You are not logged in.

#1 2018-05-04 13:54:49

winnetou
Member
Registered: 2018-05-04
Posts: 7

GRUB2 Secure Boot error /EndEntire error: cannot load image [Solved]

hello!

brief description of my problem:
-> when booting a custom, signed .efi (bundle, containing linux kernel + initramfs files) from grub I get this error:

/EndEntire
file path: {path}/EndEntire
error: cannot load image

what I ask the community for:
advice and ideas for further troubleshooting

my setup:
I have attached an installation log describing all steps I took for installing archlinux to the end of the post.
here I am only going to summarize the steps, that are important for my problem (as far as I can tell):

I am dual-booting windows 10 and arch, with the following drive config:

  • m2.drive with windows install and bootmgfw.efi (windows boot loader)

  • ssd with archlinux. partitioned as:

    1. EFI partition: Fat32, 512MiB

    2. lvm partition: rest of the drive; 3 logical partitions: root, /home, /usr

I already managed to configure grub to be able to chainload the windows boot loader while secure boot is enabled (and checked inside windows if it actually loaded with secure boot)
I followed the steps in the archwiki: link to Wiki
(of course I installed arch in UEFI mode)

In short:
I have installed the signed shim loader and enrolled my MOK in the interface of MokManager.efi.
I then was able to load the previously signed grubx64.efi and chainload windows as described above.
Check my grub.cfg for references on the exact menu-entries for grub.

However my problem is chainloading the custom, signed .efi bundle (containing my archlinux).

How I created that bundle .efi:
first I did all steps manually, but later found this package in the AUR which does exactly the same steps (+ creating a hook for kernel updates): https://aur.archlinux.org/packages/sbupdate-git/
I can boot this .efi with secure boot disabled, so I know that it works.
And I did verify the signature with:

sbverify --cert /CERT /file

NOW:

Somehow that .efi is loading some unsigned things (I dont want to say modules, to let all possibilities open).
I know that because:
I renamed my custom .efi bundle to grubx64.efi and had the shim chainload it. this resulted in an error saying, that the bootloader could not verify the image. Basically: Something went wrong in the trust chain and that is what that grub error means.
I want to add, that I have the nvidia drivers installed, but have them blacklisted via the corresponding blacklist entries in

usr/lib/modprobe.d/custom.conf

I am not aware of any other "proprietary" kernel modules that I have installed, that could be causing the problem.

So now I am stuck here and do not know, how to proceed.

It might be noteworthy, that I tried the following kernel boot parameter to prevent the kernel from loading any unsigned modules:

module.sig_enforce

I also tried blacklisting the nvidia modules form the kernel boot parameters, but setting those parameters did not prevent the nvidia kernel modules from loading. I am aware, that I have to include the boot parameters in the .efi file, so I did that and when booting the image

/proc/cmdline

shows the correct line I want.
But as I could not blacklist the nvidia modules from the boot parameters, I am suspicious, that there might be something going on with the boot parameters and the .efi. this is another topic though, just wanted to hint to that.

I am very greatfull for any help I can get.
One of the reasons I switched from Ubuntu to Arch was the mighty fame of the archlinux community. But I did not think that I would be experiencing this community myself that early!

THANKS to everybody!!!




My grub.cfg

#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
insmod part_gpt
insmod part_msdos
if [ -s $prefix/grubenv ]; then
  load_env
fi
if [ "${next_entry}" ] ; then
   set default="${next_entry}"
   set next_entry=
   save_env next_entry
   set boot_once=true
else
   set default="0"
fi

if [ x"${feature_menuentry_id}" = xy ]; then
  menuentry_id_option="--id"
else
  menuentry_id_option=""
fi

export menuentry_id_option

if [ "${prev_saved_entry}" ]; then
  set saved_entry="${prev_saved_entry}"
  save_env saved_entry
  set prev_saved_entry=
  save_env prev_saved_entry
  set boot_once=true
fi

function savedefault {
  if [ -z "${boot_once}" ]; then
    saved_entry="${chosen}"
    save_env saved_entry
  fi
}

function load_video {
  if [ x$feature_all_video_module = xy ]; then
    insmod all_video
  else
    insmod efi_gop
    insmod efi_uga
    insmod ieee1275_fb
    insmod vbe
    insmod vga
    insmod video_bochs
    insmod video_cirrus
  fi
}

if [ x$feature_default_font_path = xy ] ; then
   font=unicode
else
insmod part_gpt
insmod lvm
insmod ext2
set root='lvmid/efa59n-Za7F-Y3KY-MJP1-xJqc-a8m3-IXI8Rx/VyKiZx-v0lo-cqyJ-aN9s-liyO-OnDZ-lPajrG'
if [ x$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root --hint='lvmid/efa59n-Za7F-Y3KY-MJP1-xJqc-a8m3-IXI8Rx/VyKiZx-v0lo-cqyJ-aN9s-liyO-OnDZ-lPajrG'  73b60da1-82c2-420a-bbaa-89b32d8a5b1f
else
  search --no-floppy --fs-uuid --set=root 73b60da1-82c2-420a-bbaa-89b32d8a5b1f
fi
    font="/share/grub/unicode.pf2"
fi

if loadfont $font ; then
  set gfxmode=auto
  load_video
  insmod gfxterm
  set locale_dir=$prefix/locale
  set lang=en_US
  insmod gettext
fi
terminal_input console
terminal_output gfxterm
if [ x$feature_timeout_style = xy ] ; then
  set timeout_style=menu
  set timeout=5
# Fallback normal timeout code in case the timeout_style feature is
# unavailable.
else
  set timeout=5
fi
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/10_linux ###
menuentry 'Arch Linux' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-71cff29d-d4a0-4584-adc2-b0beecb92609' {
	load_video
	set gfxpayload=keep
	insmod gzio
	insmod part_gpt
	insmod lvm
	insmod ext2
	set root='lvmid/efa59n-Za7F-Y3KY-MJP1-xJqc-a8m3-IXI8Rx/HDVtYt-X4fN-oe8k-rxfc-xgG3-ct23-uGTH3s'
	if [ x$feature_platform_search_hint = xy ]; then
	  search --no-floppy --fs-uuid --set=root --hint='lvmid/efa59n-Za7F-Y3KY-MJP1-xJqc-a8m3-IXI8Rx/HDVtYt-X4fN-oe8k-rxfc-xgG3-ct23-uGTH3s'  71cff29d-d4a0-4584-adc2-b0beecb92609
	else
	  search --no-floppy --fs-uuid --set=root 71cff29d-d4a0-4584-adc2-b0beecb92609
	fi
	echo	'Loading Linux linux ...'
	linux	/boot/vmlinuz-linux root=/dev/mapper/vg0-lv_root rw  quiet
	echo	'Loading initial ramdisk ...'
	initrd	/boot/intel-ucode.img /boot/initramfs-linux.img
}
submenu 'Advanced options for Arch Linux' $menuentry_id_option 'gnulinux-advanced-71cff29d-d4a0-4584-adc2-b0beecb92609' {
	menuentry 'Arch Linux, with Linux linux' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-linux-advanced-71cff29d-d4a0-4584-adc2-b0beecb92609' {
		load_video
		set gfxpayload=keep
		insmod gzio
		insmod part_gpt
		insmod lvm
		insmod ext2
		set root='lvmid/efa59n-Za7F-Y3KY-MJP1-xJqc-a8m3-IXI8Rx/HDVtYt-X4fN-oe8k-rxfc-xgG3-ct23-uGTH3s'
		if [ x$feature_platform_search_hint = xy ]; then
		  search --no-floppy --fs-uuid --set=root --hint='lvmid/efa59n-Za7F-Y3KY-MJP1-xJqc-a8m3-IXI8Rx/HDVtYt-X4fN-oe8k-rxfc-xgG3-ct23-uGTH3s'  71cff29d-d4a0-4584-adc2-b0beecb92609
		else
		  search --no-floppy --fs-uuid --set=root 71cff29d-d4a0-4584-adc2-b0beecb92609
		fi
		echo	'Loading Linux linux ...'
		linux	/boot/vmlinuz-linux root=/dev/mapper/vg0-lv_root rw  quiet
		echo	'Loading initial ramdisk ...'
		initrd	/boot/intel-ucode.img /boot/initramfs-linux.img
	}
	menuentry 'Arch Linux, with Linux linux (fallback initramfs)' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-linux-fallback-71cff29d-d4a0-4584-adc2-b0beecb92609' {
		load_video
		set gfxpayload=keep
		insmod gzio
		insmod part_gpt
		insmod lvm
		insmod ext2
		set root='lvmid/efa59n-Za7F-Y3KY-MJP1-xJqc-a8m3-IXI8Rx/HDVtYt-X4fN-oe8k-rxfc-xgG3-ct23-uGTH3s'
		if [ x$feature_platform_search_hint = xy ]; then
		  search --no-floppy --fs-uuid --set=root --hint='lvmid/efa59n-Za7F-Y3KY-MJP1-xJqc-a8m3-IXI8Rx/HDVtYt-X4fN-oe8k-rxfc-xgG3-ct23-uGTH3s'  71cff29d-d4a0-4584-adc2-b0beecb92609
		else
		  search --no-floppy --fs-uuid --set=root 71cff29d-d4a0-4584-adc2-b0beecb92609
		fi
		echo	'Loading Linux linux ...'
		linux	/boot/vmlinuz-linux root=/dev/mapper/vg0-lv_root rw  quiet
		echo	'Loading initial ramdisk ...'
		initrd	/boot/initramfs-linux-fallback.img
	}
}

### END /etc/grub.d/10_linux ###

### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###

### BEGIN /etc/grub.d/30_os-prober ###
menuentry 'Windows Boot Manager (on /dev/nvme0n1p2)' --class windows --class os $menuentry_id_option 'osprober-efi-0649-6156' {
	insmod part_gpt
	insmod fat
	if [ x$feature_platform_search_hint = xy ]; then
	  search --no-floppy --fs-uuid --set=root  0649-6156
	else
	  search --no-floppy --fs-uuid --set=root 0649-6156
	fi
	chainloader /efi/Microsoft/Boot/bootmgfw.efi
}
### END /etc/grub.d/30_os-prober ###

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.

menuentry "linux-signed" {
        insmod chain
	
	search --no-floppy --set=root --file  /efi/grub_uefi/linux-signed.efi

        echo 'Chainloading Linux linux-signed.efi ...'
        chainloader /efi/grub_uefi/linux-signed.efi
}

menuentry "Firmware setup (UEFI)" {
	fwsetup
}
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f  ${config_directory}/custom.cfg ]; then
  source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
  source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ###

My Archlinux installation steps:

archlinux installation steps, consolidated and specialized:
sources:
wiki.archlinux.org
LernLinux.tv youtube channel

notes on notation:
"-" genearl steps to do
"#" commands to put in (root permission not marked explicitly)
"//" tried, but failed; or omitted because not possible/important
" " general description

prerequisities:
- unplug m.2 ssd and the 3 raid drives
- plug in linux ssd
- boot to bios
- edit secure boot setting:
- other OS

//booting the insallation media with secure boot enabled
//after the error pops up:
//-> ok
//-> select Enroll Hash, choose \loader.efi, confirm
//-> select Enroll Hash and archiso, enter the archiso directory
//-> select vmlinuz.efi, confirm
//-> exit to boot devices menu
//-> reboot Arch Linux archiso x86_64 UEFI

- check if booted with secure boot
# od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

if OK following output:
    returns 1 as the final integer in a list of five integers
//not booted securely... did not work from bios

- get more verbose oputput
# bootctl status


\\ the standard set up //

    - set the keyboard layout to german keyboard
    # loadkeys de-latin1-nodeadkeys

    - check if booted in EFI mode
    # ls /sys/firmware/efi/efivars
    if booted in efi mode, this folder exists

    - check for ip-adress/network connectivity
    # ip a
    expected result: 192.168.1.42

    # ping archlinux.org -c 5

    - if no ip-adress was assigned
    # dhcpcd

    - set and check the clock
    # timedatectl set-ntp true
    # timedatectl status

    - list all drives
    # fdisk -l
    expected: /dev/sda

    - enter the gdisk utility on the drive where to install arch
    # gdisk /dev/sda

        - create gpd or dos partition table
        the following steps are for a gpd partition table with LVM and efi

        - create a gpd disk label
        # o

        - print current table
        # p
        expected result: empty

        - new partition
        # n
        first one as efi partition

        - partition number
        # 1

        - first sector
        # 2048

        - size of the partition
        # +512M

        - set type to EFI-System for grub
        # EF00

        - partition for LVM
        # n
        # default
        # default
        # default
        rest of disk

        # 8E
        set type to linux lvm

        # w
        write the changes and exit

    # fdisk -l
    expected result: table as created above

    - format EFI partition
    # mkfs.vfat -F32 /dev/sda1

    - create physical volume
    # pvcreate --dataalignment 1m /dev/sda2
      --dataalignment for ssd recommended

    - create volumegroup
    # vgcreate vg0 /dev/sda2

    - create logical partitions
    # lvcreate -L 50G vg0 -n lv_root
    size, volumegroup, name of part
    for the rest use instead -L:
    -l 100%FREE

    - create the other partitions
    # lvcreate -L 130G vg0 -n lv_usr
    # lvcreate -l 100%FREE vg0 -n lv_home

    - activate the lvm
    # modprobe dm_mod
    # vgscan
    # vgchange -ay

    - format the partitions
    # mkfs.ext4 /dev/vg0/lv_root
    # mkfs.ext4 /dev/vg0/lv_usr
    # mkfs.ext4 /dev/vg0/lv_home

    - mount the root partition
    # mount /dev/vg0/lv_root /mnt

    - create dirs and mount the other partitions
    # mkdir /mnt/usr
    # mkdir /mnt/home
    # mount /dev/vg0/lv_usr /mnt/usr
    # mount /dev/vg0/lv_home /mnt/home

    - list all mounts
    # mount
    expected result: as created above


    \\ starting the installation process //

    - check if uppermost mirror is up to the task
    # nano /etc/pacman.d/mirrorlist

    - install base package group
    # pacstrap -i /mnt base
    select default (all)
    proceed with download and install
    take note of all warnings / errors

    - create fstab file with partition list
    # genfstab -U -p /mnt >> /mnt/etc/fstab

    - edit fstab
    # nano /mnt/etc/fstab
    1. Add the discard option to the options tab of the home, usr, root filesystem. This essentially enables TRIM support for SSDs.
    2. Make /tmp a ramdisk, add this line:
    tmpfs	/tmp	tmpfs	defaults,noatime,mode=1777  0	0
    3. Change relatime on all non-boot partitions to noatime (reduces wear if using an SSD)
    4. change the passno of /usr to 0 for it being able to be mounted at boot
    (this is the last entry)

    - chroot into future install
    # arch-chroot /mnt/
    gives command promt into work in progress installation

    - set up the clock
    # ln -sf /usr/share/zoneinfo/Europe/Vienna /etc/localtime
    # hwclock --systohc

    - edit locale.gen
    # nano /etc/locale.gen
    find your locale and erase hash in front of it
    de_AT-UTF-8 UTF-8
    and
    en_US-UTF-8 UTF-8

    - some more steps
    # echo LANG=en_US.UTF-8 >> /etc/locale.conf
    # echo LC_ALL= >> /etc/locale.conf

    - update locales
    # locale-gen

    - make the keyboard layout persistent
    # nano /etc/vconsole.conf
    add or edit first line to look like the following:
    KEYMAP=de-latin1-nodeadkeys

    - install some crucial packages
    # pacman -S grub efibootmgr dosfstools os-prober mtools linux linux-headers intel-ucode

    - edit mkinitcpio.conf
    # nano /etc/mkinitcpio.conf
    in the hooks-section:
    between block and filesystem:
    -> insert lvm2
    to the end add:
    -> usr fsck

    - configure linux kernel
    # mkinitcpio -p linux
    watch out for warnings

    - set the hostname and update hosts
    # nano /etc/hostname
    # nano /etc/hosts
    127.0.0.1 localhost
    192.168.1.42 kayranPC
    ::1             localhost ip6-localhost ip6-loopback
    ff02::1         ip6-allnodes
    ff02::2         ip6-allrouters

    # passwd XXXX
    set root password

    check first whats in there
    - mount the EFI partition
    # mkdir /boot/EFI
    # mount /dev/sda1 /boot/EFI

    - install the bootloader
    # grub-install --target=x86_64-efi --efi-directory=/boot/EFI --bootloader-id=grub_uefi --recheck

    - generate grub config file
    # grub-mkconfig -o /boot/grub/grub.cfg

    - generate the swap file
    # fallocate -l 10G /swapfile
    # chmod 600 /swapfile
    # mkswap /swapfile
    # echo '/swapfile none swap defaults 0 0' | tee -a /etc/fstab

    - verify all fstab entries are ok
    # nano /etc/fstab
    b. Add the discard option to the options tab of the home and root filesystem (the one with rw,noatime,...). This essentially enables TRIM support for SSDs.
    c. Make /tmp a ramdisk:
    tmpfs	/tmp	tmpfs	defaults,noatime,mode=1777	0	0
    d. Change relatime on all non-boot partitions to noatime (reduces wear if using an SSD)
    e. change the passno of /usr to 0
    (this is the last entry)


    - back to archiso shell
    # exit

    -unmount all
    # umount -a
    # swapoff -a

    # reboot


    boot into new archlnux install
    
    configure the network settings:

    - get the module name of the network card
    # lspci -v
    e1000e

    - check if it was loaded
    # dmesg | grep e1000e

    - search for interface name of network card
    #ip link
    enp0s31f6

    - set it up
    # ip link set enp0s31f6 up
    # ip link show dev enp0s31f6

    # ip a
    should return 192.168.1.42

    - install a network manager
    # pacman -S networkmanager

    - start networkmanager and autostart at boot
    # systemctl start NetworkManager
    # systemctl enable NetworkManager

    - install sudo and set it up
    # pacman -S sudo
    # visudo
    Uncomment the line saying %wheel ALL=(ALL) ALL to give members of the wheel group sudo access
    save with:
    :wq

    - add a user and add password
    # useradd -m -G wheel,storage -s /bin/bash name
    # passwd name
    //# usermod -aG GROUP Name

    #logout
    - login as simple

    # pacman -S base-devel git
    # cd /usr/local/
    # git clone https://aur.archlinux.org/aurman.git
    # curl -L -O https://aur.archlinux.org/cgit/aur.git/snapshot/aurman.tar.gz
    # tar -xvf aurman.tar.gz
    # cd aurman
    # makepkg -sic
    # cd /
    # mv /usr/local/aurman.tar.gz /usr/local/aurman
    get and install aurman AUR helper for shim-signed to be installed

    - list all mount-points
    # df -h

    - configure ntp
    # pacman -Sy ntp
    # systemctl daemon-reload
    # systemctl enable ntpd
    # systemctl start ntpd
    # systemctl status ntpd

    - install x
    # pacman -S xorg-server xorg-xinit

    - list hardware components, check what video card is detected
    #lspci

    - install nvidia drivers
    # pacman -S nvidia nvidia-utils
    
    - install a desktop
    #pacman -Syu gnome gnome-power-manager gnome-tweaks dconf dconf-editor adwaita-icon-theme firefox network-manager-applet

    accept all defaults at those installs

    - configure nvida (this has no effect, as wayland runs gnome by default, not xorg )
    # nvidia-xconfig

    - start the gdm at boot
    # systemctl enable gdm

    # shutdown

plug in all drives
let secure boot be disabled
boot into linux

check if raid can be mouned
YES it can!

    -  regenerate grub config
    # grub-mkconfig -o /boot/grub/grub.cfg
    see if windows efi is found
    found!

    - configure firefox
    log into account
    settings, UI etc

    - set nano as default editor for command like sudoedit etc
    - add those lines to /etc/environment
    # VISUAL=nano
    # EDITOR=nano

    edit pacman repositoriy list in /etc/pacman.conf to add multilib
    uncomment 2 lines for multilib
    recheck mirrorlist at /etc/pacman.d/mirrorlist
    - sync all archives
    # pacman -Syyy

    - install nvidia-setting GUI tool
    # pacman -S nvidia-settings

    - get visual studio code
    # aurman -S vidual-studio-code-bin

    - add gnome extension support
    # pacman -S chrome-gnome-shell
    and enable the extension in firefox

    install gnome extension to add suspend button in top right menu


    secure boot config
        
    # pacman -S sbsigntools
    # aurman -S shim-signed
    install needed packages
    
    # mount /dev/sda1 /boot/EFI/
    # cp /usr/share/shim-signed/shim.efi /boot/EFI/EFI/grub_uefi/BOOTX64.efi
    # cp /usr/share/shim-signed/MokManager.efi /boot/EFI/EFI/grub_uefi/
    add shimefi

    # efibootmgr
    this returns the list of bootable .efi

    # mount /dev/sda1 /boot/EFI
    - add the previously created BOOTx64.efi for shim to the efi boot options
    # efibootmgr -c -d /dev/sda -l /EFI/grub_uefi/BOOTx64.efi -L SHIM_loader
    
    # openssl req -newkey rsa:2048 -nodes -keyout MOK.key -new -x509 -sha256 -days 3650 -subj "/CN=myMachineOwnerKey/" -out MOK.crt
    # openssl x509 -outform DER -in MOK.crt -out MOK.cer
    # cp MOK.cer /boot/EFI/EFI/grub_uefi/
    # sbsign --key MOK.key --cert MOK.crt --output /boot/EFI/EFI/grub_uefi/grubx64.efi /boot/EFI/EFI/grub_uefi/grubx64.efi
    create keys and sign the boot loader
    copy key to EFI partition
    
    # reboot
    
change bios secure boot setting to secure boot Windows UEFI Mode
boot the BOOTX64.efi labelled SHIM_loader
at the prompt:
enroll key from disk
select MOK.cer
boot to grubx64.efi
worked!

try booting windows
windows can be booted in secure mode (verified in system info)

blacklist nvidia kernel modules, remove blacklisting from nouveau, that was installed by nvidia

    # nano /usr/lib/modprobe.d/nvida.conf
    comment line
    blacklist nouveau

    # nano /usr/lib/modprobe.d/custom.conf
    add 
    blacklist nvidia
    blacklist nvidia_modeset
    blacklist nvidia_drm
    blacklist nvidia_uvm



further steps to sign the linux kernel for secure boot:

a combined efi with the kernel and initramfs is needed
the following AUR package autamatically generates the signed .efi package and has a hook for kernel updates:

    # aurman -S sbupdate-git
    
    configure it:
    # nano /etc/default/sbupdate
    KEY_DIR="/root/secure-boot"
    KEYFILE="DB.key"
    CRTFILE="DB.crt"
    ESP_DIR="/boot"
    OUT_DIR=""
    SPLASH="/usr/share/systemd/bootctl/splash-arch.bmp"
    BACKUP=0
    EXTRA_SIGN=()
    CMDLINE_DEFAULT="BOOT_IMAGE=/boot/vmlinuz-linux root=/dev/mapper/vg0-lv_root rw quiet"
    
    # sbupdate
    run the initalisation

    # mount /dev/sda1 /boot/EFI
    # cp /boot/linux-signed.efi /boot/EFI/EFI/grub_uefi/
    # umount /boot/EFI
    copy the .efi to the efi partition, as grub could not load the .efi from an lvm partition (which is the /boot/XXX, wheras /boot/EFI is the mount point of the efi partition)
    
    # sbverify --cert /MOK.crt /boot/EFI/EFI/grub_uefi/linux-signed.efi
    verify if the combined .efi is appropriately signed


    add the .efi to the grub menu
    add the following to /etc/grub.d/40_custom


    menuentry "linux-signed" {
        insmod chain

        search --no-floppy --set=root --file /efi/grub_uefi/linux-signed.efi

        echo 'Chainloading Linux linux-signed.efi ...'
        chainloader /efi/grub_uefi/linux-signed.efi
    }

    menuentry "Firmware setup (UEFI)" {
        fwsetup
    }

    # grub-mkconfig -o /boot/grub/grub.cfg
    generate new grub.cfg

this image on the efi partition is bootable without secure boot from grub,
booting it with secure boot gives error




TODO:

    next steps:
    redo mkinitcpio -p linux
    redo sbupdate and copy to efi part
    try the .efi

    delete /secure-boot

    set reminder in /etc/default/grub where the default comand line is:
    this has to be set in the conf for sbupdate as well, to be affective in the signed kernel
    set a hook for the grubx64.efi on the efi partition as well?

    what is with nvidia drivers, which are loaded by the kernel?
    could they be responsible for the secure boot error?
    
    workaround the bug with nvidia-drivers changing the native resolution of the boot cmd line 

    clean up boot log until no errors
    # journalctl -b

    make a copy of the bash input log

Last edited by winnetou (2018-05-14 14:40:58)

Offline

#2 2018-05-14 15:07:07

winnetou
Member
Registered: 2018-05-04
Posts: 7

Re: GRUB2 Secure Boot error /EndEntire error: cannot load image [Solved]

After messing around for a week I finally got secure boot working!

BUT:

I changed my bootloader from GRUB to rEFInd.
And, long story short, this is actually the only thing I changed!

I installed rEFInd, added custom entries for Arch (vmlinuz) and the signed.efi bundle and......
thats it.

I still do not know, why grub was unable to load the image... and I still do not know, why chainloading the signed.efi via shim directly did not work.
So still missing explanations on that.

Another thing to point out:
As I suspected correctly, the boot cmd-line arguments bundled in the signed.efi do get ignored.
I had to add my options in the custom menuentry of rEFInd.

I saw a couple of similar posts, which seemed to have different causes.
But I am pretty sure, for my case, the kernel parameters bundled within the signed.efi are not loaded.

Offline

Board footer

Powered by FluxBB