Hello,
my setup is as follows:
Thinkpad T540 machine with no TPM.
ESP as FAT32 /efi
LUKS2 encrypted bootpartition /boot
LUKS2 encrypted root /
Unified Kernel Images generated and located in the root of /boot
I deployed the SecureBoot keys with sbctl.
The grubx64.efi gets verified and loaded by the firmware successfully.
It contains the embedded PGP key used to sign all the files loaded after unlocking
the LUKS2 boot partition.
My grub-install command:

grub-install --target=x86_64-efi --bootloader-id=GRUB \
    --boot-directory=/boot --efi-directory=/efi --disable-shim-lock \
    --modules="gcry_sha512 gcry_dsa gcry_rsa crypto pgp luks2 part_gpt part_msdos cryptodisk pbkdf2 gcry_rijndael gcry_sha256 ext2" \
    --pubkey=/boot/gpg/grub.pub
My boot.cfg:
insmod part_gpt
insmod part_msdos
insmod all_video
insmod fat
insmod chain
set default="0"

# More readable font on high dpi screen, generated with
# sudo grub-mkfont --output=/boot/grub/fonts/DejaVuSansMono24.pf2 --size=24 /usr/share/fonts/TTF/DejaVuSansMono.ttf
# for non-hiDPI screen:
#font=unicode
font=DejaVuSansMono24
if loadfont $font ; then
    set gfxmode=auto
    insmod gfxterm
    set locale_dir=$prefix/locale
    set lang=en_US
    insmod gettext
fi
terminal_input console
terminal_output gfxterm

set timeout_style=menu
set timeout=3

if [ "$grub_platform" = "efi" ]; then
    insmod bli
fi

## set theme
insmod png
insmod gfxmenu
loadfont $prefix/themes/default/terminus-12.pf2
loadfont $prefix/themes/default/terminus-14.pf2
loadfont $prefix/themes/default/terminus-16.pf2
loadfont $prefix/themes/default/terminus-18.pf2
loadfont $prefix/themes/default/ubuntu_regular_17.pf2
loadfont $prefix/themes/default/ubuntu_regular_20.pf2
set theme=$prefix/themes/default/theme-hidpi.txt
export theme

# We need to set root to some partition which is not encrypted, otherwise the
# UKI's embedded EFI stub complains and fails to load.
function setESP {
    root=""
    search --file --no-floppy --hint hd0,gpt1 --set=root /EFI/GRUB/grubx64.efi
    if [ -z "$root" ]; then
        root=(hd0,gpt1)
    fi
}

menuentry "Arch Linux UKI Image" {
    setESP
    #echo 'Loading Linux Unified Kernel Image from boot'
    chainloader (crypto0)/arch-linux-uki.efi
}

menuentry "Arch Linux Fallback UKI Image" {
    setESP
    #echo 'Loading Linux Fallback Unified Kernel Image from boot'
    chainloader (crypto0)/arch-linux-uki-fallback.efi
}
All files are PGP signed and the corresponding .sig files are in place.
Booting without Secure Boot works smoothly.
The machine does not have a TPM, therefore I omitted the tpm module for
grub-install.
With Secure Boot enabled, grubx64.efi gets loaded, I enter the passphrase and /boot
gets unlocked and is accessible via (crypto0).
Theme, fonts, and additional modules get loaded and verified via PGP.
Only the UKI images fail to load.
I tried:
  to EFI-sign the UKI files with sbctl
  to PGP-sign the UKI files
  to EFI-sign and afterwards PGP-sign the UKI files
In all three constellations I receive:
  error: cannot load image.
When I don't put the .sig files for the images in place I receive a more understandable:
  error: bad signature.
So it seems grub checks the signature and validates it, but then later hangs up on
something?
Any idea why I can't load the images?
I also tried to load a conventional initrd and Linux kernel, also not possible.
Is there any possibility to debug what exactly grub is trying to load and where the
verification/loading process halts?
As the firmware starts grub just fine, this seems to me to be a problem of grub's
loading/verification.
With grub 2.04 everything worked just fine (LUKS1 boot partition) with Secure Boot enabled.
Looking for any advice.
Rodolfo
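The post distinguishes two symptoms: "bad signature" when a UKI has no .sig next to it, and "cannot load image" once the .sig is in place. Before rebooting into the GRUB menu again, it helps to confirm offline that the pgp verifier's inputs are all consistent: every file GRUB opens while the verifier is active (grub.cfg, modules, fonts, theme files, PNGs, kernels, initrds, UKIs) has a detached .sig, and each .sig verifies against the key that was embedded with `--pubkey`. The script below is an added example written for this thread; it is not part of Rodolfo's post and not a GRUB or sbctl tool. It assumes the layout from the post (/boot as the signed tree, the exported key at /boot/gpg/grub.pub), that gpg is installed, and optionally sbverify from sbsigntools for listing the Authenticode signature on the PE images that the firmware checks against db.

```shell
#!/bin/sh
# Pre-flight audit for a GRUB install using the pgp verifier plus Secure Boot.
# Example code for this thread, not from the original post. Assumed paths:
# /boot is the signed tree, /boot/gpg/grub.pub is the exported public key.

# Print every regular file under $1 that has no sibling <file>.sig.
# GRUB's pgp verifier reports "bad signature" for any such file it opens.
list_unsigned() {
    find "$1" -type f ! -name '*.sig' | while IFS= read -r f; do
        [ -f "$f.sig" ] || printf '%s\n' "$f"
    done
}

# Number of files under $1 without a .sig (0 means every file has one).
count_unsigned() {
    list_unsigned "$1" | wc -l | tr -d ' '
}

# Verify every <file>.sig under $1 against the exported public key $2 in a
# throw-away GnuPG home, so the caller's own keyring cannot mask a mismatch
# between the .sig files and the key actually embedded in grubx64.efi.
# Prints "ok <file>" or "BAD <file>" per signature; returns 2 if the key
# cannot be imported.
verify_sigs() {
    dir="$1"; pubkey="$2"
    home=$(mktemp -d) || return 2
    if ! gpg --homedir "$home" --quiet --import "$pubkey" 2>/dev/null; then
        rm -rf "$home"; return 2
    fi
    find "$dir" -type f -name '*.sig' | while IFS= read -r sig; do
        f="${sig%.sig}"
        if gpg --homedir "$home" --quiet --verify "$sig" "$f" 2>/dev/null; then
            printf 'ok  %s\n' "$f"
        else
            printf 'BAD %s\n' "$f"
        fi
    done
    rm -rf "$home"
}

# Run the whole audit. Exit status is non-zero if any file lacks a .sig or
# any .sig fails to verify. The Authenticode listing is informational: it
# shows whether the chainloaded PE image carries a db-checkable signature.
audit() {
    dir="${1:-/boot}"; pubkey="${2:-/boot/gpg/grub.pub}"; rc=0
    echo "== files without a detached .sig under $dir"
    list_unsigned "$dir"
    [ "$(count_unsigned "$dir")" = "0" ] || rc=1

    echo "== gpg verification of every .sig against $pubkey"
    out=$(verify_sigs "$dir" "$pubkey") || { echo "cannot import $pubkey"; rc=1; }
    printf '%s\n' "$out"
    printf '%s\n' "$out" | grep -q '^BAD' && rc=1

    echo "== Authenticode (Secure Boot db) signatures on PE images"
    if command -v sbverify >/dev/null 2>&1; then
        find "$dir" -type f -name '*.efi' | while IFS= read -r f; do
            echo "-- $f"
            sbverify --list "$f" || echo "   (no Authenticode signature found)"
        done
    else
        echo "sbverify (sbsigntools) not installed, skipping"
    fi
    return $rc
}

# Usage: sh grub-sig-audit.sh [/boot] [/boot/gpg/grub.pub]
# Runs only when given arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    audit "$@"
fi
```

Run it as root after every kernel or theme update (the .sig files must be regenerated whenever the signed file changes). A clean run means the remaining error is not about a missing or mismatched detached signature, which narrows the search to the image itself and what the firmware accepts for it.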