Hello,
> my setup is as follows:
> Thinkpad T540 machine with no TPM.
>
> ESP as FAT32 /efi
> LUKS2 encrypted boot partition /boot
> LUKS2 encrypted root /
>
> Unified Kernel Images generated and located in the root of /boot
>
> I deployed the SecureBoot keys with sbctl.
> The grubx64.efi gets verified and loaded by the firmware successfully.
> It contains an embedded PGP key used to sign all the files loaded after
> unlocking the LUKS2 boot.
>
> My grub-install command:
> grub-install --target=x86_64-efi --bootloader-id=GRUB --boot-directory=/boot \
>   --efi-directory=/efi --disable-shim-lock \
>   --modules="gcry_sha512 gcry_dsa gcry_rsa crypto pgp luks2 part_gpt part_msdos cryptodisk pbkdf2 gcry_rijndael gcry_sha256 ext2" \
>   --pubkey=/boot/gpg/grub.pub
>
> My boot.cfg:
>
> insmod part_gpt
> insmod part_msdos
> insmod all_video
> insmod fat
> insmod chain
>
> set default="0"
>
> # More readable font on high dpi screen, generated with
> # sudo grub-mkfont --output=/boot/grub/fonts/DejaVuSansMono24.pf2 --size=24 /usr/share/fonts/TTF/DejaVuSansMono.ttf
>
> #for non hiDPI Screen
> #font=unicode
> font=DejaVuSansMono24
>
> if loadfont $font ; then
>   set gfxmode=auto
>   insmod gfxterm
>   set locale_dir=$prefix/locale
>   set lang=en_US
>   insmod gettext
> fi
> terminal_input console
> terminal_output gfxterm
> set timeout_style=menu
> set timeout=3
>
> if [ "$grub_platform" = "efi" ]; then
>   insmod bli
> fi
>
> ## set Theme
> insmod png
> insmod gfxmenu
> loadfont $prefix/themes/default/terminus-12.pf2
> loadfont $prefix/themes/default/terminus-14.pf2
> loadfont $prefix/themes/default/terminus-16.pf2
> loadfont $prefix/themes/default/terminus-18.pf2
> loadfont $prefix/themes/default/ubuntu_regular_17.pf2
> loadfont $prefix/themes/default/ubuntu_regular_20.pf2
> set theme=$prefix/themes/default/theme-hidpi.txt
> export theme
>
> #we need to set root to some partition which is not encrypted, otherwise the UKI's
> #embedded EFI Stub complains and fails to load
> function setESP {
>   root=""
>   search --file --no-floppy --hint hd0,gpt1 --set=root /EFI/GRUB/grubx64.efi
>   if [ -z "$root" ]; then
>     root=(hd0,gpt1)
>   fi
> }
>
> menuentry "Arch Linux UKI Image" {
>   setESP
>   #echo 'Loading Linux Unified Kernel Image from boot'
>   chainloader (crypto0)/arch-linux-uki.efi
> }
>
> menuentry "Arch Linux Fallback UKI Image" {
>   setESP
>   #echo 'Loading Linux Fallback Unified Kernel Image from boot'
>   chainloader (crypto0)/arch-linux-uki-fallback.efi
> }
>
> All files are PGP signed and the corresponding .sig files are in place.
> Booting without SecureBoot works smoothly.
>
> The machine does not have a TPM, therefore I omitted the tpm module for
> grub-install.
> With SecureBoot enabled, grubx64.efi gets loaded, I enter the passphrase and /boot
> gets unlocked and accessible via (crypto0).
> Theme, fonts, and additional modules get loaded and verified via PGP.
> Only the UKI images fail to load.
> I tried:
> to EFI sign the UKI files with sbctl
> to PGP sign the UKI files
> to EFI and after that PGP sign the UKI files
> In all these three constellations I receive
> error: cannot load image.
>
> When I don't put the sig files for the images there, I receive a more understandable:
> error: bad signature.
> So it seems grub checks the signature and validates it, but then later it hangs up
> on something?
> Any idea why I can't load the images?
>
> I also tried to load a conventional initrd and linux kernel, also not
> possible.
> Any possibility to debug what exactly grub is trying to load and where the
> verification process/loading process halts?
>
> As the firmware starts grub just fine, this seems a problem of grub's
> loading/verification to me.
> With grub 2.04 all worked just fine (LUKS1 boot part) with SecureBoot enabled.
>
> Looking for any advice
>
> Rodolfo
>
> --
> Sent with Tuta; enjoy secure & ad-free emails:
> https://tuta.com
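A way to get the per-step output Rodolfo asks for, as an added example that is not part of the quoted mail or of GRUB's own documentation for this setup: a debug menuentry that drops to the plain console, checks the trusted-key list and the detached PGP signature explicitly, and only then turns on GRUB's `debug` output around the `chainloader` call, so the console shows whether the failure is in the signature check or in the image load itself. It assumes it sits in the same boot.cfg as the posted config (so `setESP` and the `(crypto0)/arch-linux-uki.efi` paths exist as posted) and that the `pgp` module providing `list_trusted` and `verify_detached` is built in, as the posted grub-install `--modules` list does.

```grub
menuentry "Arch Linux UKI Image (debug)" {
    # Leave the themed gfxterm so the debug lines are readable, and page them.
    terminal_output console
    set pager=1

    # Show the keys GRUB actually trusts; the key given via --pubkey must be listed.
    list_trusted

    # Run the same detached-signature check the pgp verifier performs on open(),
    # explicitly, so a signature problem is reported on its own before loading.
    verify_detached (crypto0)/arch-linux-uki.efi (crypto0)/arch-linux-uki.efi.sig

    # Enable grub_dprintf output from every component only for the load itself;
    # "all" is very verbose, which is why it is scoped to this block.
    setESP
    set debug=all
    chainloader (crypto0)/arch-linux-uki.efi
    unset debug
}
```

If `verify_detached` succeeds and the error still appears only at `chainloader`, the debug trace narrows the problem to the EFI image load rather than to GRUB's PGP verification; if `verify_detached` itself fails, the `.sig` or the trusted key is the place to look.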