp.c:608: alive 
> > commands/pgp.c:611: alive commands/pgp.c:613: l = 0x0c00 
> > commands/pgp.c:616: alive commands/pgp.c:619: alive 
> > commands/pgp.c:621: alive commands/pgp.c:626: alive error: public key 
> > b625168013908c5d not found. 
> Correct.
> > I have posted this problem with some more detail on 
> > https://forums.gentoo.org/viewtopic-t-1147754-highlight-.html What Am 
> > I doing wrong? 
> If you embed public key and want it to be actually used you also need 
> to embed pgp module.
> > Any help is greatly appreciated, thanks in advance. Greetings, lolock