* This was written using machine translation. Please understand. *
This is the problem I am having with the two computers I have.
First, I note the minimum information about these two computers.
・MB: MSI X570-A PRO (hereinafter written as X570)
UEFI version 7C37vHH (latest as of 6/23/2022)
It is dual booted with Windows 10 21H1.
It was using the signed PreLoader.
The other one is
・DELL Inspiron 5505 Ryzen 4700U (hereinafter written as 5505)
UEFI version 1.7.0 (latest as of 6/23/2022)
It is dual booted with Windows 11.
It is using the signed shim.
It all started about 3 days ago when 5505 could not start GRUB with some message, so I thought it was probably due to the recent shim-signed (6/20/2022) update.
This update said that EFI binaries could not be run without using SBAT, so I relied on this to reinstall GRUB.
After rebooting and enrolling the hash of grubx64.efi with MokManager, I rebooted and got the error "prohibited by secure boot policy" and went into rescue mode.
Thinking that maybe it doesn't happen on other computers, I switched the X570 from PreLoader to shim and reinstalled GRUB as well.
Then the X570 did the same thing as the 5505 and I could no longer secure boot.
So now I have disabled secure boot on both computers.
Can anyone help? Thank you.
Last edited by 04tm34l (2022-06-26 10:05:34)
Is anyone else having the same problem?
I found this and this as similar examples.
The latter suggests replacing GRUB with Systemd-boot, but I don't know what the questioner did.
In the former case, the questioner solved the problem by reverting the GRUB version, but I found something interesting in the comments below it.
This is what you need to do:
* Disable shim verification
* Include all relevant modules in the EFI binary. Side-loading has been disabled and gives you that error message you see. This has been poorly documented upstream and all distributions that depend on secure boot + grub have just patched up this issue with tons of scripts.
It appears that it is no longer possible to sideload modules when Secure Boot is enabled.
I don't know if this will solve the problem, but I will give it a try.
I totally understand and finally solved it!
It was still necessary to install GRUB with all the necessary modules included to start GRUB.
In this example, only the "tpm" module is loaded, so it will inevitably enter rescue mode.
By the way, I will note what worked in my case. (For my own sake too!)
grub-install --target=x86_64-efi --modules="acpi all_video boot cat chain configfile disk echo efi_gop efi_uga efifwsetup ext2 fat font gettext gfxmenu gfxterm gzio halt help linux loadenv ls normal part_gpt part_msdos reboot scsi search search_fs_file search_fs_uuid search_label tpm video video_bochs video_cirrus video_colors video_fb zstd" --efi-directory="Arbitrary path" --sbat=/usr/share/grub/sbat.csv --bootloader-id="Arbitrary name"
↑ This command is an old one. See the newer post.
I wrote what was already in the insmod lines of /boot/grub/grub.cfg and then added all the rest of what I needed. This was really painstaking.
So the MODULE option should be easier for some people.
However, it is not recommended to enroll a GRUB hash in Shim, because if GRUB and the kernel do not have the proper key, a "bad shim signature" error will occur in GRUB.
So let's follow the example above regarding signatures.
Finally, I would like to share this information on the Wiki, but I don't want to bother creating a Wiki account.
Sorry for being selfish.
Could a moderator or anyone who is referring to this thread and has a Wiki account please share this information on the Wiki?
Some may have switched to Systemd-boot because of GRUB's severe updates.
Systemd-boot is more advanced and easier to use, especially on computers that have recently done away with CSM (Legacy BIOS Mode), and GRUB may now be obsolete.
However, GRUB offers the convenience of using it in any environment and unparalleled scalability.
As a GRUB user, I would be happy if this information reaches as many GRUB users as possible.
Thank you.
Last edited by 04tm34l (2022-06-26 10:34:17)
P.S.
It still shows a "prohibited by secure boot policy" error when booting because grub.cfg tries to insmod modules for compatibility, but this can be ignored.
Additionally, I could shorten the MODULE option a bit.
grub-install --target=x86_64-efi --bootloader-id="Arbitrary name" --efi-directory="Arbitrary path" --sbat=/usr/share/grub/sbat.csv --no-nvram --modules="all_video boot cat chain echo efi_gop efi_uga efifwsetup ext2 fat font gettext gfxterm gzio halt help linux loadenv ls normal part_gpt part_msdos reboot search search_fs_file search_fs_uuid search_label terminal tpm video video_bochs video_cirrus video_colors video_fb zstd"
This is what you get when you also include all the modules that the modules in the line above depend on. These are shown in /usr/lib/grub/<target>/moddep.lst.
grub-install --target=x86_64-efi --bootloader-id="Arbitrary name" --efi-directory="Arbitrary path" --sbat=/usr/share/grub/sbat.csv --no-nvram --modules="acpi all_video boot bufio cat chain crypto datetime disk echo efi_gop efi_uga efifwsetup efinet ext2 extcmd fat font fshelp gcry_crc gettext gfxterm gzio halt help linux loadenv ls mmap net normal part_gpt part_msdos priority_queue reboot relocator search search_fs_file search_fs_uuid search_label terminal tpm video video_bochs video_cirrus video_colors video_fb zstd"
Also, if --no-nvram is not included, GRUB will start without loading Shim, and a "shim_lock protocol not found" error will occur. Please make sure to add Shim to your boot order.
See here for how to do it. Also, some UEFIs do not retain the contents of efibootmgr. In that case, use fallback.
Last edited by 04tm34l (2022-06-26 08:33:13)
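The posts above build the --modules list by hand from the insmod lines in grub.cfg and then from moddep.lst. The script below is an added example, not code from the thread or from the GRUB project: it reads the insmod lines out of a grub.cfg, computes the transitive dependency closure from a file in moddep.lst format ("module: dep1 dep2 ..."), and prints a grub-install command line for review instead of running it. The moddep.lst and grub.cfg contents embedded in it are constructed samples for demonstration; the real files are longer and their dependencies differ, so point the functions at /usr/lib/grub/x86_64-efi/moddep.lst and your own /boot/grub/grub.cfg. The EFI directory and bootloader id passed in the demo call are placeholders.

```shell
#!/bin/sh
# Added example: resolve GRUB module dependencies so that the Secure Boot
# image carries everything it needs and never has to side-load a module.

# Constructed sample in moddep.lst format ("module: dep1 dep2 ...").
# Dependencies here are invented for the demo; the real file differs.
MODDEP_SAMPLE='normal: terminal crypto gettext bufio extcmd
terminal:
search: search_fs_uuid search_fs_file search_label extcmd
linux: boot relocator
relocator: mmap
tpm: extcmd
part_gpt:
ext2: fshelp
gzio:'

# Constructed excerpt of a generated grub.cfg; only the insmod lines matter.
GRUBCFG_SAMPLE='insmod part_gpt
insmod ext2
set root="hd0,gpt2"
insmod gzio
linux /vmlinuz-linux root=UUID=0000-CONSTRUCTED'

# modules_from_grub_cfg FILE: modules grub.cfg would insmod, sorted, unique,
# space separated on one line (this is what the thread collected by hand).
modules_from_grub_cfg() {
    sed -n 's/^[[:space:]]*insmod[[:space:]]\{1,\}\([A-Za-z0-9_]*\).*/\1/p' "$1" \
        | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

# resolve_modules MODDEP_FILE MOD...: the requested modules plus every
# transitive dependency listed in MODDEP_FILE, sorted and unique.
resolve_modules() {
    moddep=$1; shift
    pending="$*"
    resolved=""
    while :; do
        # shellcheck disable=SC2086  # word splitting is intended here
        set -- $pending
        [ $# -eq 0 ] && break
        pending=""
        for m in "$@"; do
            # skip modules already visited (cycles in moddep.lst are harmless)
            case " $resolved " in *" $m "*) continue ;; esac
            resolved="$resolved $m"
            # a module without a line in moddep.lst simply has no dependencies
            deps=$(awk -v m="$m" '$1 == (m ":") { $1 = ""; print }' "$moddep")
            pending="$pending $deps"
        done
    done
    # shellcheck disable=SC2086
    printf '%s\n' $resolved | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

# build_grub_install EFI_DIR BOOT_ID MODDEP_FILE MOD...: print (do not run)
# the grub-install command with the fully resolved --modules list, using the
# same options as the final command in the thread (--sbat, --no-nvram).
build_grub_install() {
    efi_dir=$1; boot_id=$2; moddep=$3; shift 3
    mods=$(resolve_modules "$moddep" "$@")
    printf 'grub-install --target=x86_64-efi --bootloader-id="%s" --efi-directory="%s" --sbat=/usr/share/grub/sbat.csv --no-nvram --modules="%s"\n' \
        "$boot_id" "$efi_dir" "$mods"
}

# Demo on the constructed samples: start from what grub.cfg insmods, add the
# modules the thread needed, and print the command for review before running
# it as root against the real files. EFI path and id are placeholders.
moddep_file=$(mktemp) && printf '%s\n' "$MODDEP_SAMPLE" > "$moddep_file"
cfg_file=$(mktemp) && printf '%s\n' "$GRUBCFG_SAMPLE" > "$cfg_file"
# shellcheck disable=SC2046
build_grub_install /boot/efi GRUB "$moddep_file" \
    $(modules_from_grub_cfg "$cfg_file") linux normal search tpm
rm -f "$moddep_file" "$cfg_file"
```

Because the closure is computed from moddep.lst rather than typed in, a module renamed or re-split in a later GRUB release is picked up automatically the next time the script is run, which is the maintenance burden the posts above describe.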