help-grub

Re: Cant chainload UKI Image with Secureboot on


From: rodolfosilva2
Subject: Re: Cant chainload UKI Image with Secureboot on
Date: Fri, 19 Jan 2024 01:45:02 +0100 (CET)

I can boot the UKI EFI file without Secure Boot directly from the USB drive or the
ESP, so the UKI is fine.
With Secure Boot enabled I can boot the UKI from USB or ESP and no problem
arises.

The UKI is also totally fine; this is a GRUB bug.
How do I debug this?


Jan 18, 2024, 17:35 by arvidjaar@gmail.com:

> On 18.01.2024 07:18, rodolfosilva2--- via Support requests for the GRand 
> Unified Bootloader wrote:
>
>> Hello,
>>
>> my setup is as follows:
>> Thinkpad T540 machine with no TPM.
>>
>> ESP as FAT32 /efi
>> LUKS2 encrypted boot partition /boot
>> LUKS2 encrypted root /
>>
>> Unified Kernel Images generated and located in root of /boot
>>
>> I deployed the SecureBoot keys with sbctl.
>> The grubx64.efi gets verified and loaded by Firmware successfully.
>> It contains embedded PGP key used to sign all the files loaded after 
>> unlocking the LUKS2 boot.
>>
>> My grub-install command:
>> grub-install --target=x86_64-efi --bootloader-id=GRUB --boot-directory=/boot \
>>   --efi-directory=/efi --disable-shim-lock \
>>   --modules="gcry_sha512 gcry_dsa gcry_rsa crypto pgp luks2 part_gpt part_msdos cryptodisk pbkdf2 gcry_rijndael gcry_sha256 ext2" \
>>   --pubkey=/boot/gpg/grub.pub
>>
>> My boot.cfg:
>>
>> insmod part_gpt
>> insmod part_msdos
>> insmod all_video
>> insmod fat
>> insmod chain
>>
>> set default="0"
>>
>> # More readable font on high dpi screen, generated with
>> # sudo grub-mkfont --output=/boot/grub/fonts/DejaVuSansMono24.pf2 --size=24 /usr/share/fonts/TTF/DejaVuSansMono.ttf
>>
>> # for non hiDPI screen
>> #font=unicode
>> font=DejaVuSansMono24
>>
>> if loadfont $font ; then
>>   set gfxmode=auto
>>   insmod gfxterm
>>   set locale_dir=$prefix/locale
>>   set lang=en_US
>>   insmod gettext
>> fi
>> terminal_input console
>> terminal_output gfxterm
>> set timeout_style=menu
>> set timeout=3
>>
>> if [ "$grub_platform" = "efi" ]; then
>>   insmod bli
>> fi
>>
>> ## set theme
>> insmod png
>> insmod gfxmenu
>> loadfont $prefix/themes/default/terminus-12.pf2
>> loadfont $prefix/themes/default/terminus-14.pf2
>> loadfont $prefix/themes/default/terminus-16.pf2
>> loadfont $prefix/themes/default/terminus-18.pf2
>> loadfont $prefix/themes/default/ubuntu_regular_17.pf2
>> loadfont $prefix/themes/default/ubuntu_regular_20.pf2
>> set theme=$prefix/themes/default/theme-hidpi.txt
>> export theme
>>
>> # we need to set root to some partition which is not encrypted, otherwise
>> # the UKI's embedded EFI stub complains and fails to load
>> function setESP {
>>         root=""
>>         search --file --no-floppy --hint hd0,gpt1 --set=root /EFI/GRUB/grubx64.efi
>>         if [ -z "$root" ]; then
>>                 root=(hd0,gpt1)
>>         fi
>> }
>>
>> menuentry "Arch Linux UKI Image" {
>>         setESP
>>         #echo 'Loading Linux Unified Kernel Image from boot'
>>         chainloader (crypto0)/arch-linux-uki.efi
>> }
>>
>> menuentry "Arch Linux Fallback UKI Image" {
>>         setESP
>>         #echo 'Loading Linux Fallback Unified Kernel Image from boot'
>>         chainloader (crypto0)/arch-linux-uki-fallback.efi
>> }
>> All files are PGP signed and the corresponding .sig files are in place.
>>
>
> It has nothing to do with Secure Boot.
>
>> Booting without Secure Boot works smoothly.
>>
>> The machine does not have a TPM, therefore I omitted the tpm module for
>> grub-install.
>> With Secure Boot enabled, grubx64.efi gets loaded, I enter the passphrase and
>> /boot gets unlocked and is accessible via (crypto0).
>> Theme, fonts, and additional modules get loaded and verified via PGP.
>> Only the UKI images fail to load.
>> I tried:
>> to EFI-sign the UKI files with sbctl
>> to PGP-sign the UKI files
>> to EFI-sign and after that PGP-sign the UKI files
>> In all three constellations I receive
>> error: cannot load image.
>>
>
> Can you load the same UKI image directly by firmware?
>
>> When I leave out the .sig files for the images I receive a more understandable:
>> error: bad signature.
>> So it seems GRUB checks the signature and validates it, but then later hangs up
>> on something?
>> Any idea why i cant load the images?
>>
>> I also tried to load a conventional initrd and linux kernel, also not 
>> possible.
>> Any possibility to debug what exactly grub is trying to load and where the 
>> verification process/loading process halts?
>>
>> As the firmware starts GRUB just fine, this seems to be a problem of GRUB's
>> loading/verification to me.
>> With GRUB 2.04 all worked just fine (LUKS1 boot partition) with Secure Boot
>> enabled.
>>
>> Looking for any advice
>>
>> Rodolfo
>>
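Added example, not code from this thread, from GRUB or from sbctl: a small Python pre-flight check for the two artefacts the signing attempts above are about. With Secure Boot on, the firmware's image loader checks the Authenticode signature stored in the PE image's Certificate Table (data directory entry 4, what `sbctl sign` and sbsigntools write). GRUB's pgp verifier, enabled here by `--pubkey`, separately requires a detached `<file>.sig` beside every file it loads, which is the "bad signature" case reported above when the .sig is absent. The script only reports whether each of those is present for a given image; it does not validate either signature (`sbverify --cert <cert.pem> <image>` and `gpg --verify <image>.sig <image>` do that), and it says nothing about why a chainload fails beyond that. The helper names `authenticode_entries`, `check_uki`, `minimal_pe32plus` and `demo` are hypothetical, and the PE skeleton and .sig contents the demo builds are constructed filler, not real signatures.

```python
"""Pre-flight check for a UKI that GRUB is about to chainload (added example with
hypothetical helper names; not code from the thread, GRUB or sbctl).
Reports presence, not validity, of the two signatures the thread tried:
an Authenticode signature in the PE Certificate Table (data directory entry 4,
what the firmware checks against db under Secure Boot) and a detached <file>.sig
beside the image (what GRUB's pgp verifier looks for)."""
import struct
import tempfile
from pathlib import Path
from typing import Optional

PE_SIGNATURE = b"PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DIR_CERTIFICATE_TABLE = 4                # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData


def authenticode_entries(image: bytes) -> list:
    """WIN_CERTIFICATE entries of a PE image ([] if unsigned); ValueError if the
    bytes are not a well-formed PE header."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (no MZ header)")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    coff, opt = pe_off + 4, pe_off + 24       # COFF header is 20 bytes
    if opt + 2 > len(image):
        raise ValueError("truncated PE header")
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    (magic,) = struct.unpack_from("<H", image, opt)
    # Data directories begin at optional-header offset 112 (PE32+) or 96 (PE32).
    if magic == PE32PLUS_MAGIC:
        dirs = opt + 112
    elif magic == PE32_MAGIC:
        dirs = opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry = dirs + 8 * DIR_CERTIFICATE_TABLE
    if opt_size < entry + 8 - opt:
        return []                             # header too short to carry entry 4
    if entry + 8 > len(image):
        raise ValueError("truncated optional header")
    # For the security directory the first field is a file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", image, entry)
    if cert_off == 0 or cert_size == 0:
        return []
    if cert_off + cert_size > len(image):
        raise ValueError("certificate table points past end of file")
    entries, pos, end = [], cert_off, cert_off + cert_size
    while pos + 8 <= end:
        length, revision, ctype = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        entries.append({"length": length, "revision": revision, "type": ctype,
                        "pkcs7": ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA})
        pos += (length + 7) & ~7              # entries are 8-byte aligned
    return entries


def check_uki(path) -> dict:
    """Firmware-side Authenticode presence and GRUB-side detached .sig presence."""
    path = Path(path)
    entries = authenticode_entries(path.read_bytes())
    return {"authenticode": any(e["pkcs7"] for e in entries),
            "cert_entries": len(entries),
            "detached_sig": path.with_name(path.name + ".sig").is_file()}


def minimal_pe32plus(cert_blob: Optional[bytes] = None) -> bytes:
    """Constructed, non-bootable PE32+ skeleton: just enough header to locate the
    Certificate Table, optionally with one WIN_CERTIFICATE whose body is filler."""
    opt_size = 112 + 8 * 16              # PE32+ fixed part + 16 data directories
    cert_off = 0x40 + 4 + 20 + opt_size  # table placed right after the headers
    cert_len = 0 if cert_blob is None else 8 + len(cert_blob)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)  # x86-64
    opt = struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * 106 + struct.pack("<I", 16)
    dirs = [(0, 0)] * 16
    if cert_blob is not None:
        dirs[DIR_CERTIFICATE_TABLE] = (cert_off, (cert_len + 7) & ~7)
    image = dos + PE_SIGNATURE + coff + opt + b"".join(struct.pack("<II", *d) for d in dirs)
    if cert_blob is not None:
        entry = struct.pack("<IHH", cert_len, WIN_CERT_REVISION_2_0,
                            WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
        image += entry + b"\0" * (-len(entry) % 8)
    return image


def demo() -> dict:
    """Two constructed images in a temp dir, one with a .sig beside it; file
    names are taken from the config in the thread."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        uki, fallback = d / "arch-linux-uki.efi", d / "arch-linux-uki-fallback.efi"
        uki.write_bytes(minimal_pe32plus(b"constructed filler, not a real PKCS#7 blob"))
        (d / "arch-linux-uki.efi.sig").write_bytes(b"constructed placeholder .sig")
        fallback.write_bytes(minimal_pe32plus())
        return {"uki": check_uki(uki), "fallback": check_uki(fallback)}


if __name__ == "__main__":
    import sys
    print(demo() if len(sys.argv) == 1 else {p: check_uki(p) for p in sys.argv[1:]})
```

Run it from the booted system against the unlocked /boot, e.g. `python3 check_uki.py /boot/arch-linux-uki.efi /boot/arch-linux-uki-fallback.efi`; with no arguments it runs the constructed demo. An image with `authenticode: False` is one the firmware would reject under Secure Boot regardless of how GRUB hands it over, and `detached_sig: False` is the case that produces GRUB's "bad signature"; a result where both are present only means the artefacts exist, and their validity still has to be checked with sbverify and gpg.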



