Bug#958925: grub-efi: Does not sign EFI entries.
El 27/4/20 a las 17:36, Steve McIntyre escribió: It brings all this upside down, and it's already spinning me around. I have followed this: https://wiki.debian.org/GrubEFIReinstall Best of all, it had another entry that led me to another file that did have the GRUB signature, but for "Secure Boot". In /boot/efi/EFI I have all this: root@local:/boot/efi/EFI# ls -l total 16 drwx-- 4 root root 4096 abr 28 11:31 . drwx-- 4 root root 4096 ene 1 1970 .. drwx-- 2 root root 4096 abr 28 01:48 boot drwx-- 2 root root 4096 abr 28 01:48 debian In boot is only bootx64.efi In debian only grubx64.efi and grub.cfg (this files only executing on the without "Secure Boot". I created an entry with the efibootmgr command, as follows: efibootmgr -c -d /dev/sda -p 1 -L Debian -l /EFI/boot/bootx64.efi I had 2 entries, which are somewhat similar, and I remember that I had to have another file called efiboot.efi, or something like that, which did come signed. What do I think is with the file grubnetx64.efi.signed or grubnetx64-installer.efi.signed (I see that they are 2 files the same, but with different input methods. These are in the grub-efi-amd-signed package). But I don't remember how I regenerate this, although I do have this: BootCurrent: 0001 Timeout: 1 seconds BootOrder: 0001, Boot* Windows Boot Manager HD(2,GPT,c2bdbf40-04ac-41ad-9773-c5d874927e08,0x109000,0x32000)/File(\EFI\MICROSOFT\BOOT\BOOTMGFW.EFI)WINDOWS.x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.} Boot0001* debian HD(1,GPT,569385db-cb51-4599-b31b-fc1791d4bd0e,0x800,0x10)/File(\EFI\debian\grubx64.efi). I had to delete one of the entries I have from efiboot.efi, because it did not work for me. And I had to format the ESP partition of the EFI this. Now I don't know how to regenerate all this. I did everything, I've been thinking about this for almost 24 hours, because I thought it was my fault, but no. I will have to reinstall everything from scratch. Thanks. -- Saludos de Santiago José López Borrazás. Enviando desde Mozilla Thunderbird.
Bug#958925: grub-efi: Does not sign EFI entries.
El 27/4/20 a las 17:36, Steve McIntyre escribió: Hi again.I was thinking about formatting the /boot/efi directory, because I think it's a directory problem, in case 2 appears. Well I see one in / boot/efi/Boot, with another one that is in /boot/efi/EFI/debian, because there is another one from debian, that is in /boot/efi/debian. I do not know, if it is because I have 2 directories equal to others, but with these different files that I see, which is the bootx64.efi file, which seems to be 2 sizes. The same is the failure in which it arises. Because these 2 problems can go there. I am sure I would have to fix it quickly later, with the Debian flash drive that I have to do everything in "Rescue Mode". I can do it, because if it doesn't work, it is then, the problem of the packages, for sure. -- Saludos de Santiago José López Borrazás. Enviando desde Mozilla Thunderbird.
Bug#958925: grub-efi: Does not sign EFI entries.
El 27/4/20 a las 17:36, Steve McIntyre escribió: > Can you run the following for me please? > $ COLUMNS=100 dpkg -l '*grub*' > > We did have a problem with the signed versions of grub binaries taking > a few days to come through the archive, in combination with too-tight > dependencies (bug #958722). That *might* have caused you to uninstall > the grub-efi-amd64-signed by accident. > > Things should now be fixed, I believe - let's see how your system is > set up. I, what I have are these packages: ii grub-common 2.04-7 amd64 GRand Unified Bootloader (common files) ii grub-efi 2.04-7 amd64 GRand Unified Bootloader, version 2 (dummy package) ii grub-efi-amd64 2.04-7 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 version) ii grub-efi-amd64-bin 2.04-7 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 modules) ii grub-efi-amd64-signed 1+2.04+7 amd64 GRand Unified Bootloader, version 2 (amd64 UEFI signed by Debian) ii grub-efi-amd64-signed-template 2.04-7 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 signing template) ii grub2-common 2.04-7 amd64 GRand Unified Bootloader (common files for version 2) With "grub-install / dev / sda" I had no problems, nor with "update-grub". Which doesn't tell me anything. Which does not give me errors. It's weird, because it doesn't tell me anything. Possibly what you are saying, which is due to the problem of the grub-efi-amd64-signed package, that I have installed. I don't see another one, because without "Secure Boot" I fit perfectly, with "Secure Boot" not. -- Saludos de Santiago José López Borrazás. Enviando desde Mozilla Thunderbird.
Bug#958925: grub-efi: Does not sign EFI entries.
On Mon, Apr 27, 2020 at 05:25:10PM +0200, Santiago José López Borrazás wrote: >El 27/4/20 a las 17:07, Steve McIntyre escribió: >> I'm sorry, I don't understand what you're saying here. Can you please >> explain a little more? What exactly are you trying to do? What exactly >> is happening that you don't expect? >Nothing, installing the new Grub 2.0.4-7 packages, which are already in the >unstable branch. > >It is that, it is rare, that when I tried to install everything, the boot in >safe mode does not recognize me in UEFI mode. I had to remove the "Secure >boot" to enter Linux, because in another Win partition it does work. > >I did nothing, just install the packages that had to be for the boot to work >in EFI. > >Therefore, it does not allow me to enter "secure boot", if I remove it, I >enter perfectly. > >This, in 2.0.4-6, does not happen to me, or that I have not had any problem, >and yes in this new version. And it's weird. Can you run the following for me please? $ COLUMNS=100 dpkg -l '*grub*' We did have a problem with the signed versions of grub binaries taking a few days to come through the archive, in combination with too-tight dependencies (bug #958722). That *might* have caused you to uninstall the grub-efi-amd64-signed by accident. Things should now be fixed, I believe - let's see how your system is set up. -- Steve McIntyre, Cambridge, UK.st...@einval.com "You can't barbecue lettuce!" -- Ellie Crane
Bug#958925: grub-efi: Does not sign EFI entries.
El 27/4/20 a las 17:07, Steve McIntyre escribió: > I'm sorry, I don't understand what you're saying here. Can you please > explain a little more? What exactly are you trying to do? What exactly > is happening that you don't expect? Nothing, installing the new Grub 2.0.4-7 packages, which are already in the unstable branch. It is that, it is rare, that when I tried to install everything, the boot in safe mode does not recognize me in UEFI mode. I had to remove the "Secure boot" to enter Linux, because in another Win partition it does work. I did nothing, just install the packages that had to be for the boot to work in EFI. Therefore, it does not allow me to enter "secure boot", if I remove it, I enter perfectly. This, in 2.0.4-6, does not happen to me, or that I have not had any problem, and yes in this new version. And it's weird. -- Saludos de Santiago José López Borrazás. Enviando desde Mozilla Thunderbird.
Bug#958925: grub-efi: Does not sign EFI entries.
Hi Santiago, On Sun, Apr 26, 2020 at 08:38:57PM +0200, Santiago José López Borrazás wrote: >Package: grub-efi >Version: 2.04-7 >Severity: important > >Dear Maintainer, > >The new version of GRUB, which is 2.0.4-7, I find a problem that does not sign, >or does not collect the EFI signature, that for this, I have to disable the >"Secure Boot" implementation, because it does not load even the of three. > >I already tried with the Debian pendrive to install and load the GRUB, along >with the command "update-grub", but nothing, I have to disable the "Secure >Boot" to do this job, because it does not load. > >In the previous version, which was 2.0.4-6, it did load perfectly, but this >other version, no, not even in dreams. > >This that I give, is through the secondary disk, which is /dev/sda. I'm sorry, I don't understand what you're saying here. Can you please explain a little more? What exactly are you trying to do? What exactly is happening that you don't expect? -- Steve McIntyre, Cambridge, UK.st...@einval.com "We're the technical experts. We were hired so that management could ignore our recommendations and tell us how to do our jobs." -- Mike Andrews
Bug#958925: grub-efi: Does not sign EFI entries.
Package: grub-efi Version: 2.04-7 Severity: important Dear Maintainer, The new version of GRUB, which is 2.0.4-7, I find a problem that does not sign, or does not collect the EFI signature, that for this, I have to disable the "Secure Boot" implementation, because it does not load even the of three. I already tried with the Debian pendrive to install and load the GRUB, along with the command "update-grub", but nothing, I have to disable the "Secure Boot" to do this job, because it does not load. In the previous version, which was 2.0.4-6, it did load perfectly, but this other version, no, not even in dreams. This that I give, is through the secondary disk, which is /dev/sda. -- Package-specific info: *** BEGIN /proc/mounts /dev/sda2 / ext4 rw,noatime,nobarrier,errors=remount-ro 0 0 /dev/loop2 /snap/spotify/41 squashfs ro,nodev,relatime 0 0 /dev/loop1 /snap/core18/1705 squashfs ro,nodev,relatime 0 0 /dev/loop0 /snap/snapd/7264 squashfs ro,nodev,relatime 0 0 /dev/sda1 /boot/efi vfat rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 0 /dev/sda4 /home ext4 rw,noatime,nobarrier 0 0 *** END /proc/mounts *** BEGIN /boot/grub/grub.cfg # # DO NOT EDIT THIS FILE # # It is automatically generated by grub-mkconfig using templates # from /etc/grub.d and settings from /etc/default/grub # ### BEGIN /etc/grub.d/00_header ### if [ -s $prefix/grubenv ]; then set have_grubenv=true load_env fi if [ "${next_entry}" ] ; then set default="${next_entry}" set next_entry= save_env next_entry set boot_once=true else set default="0" fi if [ x"${feature_menuentry_id}" = xy ]; then menuentry_id_option="--id" else menuentry_id_option="" fi export menuentry_id_option if [ "${prev_saved_entry}" ]; then set saved_entry="${prev_saved_entry}" save_env saved_entry set prev_saved_entry= save_env prev_saved_entry set boot_once=true fi function savedefault { if [ -z "${boot_once}" ]; then saved_entry="${chosen}" save_env saved_entry fi } function load_video { if [ x$feature_all_video_module = xy ]; then insmod all_video else insmod efi_gop insmod efi_uga insmod ieee1275_fb insmod vbe insmod vga insmod video_bochs insmod video_cirrus fi } terminal_input console terminal_output console if [ "${recordfail}" = 1 ] ; then set timeout=30 else if [ x$feature_timeout_style = xy ] ; then set timeout_style=menu set timeout=5 # Fallback normal timeout code in case the timeout_style feature is # unavailable. else set timeout=5 fi fi ### END /etc/grub.d/00_header ### ### BEGIN /etc/grub.d/05_debian_theme ### set menu_color_normal=cyan/blue set menu_color_highlight=white/blue ### END /etc/grub.d/05_debian_theme ### ### BEGIN /etc/grub.d/10_linux ### function gfxmode { set gfxpayload="${1}" } set linux_gfx_mode= export linux_gfx_mode menuentry 'Debian GNU/Linux' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-8a5321fa-c430-49f8-a226-99174412a978' { load_video insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod ext2 set root='hd0,gpt2' if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt2 --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2 8a5321fa-c430-49f8-a226-99174412a978 else search --no-floppy --fs-uuid --set=root 8a5321fa-c430-49f8-a226-99174412a978 fi echo'Loading Linux 5.5.0-2-amd64 ...' linux /boot/vmlinuz-5.5.0-2-amd64 root=UUID=8a5321fa-c430-49f8-a226-99174412a978 ro quiet i915.enable_psr=0 echo'Loading initial ramdisk ...' initrd /boot/initrd.img-5.5.0-2-amd64 } submenu 'Advanced options for Debian GNU/Linux' $menuentry_id_option 'gnulinux-advanced-8a5321fa-c430-49f8-a226-99174412a978' { menuentry 'Debian GNU/Linux, with Linux 5.5.0-2-amd64' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.5.0-2-amd64-advanced-8a5321fa-c430-49f8-a226-99174412a978' { load_video insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod ext2 set root='hd0,gpt2' if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt2 --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2 8a5321fa-c430-49f8-a226-99174412a978 else search --no-floppy --fs-uuid --set=root 8a5321fa-c430-49f8-a226-99174412a978 fi echo'Loading Linux 5.5.0-2-amd64 ...' linux /boot/vmlinuz-5.5.0-2-amd64