
#1 2022-06-10 14:26:51

Sapiens
Member
Registered: 2021-07-05
Posts: 52

secure boot with grub 2.06.r261.g2f4430cc0-1

I wanted to set up secure boot with the current grub version 2.06.r261.g2f4430cc0-1.

I receive an error like in this bug report:

error: prohibited by secure boot policy
enter entering rescue mode
grub rescue>

You need the signed 15.6 shim, it's currently working as expected.

I do not understand what I need to do to make this work. Where would I even get a signed shim 15.6 if not from the AUR?

Last edited by Sapiens (2023-01-07 16:45:37)

Offline

#2 2022-06-11 13:31:51

philo
Member
Registered: 2015-01-26
Posts: 251

Re: secure boot with grub 2.06.r261.g2f4430cc0-1

No doubt you have shim 15.6 installed?

Don't you find any help in this wiki:

https://wiki.archlinux.org/title/Unifie … ecure_Boot

Offline

#3 2022-06-11 17:08:03

Sapiens
Member
Registered: 2021-07-05
Posts: 52

Re: secure boot with grub 2.06.r261.g2f4430cc0-1

Thank you for taking the time to answer. Surely I have not installed shim in version 15.6, for secure boot you need the signed shim, as described on the wiki page you linked, which is available in the AUR, in version shim-signed 15.4+fedora+5-2. I visited what seems to be the official site for shim on GitHub, but I was unable to find out how to build the project and if it is even signed then. Shim is only a kind of bootloader and as I understand it needs a signature with a Microsoft certificate on its binaries for the UEFI to accept it with the standard Microsoft keys it comes with.

Last edited by Sapiens (2022-06-11 17:11:31)

Offline

#4 2022-06-12 11:57:30

philo
Member
Registered: 2015-01-26
Posts: 251

Re: secure boot with grub 2.06.r261.g2f4430cc0-1

For what it's worth, somebody claims to have found an answer:

https://bbs.archlinux.org/viewtopic.php?id=276417

EDIT - For systemd-boot, see:

https://wiki.archlinux.org/title/systemd-boot

EDIT 2 - Although it seems to contain a number of awkward hassles, the wiki I mentioned in post #2 is still the best place to learn how to set up Secure Boot.

EDIT 3 - The shim-signed in AUR, which is based on a Fedora package, is OK to use. The wiki mentions it. Worth a try.
An official signed shim is offered by some other distros but not yet by Arch despite many requests.
The bug report you refer to in your post #1 is closed. There is no bug.

Last edited by philo (2022-06-13 12:56:22)

Offline

#5 2022-07-01 15:38:03

dietzi96
Member
Registered: 2015-07-04
Posts: 17

Re: secure boot with grub 2.06.r261.g2f4430cc0-1

I ran into similar problems and managed to solve them with this thread: https://bbs.archlinux.org/viewtopic.php?id=277474

In my case grub complained about a security violation, because - other than stated in the Secure Boot wiki entry - not only the tpm grub module has to be included on installation, but all ones used. So I used

grub-install --target=x86_64-efi --bootloader-id="Arbitrary name" --efi-directory="Arbitrary path" --sbat=/usr/share/grub/sbat.csv --no-nvram --modules="acpi all_video boot bufio cat chain crypto datetime disk echo efi_gop efi_uga efifwsetup efinet ext2 extcmd fat font fshelp gcry_crc gettext gfxterm gzio halt help linux loadenv ls mmap net normal part_gpt part_msdos priority_queue reboot relocator search search_fs_file search_fs_uuid search_label terminal tpm video video_bochs video_cirrus video_colors video_fb zstd"

and it worked.

Offline
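
Added example (not part of the thread and not posted by any participant): following post #5's finding that every module GRUB uses has to be passed to grub-install, this shell check lists the modules a grub.cfg loads with `insmod` that are missing from a given `--modules` list. The sample config, the shortened module list and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the modules a grub.cfg requests via `insmod`
# with the list given to grub-install --modules.
# Limitation: only explicit `insmod` lines are detected; modules GRUB
# would autoload for a command are not.

# Print the unique module names found on `insmod` lines of the file $1.
cfg_modules() {
    awk '$1 == "insmod" { print $2 }' "$1" | sort -u
}

# Print modules used by config $1 that are absent from the
# space-separated list $2 (one name per line).
missing_modules() {
    for m in $(cfg_modules "$1"); do
        case " $2 " in
            *" $m "*) ;;                 # already embedded
            *) printf '%s\n' "$m" ;;     # would need adding to --modules
        esac
    done
}

# Constructed sample resembling grub-mkconfig output (not from the thread).
sample_cfg=$(mktemp)
trap 'rm -f "$sample_cfg"' EXIT
cat > "$sample_cfg" <<'EOF'
insmod part_gpt
insmod ext2
insmod gfxterm
insmod png
if [ x$feature_all_video_module = xy ]; then
  insmod all_video
fi
menuentry 'Arch Linux' {
  insmod gzio
  insmod luks2
  linux /vmlinuz-linux root=/dev/sda2 rw
}
EOF

# Constructed, shortened --modules list for the demonstration.
embedded="part_gpt ext2 gfxterm all_video gzio linux normal tpm"

echo "Modules to add to --modules:"
missing_modules "$sample_cfg" "$embedded"
```

On a real system, pass the path of the installed grub.cfg and the exact string used for `--modules` to `missing_modules`.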
