Re: Can't chainload UKI Image with enabled Secureboot

2024-01-18 Thread rodolfosilva2--- via Bug reports for the GRand Unified Bootloader
> I can boot the UKI EFI file without Secureboot directly from USB drive or the 
> ESP, so the UKI is fine.
> With Secureboot enabled I can boot the UKI from USB or ESP and no problem 
> arises.
>
> UKI is also totally fine, this is a GRUB bug.
> How to debug this?
>
>

-- 
 Sent with Tuta; enjoy secure & ad-free emails: 
 https://tuta.com


Jan 18, 2024, 13:57 by bug-grub@gnu.org:

>
> Hello,
>
>>
>> my setup is as follows:
>> Thinkpad T540 machine with no TPM.
>>
>> ESP as FAT32 /efi
>> LUKS2 encrypted bootpartition  /boot
>> LUKS2 encrypted root /
>>
>> Unified Kernel Images generated and located in root of /boot
>>
>> I deployed the SecureBoot keys with sbctl.
>> The grubx64.efi gets verified and loaded by Firmware successfully.
>> It contains embedded PGP key used to sign all the files loaded after 
>> unlocking the LUKS2 boot.
>>
>> My grub-install command:
>> grub-install --target=x86_64-efi --bootloader-id=GRUB --boot-directory=/boot --efi-directory=/efi --disable-shim-lock --modules="gcry_sha512 gcry_dsa gcry_rsa crypto pgp luks2 part_gpt part_msdos cryptodisk pbkdf2 gcry_rijndael gcry_sha256 ext2" --pubkey=/boot/gpg/grub.pub
>>
>>
>> My boot.cfg:
>>
>> insmod part_gpt 
>> insmod part_msdos 
>> insmod all_video 
>> insmod fat 
>> insmod chain 
>>  
>> set default="0" 
>>  
>> # More readable font on high dpi screen, generated with 
>> # sudo grub-mkfont --output=/boot/grub/fonts/DejaVuSansMono24.pf2 --size=24 /usr/share/fonts/TTF/DejaVuSansMono.ttf 
>>  
>> #for non hiDPI Screen 
>> #font=unicode 
>> font=DejaVuSansMono24 
>>  
>> if loadfont $font ; then 
>>   set gfxmode=auto 
>>   insmod gfxterm 
>>   set locale_dir=$prefix/locale 
>>   set lang=en_US 
>>   insmod gettext 
>> fi 
>> terminal_input console 
>> terminal_output gfxterm 
>> set timeout_style=menu 
>> set timeout=3 
>>  
>> if [ "$grub_platform" = "efi" ]; then 
>>   insmod bli 
>> fi 
>>  
>> ## set Theme 
>> insmod png 
>> insmod gfxmenu 
>> loadfont $prefix/themes/default/terminus-12.pf2 
>> loadfont $prefix/themes/default/terminus-14.pf2 
>> loadfont $prefix/themes/default/terminus-16.pf2 
>> loadfont $prefix/themes/default/terminus-18.pf2 
>> loadfont $prefix/themes/default/ubuntu_regular_17.pf2 
>> loadfont $prefix/themes/default/ubuntu_regular_20.pf2 
>> set theme=$prefix/themes/default/theme-hidpi.txt 
>> export theme 
>>  
>> # we need to set root to some partition which is not encrypted, otherwise the 
>> # UKI's embedded EFI stub complains and fails to load 
>> function setESP { 
>>     root=""
>>     search --file --no-floppy --hint hd0,gpt1 --set=root /EFI/GRUB/grubx64.efi 
>>     if [ -z "$root" ]; then 
>>         root=(hd0,gpt1)
>>     fi 
>> } 
>>  
>> menuentry "Arch Linux UKI Image" { 
>>     setESP 
>>     #echo 'Loading Linux Unified Kernel Image from boot' 
>>     chainloader (crypto0)/arch-linux-uki.efi 
>> } 
>>  
>> menuentry "Arch Linux Fallback UKI Image" { 
>>     setESP 
>>     #echo 'Loading Linux Fallback Unified Kernel Image from boot' 
>>     chainloader (crypto0)/arch-linux-uki-fallback.efi 
>> }
>> All files are PGP signed and the corresponding .sig files are in place.
>> Booting without SecureBoot works smoothly.
>>
>> The machine does not have a TPM, therefore I omitted the tpm module for 
>> grub-install.
>> With Secureboot enabled, grubx64.efi gets loaded, I enter the passphrase and 
>> /boot gets unlocked and accessible via (crypto0).
>> Theme, fonts, and additional modules get loaded and verified via PGP.
>> Only the UKI images fail to load.
>> I tried:
>> to EFI sign the UKI files with sbctl
>> to PGP sign the UKI files
>> to EFI and after that PGP sign the UKI files
>> In all these three constellations I receive
>> error: cannot load image.
>>
>> When I don't put the .sig files for the images in place I receive a more understandable:
>> error: bad signature.
>> So it seems grub checks the signature and validates it, but then later it hangs up 
>> on something?
>> Any idea why I can't load the images?
>>
>> I also tried to load a conventional initrd and linux kernel, also not 
>> possible.
>> Any possibility to debug what exactly grub is trying to load and where the 
>> verification process/loading process halts?
>>
>> As the firmware starts grub just fine, this seems to be a problem of grub's 
>> loading/verification for me.
>> With grub 2.04 all worked just fine (LUKS1 boot part) with SecureBoot 
>> enabled.
>>
>> Looking for any advice
>>
>> Rodolfo
>>
>> --
>> Sent with Tuta; enjoy secure & ad-free emails:
>> https://tuta.com
>>
Can't chainload UKI Image with enabled Secureboot

2024-01-18 Thread rodolfosilva2--- via Bug reports for the GRand Unified Bootloader


Hello,

>
> my setup is as follows:
> Thinkpad T540 machine with no TPM.
>
> ESP as FAT32 /efi
> LUKS2 encrypted bootpartition  /boot
> LUKS2 encrypted root /
>
> Unified Kernel Images generated and located in root of /boot
>
> I deployed the SecureBoot keys with sbctl.
> The grubx64.efi gets verified and loaded by Firmware successfully.
> It contains embedded PGP key used to sign all the files loaded after 
> unlocking the LUKS2 boot.
>
> My grub-install command:
> grub-install --target=x86_64-efi --bootloader-id=GRUB --boot-directory=/boot --efi-directory=/efi --disable-shim-lock --modules="gcry_sha512 gcry_dsa gcry_rsa crypto pgp luks2 part_gpt part_msdos cryptodisk pbkdf2 gcry_rijndael gcry_sha256 ext2" --pubkey=/boot/gpg/grub.pub
>
>
> My boot.cfg:
>
> insmod part_gpt 
> insmod part_msdos 
> insmod all_video 
> insmod fat 
> insmod chain 
>  
> set default="0" 
>  
> # More readable font on high dpi screen, generated with 
> # sudo grub-mkfont --output=/boot/grub/fonts/DejaVuSansMono24.pf2 --size=24 /usr/share/fonts/TTF/DejaVuSansMono.ttf 
>  
> #for non hiDPI Screen 
> #font=unicode 
> font=DejaVuSansMono24 
>  
> if loadfont $font ; then 
>   set gfxmode=auto 
>   insmod gfxterm 
>   set locale_dir=$prefix/locale 
>   set lang=en_US 
>   insmod gettext 
> fi 
> terminal_input console 
> terminal_output gfxterm 
> set timeout_style=menu 
> set timeout=3 
>  
> if [ "$grub_platform" = "efi" ]; then 
>   insmod bli 
> fi 
>  
> ## set Theme 
> insmod png 
> insmod gfxmenu 
> loadfont $prefix/themes/default/terminus-12.pf2 
> loadfont $prefix/themes/default/terminus-14.pf2 
> loadfont $prefix/themes/default/terminus-16.pf2 
> loadfont $prefix/themes/default/terminus-18.pf2 
> loadfont $prefix/themes/default/ubuntu_regular_17.pf2 
> loadfont $prefix/themes/default/ubuntu_regular_20.pf2 
> set theme=$prefix/themes/default/theme-hidpi.txt 
> export theme 
>  
> # we need to set root to some partition which is not encrypted, otherwise the 
> # UKI's embedded EFI stub complains and fails to load 
> function setESP { 
>     root=""
>     search --file --no-floppy --hint hd0,gpt1 --set=root /EFI/GRUB/grubx64.efi 
>     if [ -z "$root" ]; then 
>         root=(hd0,gpt1)
>     fi 
> } 
>  
> menuentry "Arch Linux UKI Image" { 
>     setESP 
>     #echo 'Loading Linux Unified Kernel Image from boot' 
>     chainloader (crypto0)/arch-linux-uki.efi 
> } 
>  
> menuentry "Arch Linux Fallback UKI Image" { 
>     setESP 
>     #echo 'Loading Linux Fallback Unified Kernel Image from boot' 
>     chainloader (crypto0)/arch-linux-uki-fallback.efi 
> }
> All files are PGP signed and the corresponding .sig files are in place.
> Booting without SecureBoot works smoothly.
>
> The machine does not have a TPM, therefore I omitted the tpm module for 
> grub-install.
> With Secureboot enabled, grubx64.efi gets loaded, I enter the passphrase and /boot 
> gets unlocked and accessible via (crypto0).
> Theme, fonts, and additional modules get loaded and verified via PGP.
> Only the UKI images fail to load.
> I tried:
> to EFI sign the UKI files with sbctl
> to PGP sign the UKI files
> to EFI and after that PGP sign the UKI files
> In all these three constellations I receive
> error: cannot load image.
>
> When I don't put the .sig files for the images in place I receive a more understandable:
> error: bad signature.
> So it seems grub checks the signature and validates it, but then later it hangs up 
> on something?
> Any idea why I can't load the images?
>
> I also tried to load a conventional initrd and linux kernel, also not 
> possible.
> Any possibility to debug what exactly grub is trying to load and where the 
> verification process/loading process halts?
>
> As the firmware starts grub just fine, this seems to be a problem of grub's 
> loading/verification for me.
> With grub 2.04 all worked just fine (LUKS1 boot part) with SecureBoot enabled.
>
> Looking for any advice
>
> Rodolfo
>
> --
> Sent with Tuta; enjoy secure & ad-free emails:
> https://tuta.com
>
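A check that helps pin down which of the two signature layers in this report is actually present on a given UKI, added here as an editor's example and not part of either mail or of GRUB: the poster tried EFI-signing the UKI with sbctl (which adds an embedded Authenticode signature to the PE image) and PGP-signing it (GRUB's pgp verifier looks for a detached signature next to the file, named <file>.sig). The script below parses the PE/COFF headers and reports whether the Attribute Certificate Table directory entry is populated and whether the detached .sig file exists. The minimal PE builder is a constructed stand-in for a real UKI (its certificate blob is a placeholder, not a real PKCS#7 signature), and the report field names are my own.

```python
"""Report the signature state of an EFI image: does the PE carry an embedded
Authenticode signature, and is a detached PGP signature (<file>.sig) beside it?
Constructed example; the minimal PE builder is a stand-in for a real UKI."""
import os
import struct
import tempfile

IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # Attribute Certificate Table slot
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode carries PKCS#7 SignedData


def pe_security_directory(data: bytes):
    """Return (file_offset, size) of the Attribute Certificate Table, or None
    when the image has no such entry, i.e. no embedded Authenticode signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:
        nrva_off, dirs_off = 108, 112   # NumberOfRvaAndSizes, first data directory
    elif magic == PE32_MAGIC:
        nrva_off, dirs_off = 92, 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_dirs = struct.unpack_from("<I", data, opt + nrva_off)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or size_of_opt < dirs_off + 8 * num_dirs:
        return None
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    # Unlike other directories, the security entry holds a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", data, entry)
    return (offset, size) if size else None


def signature_report(path: str) -> dict:
    """Combine the embedded-signature check with the detached .sig lookup."""
    with open(path, "rb") as f:
        data = f.read()
    sec = pe_security_directory(data)
    cert_type = None
    if sec is not None:
        # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType
        _, _, cert_type = struct.unpack_from("<IHH", data, sec[0])
    return {
        "authenticode": sec is not None,
        "win_cert_type": cert_type,
        "pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
        "detached_pgp_sig": os.path.isfile(path + ".sig"),
    }


def build_minimal_pe(with_security_dir: bool) -> bytes:
    """Constructed PE32+ header (not bootable); optionally with data directory 4
    pointing at a placeholder WIN_CERTIFICATE appended after the headers."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    num_dirs = 16
    opt_size = 112 + 8 * num_dirs
    # COFF header: x86-64 machine, no sections, SizeOfOptionalHeader, characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    header_end = e_lfanew + 4 + len(coff) + opt_size
    cert = b""
    dirs = [(0, 0)] * num_dirs
    if with_security_dir:
        payload = b"<constructed PKCS#7 placeholder>"
        cert = struct.pack("<IHH", 8 + len(payload), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (header_end, len(cert))
    opt = struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * (108 - 2) + struct.pack("<I", num_dirs)
    opt += b"".join(struct.pack("<II", o, s) for o, s in dirs)
    return dos + b"PE\0\0" + coff + opt + cert


def demo() -> dict:
    """Write two constructed images to a temp dir and report on both."""
    d = tempfile.mkdtemp()
    signed, unsigned = os.path.join(d, "signed.efi"), os.path.join(d, "unsigned.efi")
    with open(signed, "wb") as f:
        f.write(build_minimal_pe(True))
    with open(signed + ".sig", "wb") as f:
        f.write(b"constructed detached PGP signature placeholder")
    with open(unsigned, "wb") as f:
        f.write(build_minimal_pe(False))
    return {"signed": signature_report(signed), "unsigned": signature_report(unsigned)}


if __name__ == "__main__":
    for name, rep in demo().items():
        print(name, rep)
```

Run `signature_report("/boot/arch-linux-uki.efi")` on the real file to see which layer is present; the presence check says nothing about whether either signature is valid, which is what `sbverify` and `gpg --verify` are for, but it quickly distinguishes "no embedded signature at all" from "signature present but rejected".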