help-grub

Re: x86_64: grub-install for secure boot


From: Zvi Vered
Subject: Re: x86_64: grub-install for secure boot
Date: Fri, 28 Jul 2023 18:52:12 +0300

Hi Andrei,

Knoppix sees the SATA HD where I installed grub as /dev/sdb.
In this HD I created /dev/sdb1, in which I installed grub.
In the PC boot menu, it's marked "debian".
I selected this entry in the boot menu but managed to boot only when
secure boot was disabled.

Thank you,
Zvika

On Fri, Jul 28, 2023 at 6:29 PM Andrei Borzenkov <arvidjaar@gmail.com> wrote:
>
> On 28.07.2023 16:14, Zvi Vered wrote:
> > Hi Pascal,
> >
> > As you suggested I changed the shim to x64.
> > The output of: apt list --installed | grep shim is now:
> >
> > ----------------------------------------------------------------------------------------------------------------------------------------
> > shim-helpers-amd64-signed/stable,testing,unstable,now 1+15.7+1 amd64
> > [installed,automatic]
> > shim-signed-common/stable,stable,testing,testing,unstable,unstable,now
> > 1.39+15.7-1 all [installed,automatic]
> > shim-signed/stable,testing,unstable,now 1.39+15.7-1 amd64 [installed]
> > shim-unsigned/stable,testing,unstable,now 15.7-1 amd64 [installed,automatic]
> > ----------------------------------------------------------------------------------------------------------------------------------------
> >
> > Then I ran:
> >
> > mkfs.fat -F32 /dev/sdb1
> > mount -t vfat /dev/sdb1 /media/sdb1
> > grub-install --boot-directory=/media/sdb1/boot
> > --efi-directory=/media/sdb1 --uefi-secure-boot --debug
> >
> > Attached the output of grub-install. I do not see any errors.
> > The last lines are:
> > ----------------------------------------------------------------------------------------------------------------------------------------
> > grub-install: info: adding 211 padding fixup entries.
> > grub-install: info: writing 744 bytes of a fixup block starting at 0x10000.
> > grub-install: info: reading /usr/lib/grub/x86_64-efi/fshelp.mod.
> > grub-install: info: reading /usr/lib/grub/x86_64-efi/fat.mod.
> > grub-install: info: reading /usr/lib/grub/x86_64-efi/part_msdos.mod.
> > grub-install: info: reading /usr/lib/grub/x86_64-efi/search_fs_uuid.mod.
> > grub-install: info: reading /media/sdb1/boot/grub/x86_64-efi/load.cfg.
> > grub-install: info: kernel_img=0x56913990, kernel_size=0x1c000.
> > grub-install: info: the core size is 0x21198.
> > grub-install: info: writing 0x24000 bytes.
> > grub-install: info: copying `/usr/lib/shim/shimx64.efi.signed' ->
> > `/media/sdb1/EFI/debian/shimx64.efi'.
> > grub-install: info: copying
> > `/usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed' ->
> > `/media/sdb1/EFI/debian/grubx64.efi'.
> > grub-install: info: copying `/usr/lib/shim/mmx64.efi.signed' ->
> > `/media/sdb1/EFI/debian/mmx64.efi'.
> > grub-install: info: copying `/usr/lib/shim/fbx64.efi.signed' ->
> > `/media/sdb1/EFI/debian/fbx64.efi'.
> > grub-install: info: copying `/usr/lib/shim/BOOTX64.CSV' ->
> > `/media/sdb1/EFI/debian/BOOTX64.CSV'.
> > grub-install: info: copying
> > `/media/sdb1/boot/grub/x86_64-efi/load.cfg' ->
> > `/media/sdb1/EFI/debian/grub.cfg'.
> > grub-install: info: Registering with EFI: distributor = `debian', path
> > = `\EFI\debian\shimx64.efi', ESP at hostdisk//dev/sdb,msdos1.
> > grub-install: info: executing modprobe efivars 2>/dev/null.
> > grub-install: warning: EFI variables are not supported on this system..
> > Installation finished. No error reported.
> > -------------------------------------------------------------------------------------------------------------------------------------------------------
> > In the attached file I noticed info messages like:
> > grub-install: info: cannot open
> > `/usr/share/locale/be/LC_MESSAGES/grub.mo': No such file or directory.
> >
> > But I still get the red message after booting from /dev/sdb
>
> There is no such thing as "booting from /dev/sdb" in EFI. EFI loads
> programs according to BootXXXX and BootOrder variables. Implementations
> may offer "boot from disk" option meaning "load \EFI\Boot\bootx64.efi",
> but that is implementation defined.
>
> You need to explain what "boot from /dev/sdb" actually means and does.
>
> > Is there a way to know what files are not properly signed?
> > Should I also sign grub.cfg and maybe other files?
> >
> > Highly appreciate your help,
> > Zvika
> >
> >
> >
> > On Fri, Jul 28, 2023 at 9:52 AM Pascal Hambourg <pascal@plouf.fr.eu.org> 
> > wrote:
> >>
> >> On 28/07/2023 at 00:54, Zvi Vered wrote:
> >>>
> >>> apt list --installed | grep shim
> >>> is:
> >>> shim-helpers-i386-signed/stable,testing,unstable,now 1+15.7+1 i386
> >>> [installed,automatic]
> >>> shim-signed-common/stable,stable,testing,testing,unstable,unstable,now
> >>> 1.39+15.7-1 all [installed,automatic]
> >>> shim-signed/stable,testing,unstable,now 1.39+15.7-1 i386 [installed]
> >>> shim-unsigned/stable,testing,unstable,now 15.7-1 i386 
> >>> [installed,automatic]
> >>
> >> You need shim packages for amd64, not i386.
> >>
> >>> The contents of /media/sdb1/EFI is:
> >>> /media/sdb1/EFI
> >>>                         |------debian
> >>>                                     |-------grubx64.efi
> >>>                                     |-------grub.cfg
> >>
>
>
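
Added example, not part of any message in this thread: a shell check of a mounted ESP for the shim chain files that the grub-install log above copies into `EFI/debian`, the `\EFI\Boot\bootx64.efi` fallback path mentioned in the reply, and the availability of EFI variables. The function names and the `EFIVARS_DIR` override are hypothetical; it assumes a `find` with `-ipath` (GNU or BSD) and uses `sbverify --list` from sbsigntool only if it is installed.

```shell
#!/bin/sh
# Added example (not from the thread). Usage: audit_esp /media/sdb1

# Case-insensitive lookup of a relative path under the ESP. FAT ignores case,
# other filesystems do not. Prints the first match, or nothing.
esp_find() {
    find "$1" -type f -ipath "$1/$2" 2>/dev/null | head -n 1
}

# List the signatures embedded in a PE binary when sbverify is available.
list_signers() {
    command -v sbverify >/dev/null 2>&1 || return 0
    sbverify --list "$1" 2>/dev/null || echo "  (no readable signature) $1"
}

# Prints one status line per check; returns 0 only if the shim chain is complete.
audit_esp() {
    esp=${1%/}
    rc=0
    for f in EFI/debian/shimx64.efi EFI/debian/grubx64.efi EFI/debian/mmx64.efi; do
        p=$(esp_find "$esp" "$f")
        if [ -n "$p" ]; then
            echo "present  $f"
            list_signers "$p"
        else
            echo "MISSING  $f"
            rc=1
        fi
    done
    # Path that firmware may load when asked to "boot from disk".
    if [ -n "$(esp_find "$esp" EFI/BOOT/BOOTX64.EFI)" ]; then
        echo "present  EFI/BOOT/BOOTX64.EFI (fallback path)"
    else
        echo "absent   EFI/BOOT/BOOTX64.EFI (fallback path)"
    fi
    # Without efivarfs, grub-install cannot write BootXXXX/BootOrder entries.
    # EFIVARS_DIR is a hypothetical override so the check can be exercised offline.
    if [ -d "${EFIVARS_DIR:-/sys/firmware/efi/efivars}" ]; then
        echo "efivars  available"
    else
        echo "efivars  unavailable (no boot entry can be registered here)"
    fi
    return $rc
}
```

A non-zero return means a file of the shim chain is missing from `EFI/debian`; the fallback-path and efivars lines are informational.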


