On Fri, Jan 19, 2024 at 3:45 AM <[email protected]> wrote:
>
> I can boot the UKI EFI file without Secureboot directly from USB drive or
> the ESP, so the UKI is fine.
> With Secureboot enabled I can boot the UKI from USB or ESP and no problem
> arises.
>
> UKI is also totally fine, this is a GRUB bug.

The message is printed immediately after the call to UEFI LoadImage. So the
firmware refused this image for whatever reason.

> How to debug this

Modify grub to print EFI error code, this may give a starting point.

>
> Jan 18, 2024, 17:35 by [email protected]:
>
> > On 18.01.2024 07:18, rodolfosilva2--- via Support requests for the GRand
> > Unified Bootloader wrote:
> >
> >> Hello,
> >>
> >> my setup is as follows:
> >> Thinkpad T540 machine with no TPM.
> >>
> >> ESP as FAT32 /efi
> >> LUKS2 encrypted boot partition /boot
> >> LUKS2 encrypted root /
> >>
> >> Unified Kernel Images generated and located in root of /boot
> >>
> >> I deployed the SecureBoot keys with sbctl.
> >> The grubx64.efi gets verified and loaded by firmware successfully.
> >> It contains embedded PGP key used to sign all the files loaded after
> >> unlocking the LUKS2 boot.
> >>
> >> My grub-install command:
> >>
> >>   grub-install --target=x86_64-efi --bootloader-id=GRUB \
> >>     --boot-directory=/boot --efi-directory=/efi --disable-shim-lock \
> >>     --modules="gcry_sha512 gcry_dsa gcry_rsa crypto pgp luks2 part_gpt part_msdos cryptodisk pbkdf2 gcry_rijndael gcry_sha256 ext2" \
> >>     --pubkey=/boot/gpg/grub.pub
> >>
> >> My boot.cfg:
> >>
> >>   insmod part_gpt
> >>   insmod part_msdos
> >>   insmod all_video
> >>   insmod fat
> >>   insmod chain
> >>   set default="0"
> >>   # More readable font on high dpi screen, generated with
> >>   # sudo grub-mkfont --output=/boot/grub/fonts/DejaVuSansMono24.pf2 --size=24 /usr/share/fonts/TTF/DejaVuSansMono.ttf
> >>   # for non hiDPI screen
> >>   #font=unicode
> >>   font=DejaVuSansMono24
> >>   if loadfont $font ; then
> >>     set gfxmode=auto
> >>     insmod gfxterm
> >>     set locale_dir=$prefix/locale
> >>     set lang=en_US
> >>     insmod gettext
> >>   fi
> >>   terminal_input console
> >>   terminal_output gfxterm
> >>   set timeout_style=menu
> >>   set timeout=3
> >>   if [ "$grub_platform" = "efi" ]; then
> >>     insmod bli
> >>   fi
> >>   ## set Theme
> >>   insmod png
> >>   insmod gfxmenu
> >>   loadfont $prefix/themes/default/terminus-12.pf2
> >>   loadfont $prefix/themes/default/terminus-14.pf2
> >>   loadfont $prefix/themes/default/terminus-16.pf2
> >>   loadfont $prefix/themes/default/terminus-18.pf2
> >>   loadfont $prefix/themes/default/ubuntu_regular_17.pf2
> >>   loadfont $prefix/themes/default/ubuntu_regular_20.pf2
> >>   set theme=$prefix/themes/default/theme-hidpi.txt
> >>   export theme
> >>   # we need to set root to some partition which is not encrypted, otherwise
> >>   # the UKI's embedded EFI stub complains and fails to load
> >>   function setESP {
> >>     root=""
> >>     search --file --no-floppy --hint hd0,gpt1 --set=root /EFI/GRUB/grubx64.efi
> >>     if [ -z "$root" ]; then
> >>       root=(hd0,gpt1)
> >>     fi
> >>   }
> >>   menuentry "Arch Linux UKI Image" {
> >>     setESP
> >>     #echo 'Loading Linux Unified Kernel Image from boot'
> >>     chainloader (crypto0)/arch-linux-uki.efi
> >>   }
> >>   menuentry "Arch Linux Fallback UKI Image" {
> >>     setESP
> >>     #echo 'Loading Linux Fallback Unified Kernel Image from boot'
> >>     chainloader (crypto0)/arch-linux-uki-fallback.efi
> >>   }
> >>
> >> All files are PGP signed and the corresponding .sig files are in place.
> >>
> >
> > It has nothing to do with Secure Boot.
> >
> >> Booting without SecureBoot works smoothly.
> >>
> >> The machine does not have a TPM, therefore I omitted the tpm module for
> >> grub-install.
> >> Enabling Secureboot grubx64.efi gets loaded, I enter the passphrase and
> >> /boot gets unlocked and accessible via (crypto0)
> >> Theme, fonts, and additional modules get loaded and verified via PGP.
> >> Only the UKI images fail to load
> >> I tried:
> >>   to EFI sign the UKI files with sbctl
> >>   to PGP sign the UKI files
> >>   to EFI and after that PGP sign the UKI files
> >> in all these three constellations I receive
> >>   error: cannot load image.
> >>
> >
> > Can you load the same UKI image directly by firmware?
> >
> >> When I don't put the sig files for the images I receive a more
> >> understandable:
> >>   error: bad signature.
> >> So it seems grub checks signature and validates, but then later it hangs
> >> up on something?
> >> Any idea why I can't load the images?
> >>
> >> I also tried to load a conventional initrd and linux kernel, also not
> >> possible.
> >> Any possibility to debug what exactly grub is trying to load and where the
> >> verification process/loading process halts?
> >>
> >> As the firmware starts grub just fine, this seems a problem of grub's
> >> loading/verification for me.
> >> With grub 2.04 all worked just fine (LUKS1 boot part) with SecureBoot
> >> enabled.
> >>
> >> Looking for any advice
> >>
> >> Rodolfo
> >>
>
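When firmware refuses an image at LoadImage under Secure Boot, the first thing worth confirming is that the PE file actually carries an Authenticode certificate table for the firmware to check (a detached PGP .sig means nothing to UEFI). The script below is an added example, not code from GRUB, sbctl or anyone in this thread; the names `authenticode_table`, `describe` and `build_test_image` are hypothetical, and the PE32+ stub it tests against is constructed in memory.

```python
import struct

SECURITY_DIR = 4  # PE data directory slot holding the Authenticode certificate table


def authenticode_table(data: bytes):
    """Return (offset, size) of the certificate table, None if unsigned; ValueError if not PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 4 + 20                       # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x20B:                          # PE32+, what an x86_64 UKI uses
        count_off, dd_base = opt + 108, opt + 112
    elif magic == 0x10B:                        # PE32
        count_off, dd_base = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (n_dirs,) = struct.unpack_from("<I", data, count_off)
    if n_dirs <= SECURITY_DIR:
        return None                             # header too short to even have the slot
    off, size = struct.unpack_from("<II", data, dd_base + 8 * SECURITY_DIR)
    if size == 0:
        return None                             # slot present but empty: no signature
    if off + size > len(data):
        raise ValueError("certificate table points outside the file")
    return off, size                            # this entry is a raw file offset, not an RVA

def describe(data: bytes) -> str:
    table = authenticode_table(data)
    if table is None:
        return "no Authenticode table: LoadImage will reject it under Secure Boot"
    return "Authenticode table at 0x%x (%d bytes); its signer must be enrolled in db" % table

def build_test_image(signed: bool) -> bytes:
    """Constructed minimal PE32+ stub for the test below (not a real UKI)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x86_64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                           # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                            # NumberOfRvaAndSizes = 16
    cert = b"\0" * 64 if signed else b""                            # stand-in WIN_CERTIFICATE blob
    if signed:                                                      # table sits right after the headers
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, 0x40 + 4 + 20 + 240, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert

if __name__ == "__main__":
    import sys
    print(describe(open(sys.argv[1], "rb").read()))                 # e.g. path to arch-linux-uki.efi
```

A present table only shows the image is signed; whether the signer is in the enrolled db (and not in dbx) is a separate check, for instance with sbverify against the exported db certificate.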
