help-grub

Re: Cant chainload UKI Image with Secureboot on


From: Andrei Borzenkov
Subject: Re: Cant chainload UKI Image with Secureboot on
Date: Fri, 19 Jan 2024 14:04:20 +0300

On Fri, Jan 19, 2024 at 3:45 AM <rodolfosilva2@tutanota.com> wrote:
>
> I can boot the UKI EFI file without Secureboot directly from the USB drive or the
> ESP, so the UKI is fine.
> With Secureboot enabled I can boot the UKI from USB or ESP and no problem
> arises.
>
> The UKI is also totally fine; this is a GRUB bug.

The message is printed immediately after the call to UEFI LoadImage.
So the firmware refused this image for whatever reason.

> How to debug this
>

Modify grub to print the EFI error code; this may give a starting point.

>
> Jan 18, 2024, 17:35 by arvidjaar@gmail.com:
>
> > On 18.01.2024 07:18, rodolfosilva2--- via Support requests for the GRand 
> > Unified Bootloader wrote:
> >
> >> Hello,
> >>
> >> my setup is as follows:
> >> Thinkpad T540 machine with no TPM.
> >>
> >> ESP as FAT32 /efi
> >> LUKS2 encrypted bootpartition  /boot
> >> LUKS2 encrypted root /
> >>
> >> Unified Kernel Images generated and located in root of /boot
> >>
> >> I deployed the SecureBoot keys with sbctl.
> >> The grubx64.efi gets verified and loaded by the firmware successfully.
> >> It contains the embedded PGP key used to sign all the files loaded after
> >> unlocking the LUKS2 boot.
> >>
> >> My grub-install command:
> >> grub-install --target=x86_64-efi --bootloader-id=GRUB \
> >>   --boot-directory=/boot --efi-directory=/efi --disable-shim-lock \
> >>   --modules="gcry_sha512 gcry_dsa gcry_rsa crypto pgp luks2 part_gpt part_msdos cryptodisk pbkdf2 gcry_rijndael gcry_sha256 ext2" \
> >>   --pubkey=/boot/gpg/grub.pub
> >>
> >> My boot.cfg:
> >>
> >> insmod part_gpt
> >> insmod part_msdos
> >> insmod all_video
> >> insmod fat
> >> insmod chain
> >> set default="0"
> >> # More readable font on high dpi screen, generated with
> >> # sudo grub-mkfont --output=/boot/grub/fonts/DejaVuSansMono24.pf2 --size=24 /usr/share/fonts/TTF/DejaVuSansMono.ttf
> >> # for non hiDPI screen
> >> #font=unicode
> >> font=DejaVuSansMono24
> >> if loadfont $font ; then
> >>   set gfxmode=auto
> >>   insmod gfxterm
> >>   set locale_dir=$prefix/locale
> >>   set lang=en_US
> >>   insmod gettext
> >> fi
> >> terminal_input console
> >> terminal_output gfxterm
> >> set timeout_style=menu
> >> set timeout=3
> >> if [ "$grub_platform" = "efi" ]; then
> >>   insmod bli
> >> fi
> >> ## set Theme
> >> insmod png
> >> insmod gfxmenu
> >> loadfont $prefix/themes/default/terminus-12.pf2
> >> loadfont $prefix/themes/default/terminus-14.pf2
> >> loadfont $prefix/themes/default/terminus-16.pf2
> >> loadfont $prefix/themes/default/terminus-18.pf2
> >> loadfont $prefix/themes/default/ubuntu_regular_17.pf2
> >> loadfont $prefix/themes/default/ubuntu_regular_20.pf2
> >> set theme=$prefix/themes/default/theme-hidpi.txt
> >> export theme
> >> # we need to set root to some partition which is not encrypted, otherwise
> >> # the UKI's embedded EFI stub complains and fails to load
> >> function setESP {
> >>         root=""
> >>         search --file --no-floppy --hint hd0,gpt1 --set=root /EFI/GRUB/grubx64.efi
> >>         if [ -z "$root" ]; then
> >>                 root=(hd0,gpt1)
> >>         fi
> >> }
> >> menuentry "Arch Linux UKI Image" {
> >>         setESP
> >>         #echo 'Loading Linux Unified Kernel Image from boot'
> >>         chainloader (crypto0)/arch-linux-uki.efi
> >> }
> >> menuentry "Arch Linux Fallback UKI Image" {
> >>         setESP
> >>         #echo 'Loading Linux Fallback Unified Kernel Image from boot'
> >>         chainloader (crypto0)/arch-linux-uki-fallback.efi
> >> }
> >> All files are PGP signed and the corresponding .sig files are in place.
> >>
> >
> > It has nothing to do with Secure Boot.
> >
> >> Booting without SecureBoot works smoothly.
> >>
> >> The machine does not have a TPM, therefore I omitted the tpm module for
> >> grub-install.
> >> With Secureboot enabled grubx64.efi gets loaded, I enter the passphrase and
> >> /boot gets unlocked and accessible via (crypto0).
> >> Theme, fonts, and additional modules get loaded and verified via PGP.
> >> Only the UKI images fail to load.
> >> I tried:
> >> to EFI sign the UKI files with sbctl
> >> to PGP sign the UKI files
> >> to EFI and after that PGP sign the UKI files
> >> In all three of these constellations I receive
> >> error: cannot load image.
> >>
> >
> > Can you load the same UKI image directly by firmware?
> >
> >> When I don't put the sig files for the images I receive a more
> >> understandable:
> >> error: bad signature.
> >> So it seems grub checks the signature and validates it, but then later it hangs
> >> up on something?
> >> Any idea why I can't load the images?
> >>
> >> I also tried to load a conventional initrd and Linux kernel; also not
> >> possible.
> >> Is there any possibility to debug what exactly grub is trying to load and where the
> >> verification process/loading process halts?
> >>
> >> As the firmware starts grub just fine, this seems to be a problem of grub's
> >> loading/verification to me.
> >> With grub 2.04 all worked just fine (LUKS1 boot part) with SecureBoot
> >> enabled.
> >>
> >> Looking for any advise
> >>
> >> Rodolfo
> >>
>

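Andrei's suggestion above is to make grub print the EFI status instead of the bare "cannot load image". The program below is an added example, not grub code and not anything posted in this thread. It assumes that the relevant grub site is the `grub_error (GRUB_ERR_BAD_OS, "cannot load image")` branch after the LoadImage call in grub-core/loader/efi/chainloader.c, and that the raw status can be printed there with `(unsigned long long) status` and `%llx`. Given such a printed value, the code splits off the UEFI error bit, names the code using the status constants from the UEFI specification's status-code appendix, and shows what grub's message would look like with the code attached. The sample statuses at the bottom are constructed, not captured from the reporter's T540.

```c
/* Added example: decode an EFI_STATUS returned by UEFI LoadImage().
 * Not grub code; the grub call site it targets is an assumption (see lead-in). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* UEFI error statuses have the top bit of UINTN set; the low bits are the
 * code. x86_64 firmware uses 64-bit UINTN, 32-bit firmware uses bit 31. */
#define EFI_ERROR_BIT64 (UINT64_C(1) << 63)
#define EFI_ERROR_BIT32 (UINT64_C(1) << 31)

enum { EFI_OUT_OF_RESOURCES_CODE = 9 };

/* Error codes from the UEFI specification (status-code appendix). */
static const char *const uefi_error_names[] = {
    [1]  = "EFI_LOAD_ERROR",          /* image could not be parsed/loaded   */
    [2]  = "EFI_INVALID_PARAMETER",
    [3]  = "EFI_UNSUPPORTED",         /* image type unsupported on platform */
    [4]  = "EFI_BAD_BUFFER_SIZE",
    [5]  = "EFI_BUFFER_TOO_SMALL",
    [6]  = "EFI_NOT_READY",
    [7]  = "EFI_DEVICE_ERROR",
    [8]  = "EFI_WRITE_PROTECTED",
    [9]  = "EFI_OUT_OF_RESOURCES",
    [10] = "EFI_VOLUME_CORRUPTED",
    [11] = "EFI_VOLUME_FULL",
    [12] = "EFI_NO_MEDIA",
    [13] = "EFI_MEDIA_CHANGED",
    [14] = "EFI_NOT_FOUND",
    [15] = "EFI_ACCESS_DENIED",       /* platform policy refused the image  */
    [16] = "EFI_NO_RESPONSE",
    [17] = "EFI_NO_MAPPING",
    [18] = "EFI_TIMEOUT",
    [19] = "EFI_NOT_STARTED",
    [20] = "EFI_ALREADY_STARTED",
    [21] = "EFI_ABORTED",
    [22] = "EFI_ICMP_ERROR",
    [23] = "EFI_TFTP_ERROR",
    [24] = "EFI_PROTOCOL_ERROR",
    [25] = "EFI_INCOMPATIBLE_VERSION",
    [26] = "EFI_SECURITY_VIOLATION",  /* Secure Boot signature/db/dbx policy */
    [27] = "EFI_CRC_ERROR",
    [28] = "EFI_END_OF_MEDIA",
    [31] = "EFI_END_OF_FILE",
    [32] = "EFI_INVALID_LANGUAGE",
    [33] = "EFI_COMPROMISED_DATA",
};

/* Split a raw status into its code; returns 1 if the error bit was set.
 * Accepts both the 64-bit (0x80000000_0000001a) and 32-bit (0x8000001a)
 * encodings so a value copied from any firmware's output can be decoded. */
static int efi_status_split(uint64_t status, uint64_t *code)
{
    if (status & EFI_ERROR_BIT64) {
        *code = status & ~EFI_ERROR_BIT64;
        return 1;
    }
    if ((status >> 32) == 0 && (status & EFI_ERROR_BIT32)) {
        *code = status & ~EFI_ERROR_BIT32;
        return 1;
    }
    *code = status;
    return 0;
}

const char *efi_status_name(uint64_t status)
{
    uint64_t code;
    if (status == 0)
        return "EFI_SUCCESS";
    if (!efi_status_split(status, &code))
        return "EFI_WARN_* (non-error status)";
    if (code < sizeof uefi_error_names / sizeof uefi_error_names[0]
        && uefi_error_names[code])
        return uefi_error_names[code];
    return "unknown EFI error";
}

/* Reproduce grub's branching on the LoadImage status (out-of-resources
 * gets its own text, everything else is "cannot load image"), but append
 * the raw value and its name so the reporter's case becomes diagnosable. */
const char *load_image_message(uint64_t status)
{
    static char buf[128];
    uint64_t code;
    int is_err = efi_status_split(status, &code);

    if (status == 0)
        return "image loaded";
    snprintf(buf, sizeof buf, "%s (EFI status 0x%llx = %s)",
             (is_err && code == EFI_OUT_OF_RESOURCES_CODE) ? "out of resources"
                                                           : "cannot load image",
             (unsigned long long) status, efi_status_name(status));
    return buf;
}

int main(void)
{
    /* Constructed sample statuses, not values captured from the T540. */
    const uint64_t samples[] = {
        0,
        EFI_ERROR_BIT64 | 26,   /* typical Secure Boot rejection            */
        EFI_ERROR_BIT64 | 15,   /* platform policy refused to load          */
        EFI_ERROR_BIT64 | 3,    /* image type not supported                 */
        EFI_ERROR_BIT64 | 9,    /* the one case grub already names          */
        0x8000001AULL,          /* SECURITY_VIOLATION in 32-bit encoding    */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%016llx -> %s\n", (unsigned long long) samples[i],
               load_image_message(samples[i]));
    return 0;
}
```

If the code that comes out is EFI_SECURITY_VIOLATION or EFI_ACCESS_DENIED, the firmware's policy rejected the image itself, and the place to look is the Authenticode signature and the enrolled db/dbx rather than grub's PGP verification; EFI_UNSUPPORTED or EFI_LOAD_ERROR point at the image bytes or the way they were handed to LoadImage instead.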

