help-grub
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: x86_64: grub-install for secure boot


From: Andrei Borzenkov
Subject: Re: x86_64: grub-install for secure boot
Date: Fri, 28 Jul 2023 18:58:17 +0300
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.13.0

On 28.07.2023 18:52, Zvi Vered wrote:
Hi Andrei,

Knoppix sees the sata HD where I installed grub as /dev/sdb
In this HD I created /dev/sdb1 in which I installed grub.
In the PC boot menu, it's marked "debian".

What makes you think "debian" refers to whatever you installed?

Show full output of

efibootmgr -v

I selected this entry in the boot menu but managed to boot only when
secure boot was disabled.

Thank you,
Zvika

On Fri, Jul 28, 2023 at 6:29 PM Andrei Borzenkov <arvidjaar@gmail.com> wrote:

On 28.07.2023 16:14, Zvi Vered wrote:
Hi Pascal,

As you suggested I changed the shim to x64.
The output of: apt list --installed | grep shim is now:

----------------------------------------------------------------------------------------------------------------------------------------
shim-helpers-amd64-signed/stable,testing,unstable,now 1+15.7+1 amd64
[installed,automatic]
shim-signed-common/stable,stable,testing,testing,unstable,unstable,now
1.39+15.7-1 all [installed,automatic]
shim-signed/stable,testing,unstable,now 1.39+15.7-1 amd64 [installed]
shim-unsigned/stable,testing,unstable,now 15.7-1 amd64 [installed,automatic]
----------------------------------------------------------------------------------------------------------------------------------------

Then I ran:

mkfs.fat -F32 /dev/sdb1
mount -t vfat /dev/sdb1 /media/sdb1
grub-install --boot-directory=/media/sdb1/boot
--efi-directory=/media/sdb1 --uefi-secure-boot --debug

Attached the output of grub-install. I do not see any errors.
The last lines are:
----------------------------------------------------------------------------------------------------------------------------------------
grub-install: info: adding 211 padding fixup entries.
grub-install: info: writing 744 bytes of a fixup block starting at 0x10000.
grub-install: info: reading /usr/lib/grub/x86_64-efi/fshelp.mod.
grub-install: info: reading /usr/lib/grub/x86_64-efi/fat.mod.
grub-install: info: reading /usr/lib/grub/x86_64-efi/part_msdos.mod.
grub-install: info: reading /usr/lib/grub/x86_64-efi/search_fs_uuid.mod.
grub-install: info: reading /media/sdb1/boot/grub/x86_64-efi/load.cfg.
grub-install: info: kernel_img=0x56913990, kernel_size=0x1c000.
grub-install: info: the core size is 0x21198.
grub-install: info: writing 0x24000 bytes.
grub-install: info: copying `/usr/lib/shim/shimx64.efi.signed' ->
`/media/sdb1/EFI/debian/shimx64.efi'.
grub-install: info: copying
`/usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed' ->
`/media/sdb1/EFI/debian/grubx64.efi'.
grub-install: info: copying `/usr/lib/shim/mmx64.efi.signed' ->
`/media/sdb1/EFI/debian/mmx64.efi'.
grub-install: info: copying `/usr/lib/shim/fbx64.efi.signed' ->
`/media/sdb1/EFI/debian/fbx64.efi'.
grub-install: info: copying `/usr/lib/shim/BOOTX64.CSV' ->
`/media/sdb1/EFI/debian/BOOTX64.CSV'.
grub-install: info: copying
`/media/sdb1/boot/grub/x86_64-efi/load.cfg' ->
`/media/sdb1/EFI/debian/grub.cfg'.
grub-install: info: Registering with EFI: distributor = `debian', path
= `\EFI\debian\shimx64.efi', ESP at hostdisk//dev/sdb,msdos1.
grub-install: info: executing modprobe efivars 2>/dev/null.
grub-install: warning: EFI variables are not supported on this system..
Installation finished. No error reported.
-------------------------------------------------------------------------------------------------------------------------------------------------------
In the attached file I noticed info messages like:
grub-install: info: cannot open
`/usr/share/locale/be/LC_MESSAGES/grub.mo': No such file or directory.

But I still get the red message after booting from /dev/sdb

There is no such thing as "booting from /dev/sdb" in EFI. EFI loads
programs according to BootXXXX and BootOrder variables. Implementations
may offer "boot from disk" option meaning "load \EFI\Boot\bootx64.efi",
but that is implementation defined.

You need to explain what "boot from /dev/sdb" actually means and does.

Is there a way to know what files are not properly signed ?
Should I also sign grub.cfg and maybe other files ?

Highly appreciate your help,
Zvika



On Fri, Jul 28, 2023 at 9:52 AM Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:

On 28/07/2023 at 00:54, Zvi Vered wrote:

apt list --installed | grep shim
is:
shim-helpers-i386-signed/stable,testing,unstable,now 1+15.7+1 i386
[installed,automatic]
shim-signed-common/stable,stable,testing,testing,unstable,unstable,now
1.39+15.7-1 all [installed,automatic]
shim-signed/stable,testing,unstable,now 1.39+15.7-1 i386 [installed]
shim-unsigned/stable,testing,unstable,now 15.7-1 i386 [installed,automatic]

You need shim packages for amd64, not i386.

The contents of /media/sdb1/EFI is:
/media/sdb1/EFI
                         |------debian
                                     |-------grubx64.efi
                                     |-------grub.cfg







reply via email to

[Prev in Thread] Current Thread [Next in Thread]