Re: x86_64: grub-install for secure boot

[Zvi Vered]

Hi Pascal,

As you suggested I changed the shim to x64.
The output of: apt list --installed | grep shim is now:

----------------------------------------------------------------------------------------------------------------------------------------
shim-helpers-amd64-signed/stable,testing,unstable,now 1+15.7+1 amd64
[installed,automatic]
shim-signed-common/stable,stable,testing,testing,unstable,unstable,now
1.39+15.7-1 all [installed,automatic]
shim-signed/stable,testing,unstable,now 1.39+15.7-1 amd64 [installed]
shim-unsigned/stable,testing,unstable,now 15.7-1 amd64 [installed,automatic]
----------------------------------------------------------------------------------------------------------------------------------------

Then I ran:

mkfs.fat -F32 /dev/sdb1
mount -t vfat /dev/sdb1 /media/sdb1
grub-install --boot-directory=/media/sdb1/boot
--efi-directory=/media/sdb1 --uefi-secure-boot --debug

Attached the output of grub-install. I do not see any errors.
The last lines are:
----------------------------------------------------------------------------------------------------------------------------------------
grub-install: info: adding 211 padding fixup entries.
grub-install: info: writing 744 bytes of a fixup block starting at 0x10000.
grub-install: info: reading /usr/lib/grub/x86_64-efi/fshelp.mod.
grub-install: info: reading /usr/lib/grub/x86_64-efi/fat.mod.
grub-install: info: reading /usr/lib/grub/x86_64-efi/part_msdos.mod.
grub-install: info: reading /usr/lib/grub/x86_64-efi/search_fs_uuid.mod.
grub-install: info: reading /media/sdb1/boot/grub/x86_64-efi/load.cfg.
grub-install: info: kernel_img=0x56913990, kernel_size=0x1c000.
grub-install: info: the core size is 0x21198.
grub-install: info: writing 0x24000 bytes.
grub-install: info: copying `/usr/lib/shim/shimx64.efi.signed' ->
`/media/sdb1/EFI/debian/shimx64.efi'.
grub-install: info: copying
`/usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed' ->
`/media/sdb1/EFI/debian/grubx64.efi'.
grub-install: info: copying `/usr/lib/shim/mmx64.efi.signed' ->
`/media/sdb1/EFI/debian/mmx64.efi'.
grub-install: info: copying `/usr/lib/shim/fbx64.efi.signed' ->
`/media/sdb1/EFI/debian/fbx64.efi'.
grub-install: info: copying `/usr/lib/shim/BOOTX64.CSV' ->
`/media/sdb1/EFI/debian/BOOTX64.CSV'.
grub-install: info: copying
`/media/sdb1/boot/grub/x86_64-efi/load.cfg' ->
`/media/sdb1/EFI/debian/grub.cfg'.
grub-install: info: Registering with EFI: distributor = `debian', path
= `\EFI\debian\shimx64.efi', ESP at hostdisk//dev/sdb,msdos1.
grub-install: info: executing modprobe efivars 2>/dev/null.
grub-install: warning: EFI variables are not supported on this system..
Installation finished. No error reported.
-------------------------------------------------------------------------------------------------------------------------------------------------------
In the attached file I noticed info messages like:
grub-install: info: cannot open
`/usr/share/locale/be/LC_MESSAGES/grub.mo': No such file or directory.

But I still get the red message after booting from /dev/sdb
Is there a way to know what files are not properly signed ?
Should I also sign grub.cfg and maybe other files ?

Highly appreciate your help,
Zvika



On Fri, Jul 28, 2023 at 9:52 AM Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:
>
> On 28/07/2023 at 00:54, Zvi Vered wrote:
> >
> > apt list --installed | grep shim
> > is:
> > shim-helpers-i386-signed/stable,testing,unstable,now 1+15.7+1 i386
> > [installed,automatic]
> > shim-signed-common/stable,stable,testing,testing,unstable,unstable,now
> > 1.39+15.7-1 all [installed,automatic]
> > shim-signed/stable,testing,unstable,now 1.39+15.7-1 i386 [installed]
> > shim-unsigned/stable,testing,unstable,now 15.7-1 i386 [installed,automatic]
>
> You need shim packages for amd64, not i386.
>
> > The contents of /media/sdb1/EFI is:
> > /media/sdb1/EFI
> >                        |------debian
> >                                    |-------grubx64.efi
> >                                    |-------grub.cfg
>

grub.log
Description: Binary data