Re: x86_64: grub-install for secure boot

[Pascal Hambourg]

On 29/07/2023 at 06:56, Zvi Vered wrote:
> When  I tried to sign my kernel with mokutil under knoppix (secure
> boot = enabled)
> I got the "EFI variables are not supported on this system" again.
>
> modprobe efivarfs
> mount -t efivarfs efivarfs /sys/firmware/efi/efivars
>
> After those 2 steps, mokutil worked.
> Unfortunately, I'm not an expert. Can't tell if this is the right
> solution or not.

It is, but I do not understand why sometimes efivarfs is automatically 
mounted and sometimes not. Do you do anything differently ?

> According to a few links I found, the cause of the problem is that
> knoppix is booting from a USB stick.

I do not see how this alone would make any difference, all other things 
being equal (same boot mode, system...).

On 29/07/2023 at 07:42, Andrei Borzenkov wrote:
> On 28.07.2023 22:04, Pascal Hambourg wrote:
> > > You wrote: "Most likely the system was booted in legacy BIOS mode"
> >
> > I don't think so. grub-install would have selected the i386-pc target
> > instead of x86_64-efi.
>
> --uefi-secure-boot option may implicitly set UEFI target. This option 
> does not exist in upstream grub (and this is mailing list for upstream 
> grub) so I have no idea what it does exactly nor why this question was 
> not asked on distribution support channel.

AFAICS, --uefi-secure-boot alone is basically a no-op, as it is the 
default, and it does not set a UEFI target when booted in BIOS mode.
How would the average user know whether an option is from upstream or 
the distribution ?