> I can boot the UKI EFI file without Secure Boot directly from a USB drive or the
> ESP, so the UKI is fine.
> With Secure Boot enabled I can boot the UKI from USB or ESP and no problem
> arises.
>
> The UKI is also totally fine, this is a GRUB bug.
> How to debug this?
>
--
Sent with Tuta; enjoy secure & ad-free emails: https://tuta.com

Jan 18, 2024, 13:57 by bug-grub@gnu.org:

>
> Hello,
>
>> my setup is as follows:
>> Thinkpad T540 machine with no TPM.
>>
>> ESP as FAT32 /efi
>> LUKS2 encrypted boot partition /boot
>> LUKS2 encrypted root /
>>
>> Unified Kernel Images generated and located in the root of /boot
>>
>> I deployed the Secure Boot keys with sbctl.
>> The grubx64.efi gets verified and loaded by the firmware successfully.
>> It contains the embedded PGP key used to sign all the files loaded after
>> unlocking the LUKS2 boot.
>>
>> My grub-install command:
>> grub-install --target=x86_64-efi --bootloader-id=GRUB --boot-directory=/boot \
>>   --efi-directory=/efi --disable-shim-lock --modules="gcry_sha512 gcry_dsa \
>>   gcry_rsa crypto pgp luks2 part_gpt part_msdos cryptodisk pbkdf2 \
>>   gcry_rijndael gcry_sha256 ext2" --pubkey=/boot/gpg/grub.pub
>>
>> My boot.cfg:
>>
>> insmod part_gpt
>> insmod part_msdos
>> insmod all_video
>> insmod fat
>> insmod chain
>>
>> set default="0"
>>
>> # More readable font on high dpi screen, generated with
>> # sudo grub-mkfont --output=/boot/grub/fonts/DejaVuSansMono24.pf2 \
>> #   --size=24 /usr/share/fonts/TTF/DejaVuSansMono.ttf
>>
>> # for non hiDPI screen
>> #font=unicode
>> font=DejaVuSansMono24
>>
>> if loadfont $font ; then
>>   set gfxmode=auto
>>   insmod gfxterm
>>   set locale_dir=$prefix/locale
>>   set lang=en_US
>>   insmod gettext
>> fi
>> terminal_input console
>> terminal_output gfxterm
>> set timeout_style=menu
>> set timeout=3
>>
>> if [ "$grub_platform" = "efi" ]; then
>>   insmod bli
>> fi
>>
>> ## set Theme
>> insmod png
>> insmod gfxmenu
>> loadfont $prefix/themes/default/terminus-12.pf2
>> loadfont $prefix/themes/default/terminus-14.pf2
>> loadfont $prefix/themes/default/terminus-16.pf2
>> loadfont $prefix/themes/default/terminus-18.pf2
>> loadfont $prefix/themes/default/ubuntu_regular_17.pf2
>> loadfont $prefix/themes/default/ubuntu_regular_20.pf2
>> set theme=$prefix/themes/default/theme-hidpi.txt
>> export theme
>>
>> # we need to set root to some partition which is not encrypted, otherwise the
>> # UKI's embedded EFI stub complains and fails to load
>> function setESP {
>>   root=""
>>   search --file --no-floppy --hint hd0,gpt1 --set=root /EFI/GRUB/grubx64.efi
>>   if [ -z "$root" ]; then
>>     root=(hd0,gpt1)
>>   fi
>> }
>>
>> menuentry "Arch Linux UKI Image" {
>>   setESP
>>   #echo 'Loading Linux Unified Kernel Image from boot'
>>   chainloader (crypto0)/arch-linux-uki.efi
>> }
>>
>> menuentry "Arch Linux Fallback UKI Image" {
>>   setESP
>>   #echo 'Loading Linux Fallback Unified Kernel Image from boot'
>>   chainloader (crypto0)/arch-linux-uki-fallback.efi
>> }
>>
>> All files are PGP signed and the corresponding .sig files are in place.
>> Booting without Secure Boot works smoothly.
>>
>> The machine does not have a TPM, therefore I omitted the tpm module for
>> grub-install.
>> With Secure Boot enabled grubx64.efi gets loaded, I enter the passphrase and
>> /boot gets unlocked and accessible via (crypto0).
>> Theme, fonts, and additional modules get loaded and verified via PGP.
>> Only the UKI images fail to load.
>> I tried:
>> to EFI sign the UKI files with sbctl
>> to PGP sign the UKI files
>> to EFI and after that PGP sign the UKI files
>> In all these three constellations I receive
>> error: cannot load image.
>>
>> When I don't put the sig files for the images I receive a more understandable:
>> error: bad signature.
>> So it seems grub checks the signature and validates, but then later it hangs up
>> on something?
>> Any idea why I can't load the images?
>>
>> I also tried to load a conventional initrd and linux kernel, also not
>> possible.
>> Any possibility to debug what exactly grub is trying to load and where the
>> verification process/loading process halts?
>>
>> As the firmware starts grub just fine, this seems to be a problem of grub's
>> loading/verification to me.
>> With grub 2.04 all worked just fine (LUKS1 boot partition) with Secure Boot
>> enabled.
>>
>> Looking for any advice
>>
>> Rodolfo
>>
>> --
>> Sent with Tuta; enjoy secure & ad-free emails:
>> https://tuta.com
>>
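An added helper script for the ".sig files are in place" step in the quoted report; it is not part of the thread and not GRUB's own tooling. With `--pubkey`, GRUB's pgp verifier only loads FILE when a detached FILE.sig exists and verifies against the embedded key, so a forgotten or stale .sig on a font, theme file or UKI produces "bad signature". The script lists files under a directory that lack a sibling .sig and verifies every FILE/FILE.sig pair against the key file with the host's gpg in a throwaway keyring. The paths (/boot and /boot/gpg/grub.pub) are taken from the report; everything else is assumed.

```shell
#!/bin/sh
# Added example (not from the bug-grub thread): audit the detached PGP
# signatures GRUB's pgp verifier relies on. GRUB refuses a file FILE that has
# no sibling FILE.sig or whose FILE.sig does not verify against the embedded
# key, so this is the first thing to rule out before suspecting the loader.
# Assumed from the report: /boot holds the signed files and /boot/gpg/grub.pub
# is the key. The host's gpg does the verifying; GRUB itself is not run.

# Print every regular file under $1 that has no sibling "<name>.sig"
# (.sig files themselves are skipped). Prints nothing when all are covered.
list_unsigned() {
    find "$1" -type f ! -name '*.sig' -print | while IFS= read -r f; do
        [ -f "$f.sig" ] || printf '%s\n' "$f"
    done
}

# Exit status 0 when every file under $1 has a .sig, 1 otherwise.
check_unsigned() {
    [ -z "$(list_unsigned "$1")" ]
}

# Verify every FILE/FILE.sig pair under $1 against the public key file $2,
# using a temporary GNUPGHOME so the host keyring cannot mask a wrong key.
# Prints the files that fail; exit status 0 only if every pair verifies
# (gpg exits 0 on a good signature even when the key is not certified).
verify_signatures() {
    dir=$1
    pubkey=$2
    tmphome=$(mktemp -d) || return 1
    chmod 700 "$tmphome"
    if ! GNUPGHOME=$tmphome gpg --batch --quiet --import "$pubkey" 2>/dev/null; then
        echo "cannot import $pubkey" >&2
        rm -rf "$tmphome"
        return 1
    fi
    failed=$(find "$dir" -type f -name '*.sig' -print | while IFS= read -r sig; do
        f=${sig%.sig}
        if ! GNUPGHOME=$tmphome gpg --batch --quiet --verify "$sig" "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done)
    rm -rf "$tmphome"
    if [ -n "$failed" ]; then
        printf '%s\n' "$failed"
        return 1
    fi
}

# Usage (as root, after /boot is unlocked):
#   sh check_grub_sigs.sh /boot /boot/gpg/grub.pub
if [ "$#" -eq 2 ]; then
    check_unsigned "$1" || { echo "files without .sig:" >&2; list_unsigned "$1" >&2; }
    verify_signatures "$1" "$2" && echo "all signatures verify"
fi
```

If every pair verifies and the failure is still "cannot load image" rather than "bad signature", the signature check is not the stage that fails; the documented GRUB variable `debug` (for example `set debug=all` at the GRUB prompt before selecting the entry) turns on the tracing output of all GRUB components and shows which step of the load rejects the file.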