Bug#958925: grub-efi: Does not sign EFI entries.
El 27/4/20 a las 17:36, Steve McIntyre escribió:
It brings all this upside down, and it's already spinning me around.
I have followed this:
https://wiki.debian.org/GrubEFIReinstall
Best of all, it had another entry that led me to another file that did have
the GRUB signature, but for "Secure Boot".
In /boot/efi/EFI I have all this:
root@local:/boot/efi/EFI# ls -l
total 16
drwx-- 4 root root 4096 abr 28 11:31 .
drwx-- 4 root root 4096 ene 1 1970 ..
drwx-- 2 root root 4096 abr 28 01:48 boot
drwx-- 2 root root 4096 abr 28 01:48 debian
In boot is only bootx64.efi
In debian only grubx64.efi and grub.cfg (this files only executing on the
without "Secure Boot".
I created an entry with the efibootmgr command, as follows:
efibootmgr -c -d /dev/sda -p 1 -L Debian -l /EFI/boot/bootx64.efi
I had 2 entries, which are somewhat similar, and I remember that I had to
have another file called efiboot.efi, or something like that, which did come
signed. What do I think is with the file grubnetx64.efi.signed or
grubnetx64-installer.efi.signed (I see that they are 2 files the same, but
with different input methods. These are in the grub-efi-amd-signed package).
But I don't remember how I regenerate this, although I do have this:
BootCurrent: 0001
Timeout: 1 seconds
BootOrder: 0001,
Boot* Windows Boot Manager
HD(2,GPT,c2bdbf40-04ac-41ad-9773-c5d874927e08,0x109000,0x32000)/File(\EFI\MICROSOFT\BOOT\BOOTMGFW.EFI)WINDOWS.x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}
Boot0001* debian
HD(1,GPT,569385db-cb51-4599-b31b-fc1791d4bd0e,0x800,0x10)/File(\EFI\debian\grubx64.efi).
I had to delete one of the entries I have from efiboot.efi, because it did
not work for me. And I had to format the ESP partition of the EFI this.
Now I don't know how to regenerate all this.
I did everything, I've been thinking about this for almost 24 hours, because
I thought it was my fault, but no.
I will have to reinstall everything from scratch.
Thanks.
--
Saludos de Santiago José López Borrazás.
Enviando desde Mozilla Thunderbird.
Bug#958925: grub-efi: Does not sign EFI entries.
El 27/4/20 a las 17:36, Steve McIntyre escribió: Hi again.I was thinking about formatting the /boot/efi directory, because I think it's a directory problem, in case 2 appears. Well I see one in / boot/efi/Boot, with another one that is in /boot/efi/EFI/debian, because there is another one from debian, that is in /boot/efi/debian. I do not know, if it is because I have 2 directories equal to others, but with these different files that I see, which is the bootx64.efi file, which seems to be 2 sizes. The same is the failure in which it arises. Because these 2 problems can go there. I am sure I would have to fix it quickly later, with the Debian flash drive that I have to do everything in "Rescue Mode". I can do it, because if it doesn't work, it is then, the problem of the packages, for sure. -- Saludos de Santiago José López Borrazás. Enviando desde Mozilla Thunderbird.
Bug#958925: grub-efi: Does not sign EFI entries.
El 27/4/20 a las 17:36, Steve McIntyre escribió: > Can you run the following for me please? > $ COLUMNS=100 dpkg -l '*grub*' > > We did have a problem with the signed versions of grub binaries taking > a few days to come through the archive, in combination with too-tight > dependencies (bug #958722). That *might* have caused you to uninstall > the grub-efi-amd64-signed by accident. > > Things should now be fixed, I believe - let's see how your system is > set up. I, what I have are these packages: ii grub-common 2.04-7 amd64 GRand Unified Bootloader (common files) ii grub-efi 2.04-7 amd64 GRand Unified Bootloader, version 2 (dummy package) ii grub-efi-amd64 2.04-7 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 version) ii grub-efi-amd64-bin 2.04-7 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 modules) ii grub-efi-amd64-signed 1+2.04+7 amd64 GRand Unified Bootloader, version 2 (amd64 UEFI signed by Debian) ii grub-efi-amd64-signed-template 2.04-7 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 signing template) ii grub2-common 2.04-7 amd64 GRand Unified Bootloader (common files for version 2) With "grub-install / dev / sda" I had no problems, nor with "update-grub". Which doesn't tell me anything. Which does not give me errors. It's weird, because it doesn't tell me anything. Possibly what you are saying, which is due to the problem of the grub-efi-amd64-signed package, that I have installed. I don't see another one, because without "Secure Boot" I fit perfectly, with "Secure Boot" not. -- Saludos de Santiago José López Borrazás. Enviando desde Mozilla Thunderbird.
Bug#958925: grub-efi: Does not sign EFI entries.
On Mon, Apr 27, 2020 at 05:25:10PM +0200, Santiago José López Borrazás wrote: >El 27/4/20 a las 17:07, Steve McIntyre escribió: >> I'm sorry, I don't understand what you're saying here. Can you please >> explain a little more? What exactly are you trying to do? What exactly >> is happening that you don't expect? >Nothing, installing the new Grub 2.0.4-7 packages, which are already in the >unstable branch. > >It is that, it is rare, that when I tried to install everything, the boot in >safe mode does not recognize me in UEFI mode. I had to remove the "Secure >boot" to enter Linux, because in another Win partition it does work. > >I did nothing, just install the packages that had to be for the boot to work >in EFI. > >Therefore, it does not allow me to enter "secure boot", if I remove it, I >enter perfectly. > >This, in 2.0.4-6, does not happen to me, or that I have not had any problem, >and yes in this new version. And it's weird. Can you run the following for me please? $ COLUMNS=100 dpkg -l '*grub*' We did have a problem with the signed versions of grub binaries taking a few days to come through the archive, in combination with too-tight dependencies (bug #958722). That *might* have caused you to uninstall the grub-efi-amd64-signed by accident. Things should now be fixed, I believe - let's see how your system is set up. -- Steve McIntyre, Cambridge, UK.st...@einval.com "You can't barbecue lettuce!" -- Ellie Crane
Bug#958925: grub-efi: Does not sign EFI entries.
El 27/4/20 a las 17:07, Steve McIntyre escribió: > I'm sorry, I don't understand what you're saying here. Can you please > explain a little more? What exactly are you trying to do? What exactly > is happening that you don't expect? Nothing, installing the new Grub 2.0.4-7 packages, which are already in the unstable branch. It is that, it is rare, that when I tried to install everything, the boot in safe mode does not recognize me in UEFI mode. I had to remove the "Secure boot" to enter Linux, because in another Win partition it does work. I did nothing, just install the packages that had to be for the boot to work in EFI. Therefore, it does not allow me to enter "secure boot", if I remove it, I enter perfectly. This, in 2.0.4-6, does not happen to me, or that I have not had any problem, and yes in this new version. And it's weird. -- Saludos de Santiago José López Borrazás. Enviando desde Mozilla Thunderbird.
Bug#958925: grub-efi: Does not sign EFI entries.
Hi Santiago, On Sun, Apr 26, 2020 at 08:38:57PM +0200, Santiago José López Borrazás wrote: >Package: grub-efi >Version: 2.04-7 >Severity: important > >Dear Maintainer, > >The new version of GRUB, which is 2.0.4-7, I find a problem that does not sign, >or does not collect the EFI signature, that for this, I have to disable the >"Secure Boot" implementation, because it does not load even the of three. > >I already tried with the Debian pendrive to install and load the GRUB, along >with the command "update-grub", but nothing, I have to disable the "Secure >Boot" to do this job, because it does not load. > >In the previous version, which was 2.0.4-6, it did load perfectly, but this >other version, no, not even in dreams. > >This that I give, is through the secondary disk, which is /dev/sda. I'm sorry, I don't understand what you're saying here. Can you please explain a little more? What exactly are you trying to do? What exactly is happening that you don't expect? -- Steve McIntyre, Cambridge, UK.st...@einval.com "We're the technical experts. We were hired so that management could ignore our recommendations and tell us how to do our jobs." -- Mike Andrews
Bug#958925: grub-efi: Does not sign EFI entries.
Package: grub-efi
Version: 2.04-7
Severity: important
Dear Maintainer,
The new version of GRUB, which is 2.0.4-7, I find a problem that does not sign,
or does not collect the EFI signature, that for this, I have to disable the
"Secure Boot" implementation, because it does not load even the of three.
I already tried with the Debian pendrive to install and load the GRUB, along
with the command "update-grub", but nothing, I have to disable the "Secure
Boot" to do this job, because it does not load.
In the previous version, which was 2.0.4-6, it did load perfectly, but this
other version, no, not even in dreams.
This that I give, is through the secondary disk, which is /dev/sda.
-- Package-specific info:
*** BEGIN /proc/mounts
/dev/sda2 / ext4 rw,noatime,nobarrier,errors=remount-ro 0 0
/dev/loop2 /snap/spotify/41 squashfs ro,nodev,relatime 0 0
/dev/loop1 /snap/core18/1705 squashfs ro,nodev,relatime 0 0
/dev/loop0 /snap/snapd/7264 squashfs ro,nodev,relatime 0 0
/dev/sda1 /boot/efi vfat
rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro
0 0
/dev/sda4 /home ext4 rw,noatime,nobarrier 0 0
*** END /proc/mounts
*** BEGIN /boot/grub/grub.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#
### BEGIN /etc/grub.d/00_header ###
if [ -s $prefix/grubenv ]; then
set have_grubenv=true
load_env
fi
if [ "${next_entry}" ] ; then
set default="${next_entry}"
set next_entry=
save_env next_entry
set boot_once=true
else
set default="0"
fi
if [ x"${feature_menuentry_id}" = xy ]; then
menuentry_id_option="--id"
else
menuentry_id_option=""
fi
export menuentry_id_option
if [ "${prev_saved_entry}" ]; then
set saved_entry="${prev_saved_entry}"
save_env saved_entry
set prev_saved_entry=
save_env prev_saved_entry
set boot_once=true
fi
function savedefault {
if [ -z "${boot_once}" ]; then
saved_entry="${chosen}"
save_env saved_entry
fi
}
function load_video {
if [ x$feature_all_video_module = xy ]; then
insmod all_video
else
insmod efi_gop
insmod efi_uga
insmod ieee1275_fb
insmod vbe
insmod vga
insmod video_bochs
insmod video_cirrus
fi
}
terminal_input console
terminal_output console
if [ "${recordfail}" = 1 ] ; then
set timeout=30
else
if [ x$feature_timeout_style = xy ] ; then
set timeout_style=menu
set timeout=5
# Fallback normal timeout code in case the timeout_style feature is
# unavailable.
else
set timeout=5
fi
fi
### END /etc/grub.d/00_header ###
### BEGIN /etc/grub.d/05_debian_theme ###
set menu_color_normal=cyan/blue
set menu_color_highlight=white/blue
### END /etc/grub.d/05_debian_theme ###
### BEGIN /etc/grub.d/10_linux ###
function gfxmode {
set gfxpayload="${1}"
}
set linux_gfx_mode=
export linux_gfx_mode
menuentry 'Debian GNU/Linux' --class debian --class gnu-linux --class gnu
--class os $menuentry_id_option
'gnulinux-simple-8a5321fa-c430-49f8-a226-99174412a978' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_gpt
insmod ext2
set root='hd0,gpt2'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt2
--hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2
8a5321fa-c430-49f8-a226-99174412a978
else
search --no-floppy --fs-uuid --set=root
8a5321fa-c430-49f8-a226-99174412a978
fi
echo'Loading Linux 5.5.0-2-amd64 ...'
linux /boot/vmlinuz-5.5.0-2-amd64
root=UUID=8a5321fa-c430-49f8-a226-99174412a978 ro quiet i915.enable_psr=0
echo'Loading initial ramdisk ...'
initrd /boot/initrd.img-5.5.0-2-amd64
}
submenu 'Advanced options for Debian GNU/Linux' $menuentry_id_option
'gnulinux-advanced-8a5321fa-c430-49f8-a226-99174412a978' {
menuentry 'Debian GNU/Linux, with Linux 5.5.0-2-amd64' --class debian
--class gnu-linux --class gnu --class os $menuentry_id_option
'gnulinux-5.5.0-2-amd64-advanced-8a5321fa-c430-49f8-a226-99174412a978' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio;
fi
insmod part_gpt
insmod ext2
set root='hd0,gpt2'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt2
--hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2
8a5321fa-c430-49f8-a226-99174412a978
else
search --no-floppy --fs-uuid --set=root
8a5321fa-c430-49f8-a226-99174412a978
fi
echo'Loading Linux 5.5.0-2-amd64 ...'
linux /boot/vmlinuz-5.5.0-2-amd64
