You are not logged in.
- Topics: Active | Unanswered
#1 2018-05-04 13:54:49
- winnetou
- Member
- Registered: 2018-05-04
- Posts: 7
GRUB2 Secure Boot error /EndEntire error: cannot load image [Solved]
hello!
brief description of my problem:
-> when booting a custom, signed .efi (bundle, containing linux kernel + initramfs files) from grub I get this error:
/EndEntire
file path: {path}/EndEntire
error: cannot load imagewhat I ask the community for:
advice and ideas for further troubleshooting
my setup:
I have attached an installation log describing all steps I took for installing archlinux to the end of the post.
here I am only going to summarize the steps, that are important for my problem (as far as I can tell):
I am dual-booting windows 10 and arch, with the following drive config:
m2.drive with windows install and bootmgfw.efi (windows boot loader)
ssd with archlinux. partitioned as:
EFI partition: Fat32, 512MiB
lvm partition: rest of the drive; 3 logical partitions: root, /home, /usr
I already managed to configure grub to be able to chainload the windows boot loader while secure boot is enabled (and checked inside windows if it actually loaded with secure boot)
I followed the steps in the archwiki: link to Wiki
(of course I installed arch in UEFI mode)
In short:
I have installed the signed shim loader and enrolled my MOK in the interface of MokManager.efi.
I then was able to load the previously signed grubx64.efi and chainload windows as described above.
Check my grub.cfg for references on the exact menu-entries for grub.
However my problem is chainloading the custom, signed .efi bundle (containing my archlinux).
How I created that bundle .efi:
first I did all steps manually, but later found this package in the AUR which does exactly the same steps (+ creating a hook for kernel updates): https://aur.archlinux.org/packages/sbupdate-git/
I can boot this .efi with secure boot disabled, so I know that it works.
And I did verify the signature with:
sbverify --cert /CERT /fileNOW:
Somehow that .efi is loading some unsigned things (I dont want to say modules, to let all possibilities open).
I know that because:
I renamed my custom .efi bundle to grubx64.efi and had the shim chainload it. this resulted in an error saying, that the bootloader could not verify the image. Basically: Something went wrong in the trust chain and that is what that grub error means.
I want to add, that I have the nvidia drivers installed, but have them blacklisted via the corresponding blacklist entries in
usr/lib/modprobe.d/custom.confI am not aware of any other "proprietary" kernel modules that I have installed, that could be causing the problem.
So now I am stuck here and do not know, how to proceed.
It might be noteworthy, that I tried the following kernel boot parameter to prevent the kernel from loading any unsigned modules:
module.sig_enforceI also tried blacklisting the nvidia modules form the kernel boot parameters, but setting those parameters did not prevent the nvidia kernel modules from loading. I am aware, that I have to include the boot parameters in the .efi file, so I did that and when booting the image
/proc/cmdline shows the correct line I want.
But as I could not blacklist the nvidia modules from the boot parameters, I am suspicious, that there might be something going on with the boot parameters and the .efi. this is another topic though, just wanted to hint to that.
I am very greatfull for any help I can get.
One of the reasons I switched from Ubuntu to Arch was the mighty fame of the archlinux community. But I did not think that I would be experiencing this community myself that early!
THANKS to everybody!!!
My grub.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#
### BEGIN /etc/grub.d/00_header ###
insmod part_gpt
insmod part_msdos
if [ -s $prefix/grubenv ]; then
load_env
fi
if [ "${next_entry}" ] ; then
set default="${next_entry}"
set next_entry=
save_env next_entry
set boot_once=true
else
set default="0"
fi
if [ x"${feature_menuentry_id}" = xy ]; then
menuentry_id_option="--id"
else
menuentry_id_option=""
fi
export menuentry_id_option
if [ "${prev_saved_entry}" ]; then
set saved_entry="${prev_saved_entry}"
save_env saved_entry
set prev_saved_entry=
save_env prev_saved_entry
set boot_once=true
fi
function savedefault {
if [ -z "${boot_once}" ]; then
saved_entry="${chosen}"
save_env saved_entry
fi
}
function load_video {
if [ x$feature_all_video_module = xy ]; then
insmod all_video
else
insmod efi_gop
insmod efi_uga
insmod ieee1275_fb
insmod vbe
insmod vga
insmod video_bochs
insmod video_cirrus
fi
}
if [ x$feature_default_font_path = xy ] ; then
font=unicode
else
insmod part_gpt
insmod lvm
insmod ext2
set root='lvmid/efa59n-Za7F-Y3KY-MJP1-xJqc-a8m3-IXI8Rx/VyKiZx-v0lo-cqyJ-aN9s-liyO-OnDZ-lPajrG'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint='lvmid/efa59n-Za7F-Y3KY-MJP1-xJqc-a8m3-IXI8Rx/VyKiZx-v0lo-cqyJ-aN9s-liyO-OnDZ-lPajrG' 73b60da1-82c2-420a-bbaa-89b32d8a5b1f
else
search --no-floppy --fs-uuid --set=root 73b60da1-82c2-420a-bbaa-89b32d8a5b1f
fi
font="/share/grub/unicode.pf2"
fi
if loadfont $font ; then
set gfxmode=auto
load_video
insmod gfxterm
set locale_dir=$prefix/locale
set lang=en_US
insmod gettext
fi
terminal_input console
terminal_output gfxterm
if [ x$feature_timeout_style = xy ] ; then
set timeout_style=menu
set timeout=5
# Fallback normal timeout code in case the timeout_style feature is
# unavailable.
else
set timeout=5
fi
### END /etc/grub.d/00_header ###
### BEGIN /etc/grub.d/10_linux ###
menuentry 'Arch Linux' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-71cff29d-d4a0-4584-adc2-b0beecb92609' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_gpt
insmod lvm
insmod ext2
set root='lvmid/efa59n-Za7F-Y3KY-MJP1-xJqc-a8m3-IXI8Rx/HDVtYt-X4fN-oe8k-rxfc-xgG3-ct23-uGTH3s'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint='lvmid/efa59n-Za7F-Y3KY-MJP1-xJqc-a8m3-IXI8Rx/HDVtYt-X4fN-oe8k-rxfc-xgG3-ct23-uGTH3s' 71cff29d-d4a0-4584-adc2-b0beecb92609
else
search --no-floppy --fs-uuid --set=root 71cff29d-d4a0-4584-adc2-b0beecb92609
fi
echo 'Loading Linux linux ...'
linux /boot/vmlinuz-linux root=/dev/mapper/vg0-lv_root rw quiet
echo 'Loading initial ramdisk ...'
initrd /boot/intel-ucode.img /boot/initramfs-linux.img
}
submenu 'Advanced options for Arch Linux' $menuentry_id_option 'gnulinux-advanced-71cff29d-d4a0-4584-adc2-b0beecb92609' {
menuentry 'Arch Linux, with Linux linux' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-linux-advanced-71cff29d-d4a0-4584-adc2-b0beecb92609' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_gpt
insmod lvm
insmod ext2
set root='lvmid/efa59n-Za7F-Y3KY-MJP1-xJqc-a8m3-IXI8Rx/HDVtYt-X4fN-oe8k-rxfc-xgG3-ct23-uGTH3s'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint='lvmid/efa59n-Za7F-Y3KY-MJP1-xJqc-a8m3-IXI8Rx/HDVtYt-X4fN-oe8k-rxfc-xgG3-ct23-uGTH3s' 71cff29d-d4a0-4584-adc2-b0beecb92609
else
search --no-floppy --fs-uuid --set=root 71cff29d-d4a0-4584-adc2-b0beecb92609
fi
echo 'Loading Linux linux ...'
linux /boot/vmlinuz-linux root=/dev/mapper/vg0-lv_root rw quiet
echo 'Loading initial ramdisk ...'
initrd /boot/intel-ucode.img /boot/initramfs-linux.img
}
menuentry 'Arch Linux, with Linux linux (fallback initramfs)' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-linux-fallback-71cff29d-d4a0-4584-adc2-b0beecb92609' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_gpt
insmod lvm
insmod ext2
set root='lvmid/efa59n-Za7F-Y3KY-MJP1-xJqc-a8m3-IXI8Rx/HDVtYt-X4fN-oe8k-rxfc-xgG3-ct23-uGTH3s'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint='lvmid/efa59n-Za7F-Y3KY-MJP1-xJqc-a8m3-IXI8Rx/HDVtYt-X4fN-oe8k-rxfc-xgG3-ct23-uGTH3s' 71cff29d-d4a0-4584-adc2-b0beecb92609
else
search --no-floppy --fs-uuid --set=root 71cff29d-d4a0-4584-adc2-b0beecb92609
fi
echo 'Loading Linux linux ...'
linux /boot/vmlinuz-linux root=/dev/mapper/vg0-lv_root rw quiet
echo 'Loading initial ramdisk ...'
initrd /boot/initramfs-linux-fallback.img
}
}
### END /etc/grub.d/10_linux ###
### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###
### BEGIN /etc/grub.d/30_os-prober ###
menuentry 'Windows Boot Manager (on /dev/nvme0n1p2)' --class windows --class os $menuentry_id_option 'osprober-efi-0649-6156' {
insmod part_gpt
insmod fat
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root 0649-6156
else
search --no-floppy --fs-uuid --set=root 0649-6156
fi
chainloader /efi/Microsoft/Boot/bootmgfw.efi
}
### END /etc/grub.d/30_os-prober ###
### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
menuentry "linux-signed" {
insmod chain
search --no-floppy --set=root --file /efi/grub_uefi/linux-signed.efi
echo 'Chainloading Linux linux-signed.efi ...'
chainloader /efi/grub_uefi/linux-signed.efi
}
menuentry "Firmware setup (UEFI)" {
fwsetup
}
### END /etc/grub.d/40_custom ###
### BEGIN /etc/grub.d/41_custom ###
if [ -f ${config_directory}/custom.cfg ]; then
source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ###My Archlinux installation steps:
archlinux installation steps, consolidated and specialized:
sources:
wiki.archlinux.org
LernLinux.tv youtube channel
notes on notation:
"-" genearl steps to do
"#" commands to put in (root permission not marked explicitly)
"//" tried, but failed; or omitted because not possible/important
" " general description
prerequisities:
- unplug m.2 ssd and the 3 raid drives
- plug in linux ssd
- boot to bios
- edit secure boot setting:
- other OS
//booting the insallation media with secure boot enabled
//after the error pops up:
//-> ok
//-> select Enroll Hash, choose \loader.efi, confirm
//-> select Enroll Hash and archiso, enter the archiso directory
//-> select vmlinuz.efi, confirm
//-> exit to boot devices menu
//-> reboot Arch Linux archiso x86_64 UEFI
- check if booted with secure boot
# od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
if OK following output:
returns 1 as the final integer in a list of five integers
//not booted securely... did not work from bios
- get more verbose oputput
# bootctl status
\\ the standard set up //
- set the keyboard layout to german keyboard
# loadkeys de-latin1-nodeadkeys
- check if booted in EFI mode
# ls /sys/firmware/efi/efivars
if booted in efi mode, this folder exists
- check for ip-adress/network connectivity
# ip a
expected result: 192.168.1.42
# ping archlinux.org -c 5
- if no ip-adress was assigned
# dhcpcd
- set and check the clock
# timedatectl set-ntp true
# timedatectl status
- list all drives
# fdisk -l
expected: /dev/sda
- enter the gdisk utility on the drive where to install arch
# gdisk /dev/sda
- create gpd or dos partition table
the following steps are for a gpd partition table with LVM and efi
- create a gpd disk label
# o
- print current table
# p
expected result: empty
- new partition
# n
first one as efi partition
- partition number
# 1
- first sector
# 2048
- size of the partition
# +512M
- set type to EFI-System for grub
# EF00
- partition for LVM
# n
# default
# default
# default
rest of disk
# 8E
set type to linux lvm
# w
write the changes and exit
# fdisk -l
expected result: table as created above
- format EFI partition
# mkfs.vfat -F32 /dev/sda1
- create physical volume
# pvcreate --dataalignment 1m /dev/sda2
--dataalignment for ssd recommended
- create volumegroup
# vgcreate vg0 /dev/sda2
- create logical partitions
# lvcreate -L 50G vg0 -n lv_root
size, volumegroup, name of part
for the rest use instead -L:
-l 100%FREE
- create the other partitions
# lvcreate -L 130G vg0 -n lv_usr
# lvcreate -l 100%FREE vg0 -n lv_home
- activate the lvm
# modprobe dm_mod
# vgscan
# vgchange -ay
- format the partitions
# mkfs.ext4 /dev/vg0/lv_root
# mkfs.ext4 /dev/vg0/lv_usr
# mkfs.ext4 /dev/vg0/lv_home
- mount the root partition
# mount /dev/vg0/lv_root /mnt
- create dirs and mount the other partitions
# mkdir /mnt/usr
# mkdir /mnt/home
# mount /dev/vg0/lv_usr /mnt/usr
# mount /dev/vg0/lv_home /mnt/home
- list all mounts
# mount
expected result: as created above
\\ starting the installation process //
- check if uppermost mirror is up to the task
# nano /etc/pacman.d/mirrorlist
- install base package group
# pacstrap -i /mnt base
select default (all)
proceed with download and install
take note of all warnings / errors
- create fstab file with partition list
# genfstab -U -p /mnt >> /mnt/etc/fstab
- edit fstab
# nano /mnt/etc/fstab
1. Add the discard option to the options tab of the home, usr, root filesystem. This essentially enables TRIM support for SSDs.
2. Make /tmp a ramdisk, add this line:
tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0
3. Change relatime on all non-boot partitions to noatime (reduces wear if using an SSD)
4. change the passno of /usr to 0 for it being able to be mounted at boot
(this is the last entry)
- chroot into future install
# arch-chroot /mnt/
gives command promt into work in progress installation
- set up the clock
# ln -sf /usr/share/zoneinfo/Europe/Vienna /etc/localtime
# hwclock --systohc
- edit locale.gen
# nano /etc/locale.gen
find your locale and erase hash in front of it
de_AT-UTF-8 UTF-8
and
en_US-UTF-8 UTF-8
- some more steps
# echo LANG=en_US.UTF-8 >> /etc/locale.conf
# echo LC_ALL= >> /etc/locale.conf
- update locales
# locale-gen
- make the keyboard layout persistent
# nano /etc/vconsole.conf
add or edit first line to look like the following:
KEYMAP=de-latin1-nodeadkeys
- install some crucial packages
# pacman -S grub efibootmgr dosfstools os-prober mtools linux linux-headers intel-ucode
- edit mkinitcpio.conf
# nano /etc/mkinitcpio.conf
in the hooks-section:
between block and filesystem:
-> insert lvm2
to the end add:
-> usr fsck
- configure linux kernel
# mkinitcpio -p linux
watch out for warnings
- set the hostname and update hosts
# nano /etc/hostname
# nano /etc/hosts
127.0.0.1 localhost
192.168.1.42 kayranPC
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
# passwd XXXX
set root password
check first whats in there
- mount the EFI partition
# mkdir /boot/EFI
# mount /dev/sda1 /boot/EFI
- install the bootloader
# grub-install --target=x86_64-efi --efi-directory=/boot/EFI --bootloader-id=grub_uefi --recheck
- generate grub config file
# grub-mkconfig -o /boot/grub/grub.cfg
- generate the swap file
# fallocate -l 10G /swapfile
# chmod 600 /swapfile
# mkswap /swapfile
# echo '/swapfile none swap defaults 0 0' | tee -a /etc/fstab
- verify all fstab entries are ok
# nano /etc/fstab
b. Add the discard option to the options tab of the home and root filesystem (the one with rw,noatime,...). This essentially enables TRIM support for SSDs.
c. Make /tmp a ramdisk:
tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0
d. Change relatime on all non-boot partitions to noatime (reduces wear if using an SSD)
e. change the passno of /usr to 0
(this is the last entry)
- back to archiso shell
# exit
-unmount all
# umount -a
# swapoff -a
# reboot
boot into new archlnux install
configure the network settings:
- get the module name of the network card
# lspci -v
e1000e
- check if it was loaded
# dmesg | grep e1000e
- search for interface name of network card
#ip link
enp0s31f6
- set it up
# ip link set enp0s31f6 up
# ip link show dev enp0s31f6
# ip a
should return 192.168.1.42
- install a network manager
# pacman -S networkmanager
- start networkmanager and autostart at boot
# systemctl start NetworkManager
# systemctl enable NetworkManager
- install sudo and set it up
# pacman -S sudo
# visudo
Uncomment the line saying %wheel ALL=(ALL) ALL to give members of the wheel group sudo access
save with:
:wq
- add a user and add password
# useradd -m -G wheel,storage -s /bin/bash name
# passwd name
//# usermod -aG GROUP Name
#logout
- login as simple
# pacman -S base-devel git
# cd /usr/local/
# git clone https://aur.archlinux.org/aurman.git
# curl -L -O https://aur.archlinux.org/cgit/aur.git/snapshot/aurman.tar.gz
# tar -xvf aurman.tar.gz
# cd aurman
# makepkg -sic
# cd /
# mv /usr/local/aurman.tar.gz /usr/local/aurman
get and install aurman AUR helper for shim-signed to be installed
- list all mount-points
# df -h
- configure ntp
# pacman -Sy ntp
# systemctl daemon-reload
# systemctl enable ntpd
# systemctl start ntpd
# systemctl status ntpd
- install x
# pacman -S xorg-server xorg-xinit
- list hardware components, check what video card is detected
#lspci
- install nvidia drivers
# pacman -S nvidia nvidia-utils
- install a desktop
#pacman -Syu gnome gnome-power-manager gnome-tweaks dconf dconf-editor adwaita-icon-theme firefox network-manager-applet
accept all defaults at those installs
- configure nvida (this has no effect, as wayland runs gnome by default, not xorg )
# nvidia-xconfig
- start the gdm at boot
# systemctl enable gdm
# shutdown
plug in all drives
let secure boot be disabled
boot into linux
check if raid can be mouned
YES it can!
- regenerate grub config
# grub-mkconfig -o /boot/grub/grub.cfg
see if windows efi is found
found!
- configure firefox
log into account
settings, UI etc
- set nano as default editor for command like sudoedit etc
- add those lines to /etc/environment
# VISUAL=nano
# EDITOR=nano
edit pacman repositoriy list in /etc/pacman.conf to add multilib
uncomment 2 lines for multilib
recheck mirrorlist at /etc/pacman.d/mirrorlist
- sync all archives
# pacman -Syyy
- install nvidia-setting GUI tool
# pacman -S nvidia-settings
- get visual studio code
# aurman -S vidual-studio-code-bin
- add gnome extension support
# pacman -S chrome-gnome-shell
and enable the extension in firefox
install gnome extension to add suspend button in top right menu
secure boot config
# pacman -S sbsigntools
# aurman -S shim-signed
install needed packages
# mount /dev/sda1 /boot/EFI/
# cp /usr/share/shim-signed/shim.efi /boot/EFI/EFI/grub_uefi/BOOTX64.efi
# cp /usr/share/shim-signed/MokManager.efi /boot/EFI/EFI/grub_uefi/
add shimefi
# efibootmgr
this returns the list of bootable .efi
# mount /dev/sda1 /boot/EFI
- add the previously created BOOTx64.efi for shim to the efi boot options
# efibootmgr -c -d /dev/sda -l /EFI/grub_uefi/BOOTx64.efi -L SHIM_loader
# openssl req -newkey rsa:2048 -nodes -keyout MOK.key -new -x509 -sha256 -days 3650 -subj "/CN=myMachineOwnerKey/" -out MOK.crt
# openssl x509 -outform DER -in MOK.crt -out MOK.cer
# cp MOK.cer /boot/EFI/EFI/grub_uefi/
# sbsign --key MOK.key --cert MOK.crt --output /boot/EFI/EFI/grub_uefi/grubx64.efi /boot/EFI/EFI/grub_uefi/grubx64.efi
create keys and sign the boot loader
copy key to EFI partition
# reboot
change bios secure boot setting to secure boot Windows UEFI Mode
boot the BOOTX64.efi labelled SHIM_loader
at the prompt:
enroll key from disk
select MOK.cer
boot to grubx64.efi
worked!
try booting windows
windows can be booted in secure mode (verified in system info)
blacklist nvidia kernel modules, remove blacklisting from nouveau, that was installed by nvidia
# nano /usr/lib/modprobe.d/nvida.conf
comment line
blacklist nouveau
# nano /usr/lib/modprobe.d/custom.conf
add
blacklist nvidia
blacklist nvidia_modeset
blacklist nvidia_drm
blacklist nvidia_uvm
further steps to sign the linux kernel for secure boot:
a combined efi with the kernel and initramfs is needed
the following AUR package autamatically generates the signed .efi package and has a hook for kernel updates:
# aurman -S sbupdate-git
configure it:
# nano /etc/default/sbupdate
KEY_DIR="/root/secure-boot"
KEYFILE="DB.key"
CRTFILE="DB.crt"
ESP_DIR="/boot"
OUT_DIR=""
SPLASH="/usr/share/systemd/bootctl/splash-arch.bmp"
BACKUP=0
EXTRA_SIGN=()
CMDLINE_DEFAULT="BOOT_IMAGE=/boot/vmlinuz-linux root=/dev/mapper/vg0-lv_root rw quiet"
# sbupdate
run the initalisation
# mount /dev/sda1 /boot/EFI
# cp /boot/linux-signed.efi /boot/EFI/EFI/grub_uefi/
# umount /boot/EFI
copy the .efi to the efi partition, as grub could not load the .efi from an lvm partition (which is the /boot/XXX, wheras /boot/EFI is the mount point of the efi partition)
# sbverify --cert /MOK.crt /boot/EFI/EFI/grub_uefi/linux-signed.efi
verify if the combined .efi is appropriately signed
add the .efi to the grub menu
add the following to /etc/grub.d/40_custom
menuentry "linux-signed" {
insmod chain
search --no-floppy --set=root --file /efi/grub_uefi/linux-signed.efi
echo 'Chainloading Linux linux-signed.efi ...'
chainloader /efi/grub_uefi/linux-signed.efi
}
menuentry "Firmware setup (UEFI)" {
fwsetup
}
# grub-mkconfig -o /boot/grub/grub.cfg
generate new grub.cfg
this image on the efi partition is bootable without secure boot from grub,
booting it with secure boot gives error
TODO:
next steps:
redo mkinitcpio -p linux
redo sbupdate and copy to efi part
try the .efi
delete /secure-boot
set reminder in /etc/default/grub where the default comand line is:
this has to be set in the conf for sbupdate as well, to be affective in the signed kernel
set a hook for the grubx64.efi on the efi partition as well?
what is with nvidia drivers, which are loaded by the kernel?
could they be responsible for the secure boot error?
workaround the bug with nvidia-drivers changing the native resolution of the boot cmd line
clean up boot log until no errors
# journalctl -b
make a copy of the bash input logLast edited by winnetou (2018-05-14 14:40:58)
Offline
#2 2018-05-14 15:07:07
- winnetou
- Member
- Registered: 2018-05-04
- Posts: 7
Re: GRUB2 Secure Boot error /EndEntire error: cannot load image [Solved]
After messing around for a week I finally got secure boot working!
BUT:
I changed my bootloader from GRUB to rEFInd.
And, long story short, this is actually the only thing I changed!
I installed rEFInd, added custom entries for Arch (vmlinuz) and the signed.efi bundle and......
thats it.
I still do not know, why grub was unable to load the image... and I still do not know, why chainloading the signed.efi via shim directly did not work.
So still missing explanations on that.
Another thing to point out:
As I suspected correctly, the boot cmd-line arguments bundled in the signed.efi do get ignored.
I had to add my options in the custom menuentry of rEFInd.
I saw a couple of similar posts, which seemed to have different causes.
But I am pretty sure, for my case, the kernel parameters bundled within the signed.efi are not loaded.
Offline
#3 2025-01-05 06:30:02
- ThinuXunihT
- Member
- Registered: 2025-01-05
- Posts: 1
Re: GRUB2 Secure Boot error /EndEntire error: cannot load image [Solved]
Hi,
I tried these things, and others, for the same problem on Ubuntu Mint (but really the same trouble guys).
So, I went back to posit is there too. 
By the way, installing rEFInd didn't solved mine.
Basically, I replaced
/boot/efi/EFI/Microsoft/Boot/bootmgfw.efiwith an older version of bootmgfw.efi file.
Details there : GRUB Windows not booting
SOLVED
Last edited by ThinuXunihT (2025-01-05 06:32:25)
Offline