Re: error: verification requested but nobody cares: (hd1, gpt1)/grub/x86
From: Andrei Borzenkov
Subject: Re: error: verification requested but nobody cares: (hd1, gpt1)/grub/x86_64-efi/normal.mod.
Date: Mon, 16 Dec 2024 13:11:08 +0300

On Mon, Dec 16, 2024 at 12:26 PM Frank von Zeppelin
<fvzeppelin@posteo.de> wrote:
>
> Thanks, again.
>
> I tried with grub-mkstandalone, but it gave me a "shim protocol not
> available" or similar error. As I don't know much about secure boot, I'm
> pretty lost, here.
>
Becoming curious, I looked at Arch wiki. It says

    To make use of CA Keys the command is ... --disable-shim-lock

It never explains what "use of CA keys" means on this page. It
probably means enrolling your own SB certificates instead of using the
default Microsoft one. While you do not need shim in this case,
everything else still holds - grub disables external modules loading
as long as Secure Boot is enabled.

... digging further ... OK, so apparently this setup cheats. When
running with Secure Boot enabled grub requires that /something/
verifies files, in particular grub modules. The command from Arch wiki
also adds the tpm module which adds a "verifier" ... which does not
really verify anything. It just measures files into TPM PCR. Unless
something is actually using these measurements, it allows grub to load
any untrusted module.

The only reason for TPM "verifier" to fail is problems communicating
with TPM. And this error implies that grub failed to find TPM at all.
Check your system whether TPM is still available and active.

> There must have been a breaking change, as the way with
> --disable-shim-lock worked on a couple of machines of mine without ever
> having any trouble. I will let the Arch guys know. But I am a bit
> concerned, as on another machine of mine, I need grub and secure boot.
> For the moment, it is working...
>
> As for my laptop, I simply switched to systemd-boot for now, which works
> without complaints.
>
> On 16.12.24 8:04 AM, Andrei Borzenkov wrote:
> > On Mon, Dec 16, 2024 at 8:57 AM Frank von Zeppelin <fvzeppelin@posteo.de>
> > wrote:
> >> Thank you for your reply.
> >> After my laptop did not recover from sleep, I did a power off and that's
> >> it. Then, the error message came, and I disabled secure boot. But this is
> >> not a permanent solution for me.
> >>
> >> P.S. As they say in the Arch wiki, I had originally used
> >> grub-install --target=x86_64-efi --efi-directory=esp --bootloader-id=GRUB
> >> --modules="tpm" --disable-shim-lock
> > That cannot work with Secure Boot (at least, using upstream grub
> > code). If it ever did, then Arch must be using a heavily modified
> > version. In which case you better contact Arch support channels.
> >
> > When Secure Boot is enabled, grub enforces verification of everything
> > it reads while --disable-shim-lock disables the code that performs the
> > verification.
> >
> > But your error is different. grub does not support Secure Boot
> > signatures for its modules and so cannot verify them. All
> > distributions I am aware of use the pre-built signed grub image with
> > module loading disabled. In Secure Boot mode grub will only allow
> > loading of modules from the internal memory disk (e.g.
> > grub-standalone), not from an external source.
> >
> > Again, I do not know how Arch manages it, you better contact them.
> >
> >> In the meantime, I re-applied the command hoping it would solve my
> >> problem, but it didn't.
> >>
> >> 16.12.2024 05:23:26 Andrei Borzenkov <arvidjaar@gmail.com>:
> >>
> >>> 16.12.2024 01:01, Frank von Zeppelin wrote:
> >>>> Hi,
> >>>> I have Arch Linux running on my laptop. I had secure boot active for a
> >>>> long time already, set up with sbctl. Everything worked fine. Then,
> >>>> since the laptop didn't resume from sleep for once, Secure Boot didn't
> >>>> work anymore. Grub is giving the error:
> >>>> error: verification requested but nobody cares:
> >>>> (hd1,gpt1)/grub/x86_64-efi/normal.mod.
> >>>> Can anybody give me a hint on how to repair/debug this? I actually don't
> >>>> have any clue how to approach this.
> >>>>
> >>> Immediate fix is to disable Secure Boot. You did not explain what you did
> >>> when "laptop didn't resume from sleep", but it sounds like you run
> >>> "grub-install" which usually does not work together with Secure Boot.
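
An added illustration of the measure-versus-verify distinction described in the message above (not part of the original thread, and not GRUB code): a simplified model of a measure-only "verifier" next to one that actually rejects files. The digest allowlist is a stand-in for real verification, and all names and sample bytes are constructed for this example.

```python
import hashlib
import hmac

def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def replay(files) -> bytes:
    """PCR value after measuring the files in order, starting from all zeroes."""
    pcr = bytes(32)
    for data in files:
        pcr = extend(pcr, data)
    return pcr

def measuring_load(files):
    """Measure-only 'verifier': every file is accepted, the PCR just records it."""
    return list(files), replay(files.values())

def verifying_load(files, trusted_digests):
    """Stand-in for real verification: reject files whose digest is not trusted."""
    return [name for name, data in files.items()
            if hashlib.sha256(data).hexdigest() in trusted_digests]

def policy_allows(pcr: bytes, expected: bytes) -> bool:
    """A consumer of the measurement, e.g. a secret bound to an expected PCR value."""
    return hmac.compare_digest(pcr, expected)

# Constructed sample data, not real GRUB modules.
GOOD = {"normal.mod": b"normal module, vendor build",
        "tpm.mod": b"tpm module, vendor build"}
TAMPERED = {**GOOD, "normal.mod": b"normal module, modified"}
TRUSTED = {hashlib.sha256(d).hexdigest() for d in GOOD.values()}
EXPECTED_PCR = replay(GOOD.values())

def demo():
    loaded, pcr = measuring_load(TAMPERED)
    return {
        "measure_only_loaded": loaded,                    # modified file still loads
        "verifier_loaded": verifying_load(TAMPERED, TRUSTED),
        "pcr_matches": policy_allows(pcr, EXPECTED_PCR),  # only a consumer notices
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The measure-only path loads the modified file and merely ends with a different PCR value; the load is blocked only where a verifier rejects the file, and the mismatch matters only if some policy compares the PCR against an expected value.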