You are not logged in.

#1 2022-12-15 23:25:27

espritlibre
Member
Registered: 2022-12-15
Posts: 13

[SOLVED] prohibited by secure boot policy after grub update

this is my first post on this forum, so please bear with me.

since grub updated a couple weeks back, i get this error "prohibited by secure boot policy" the machine still boots up fine but i have a HiDPi screen and hybrid graphics and the grub menu is tiny. "GRUB_GFXMODE=1280x1024x32" doesnt apply when secure boot is enabled, but it does when secure boot is disabled.
after grubs update i ran grub-install and grub-mkconfig like suggested in the update log.

sudo grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB --modules="all_video boot btrfs cat chain configfile echo efifwsetup efinet ext2 fat font gettext gfxmenu gfxterm gfxterm_background gzio halt help hfsplus iso9660 jpeg keystatus loadenv loopback linux ls lsefi lsefimmap lsefisystab lssal luks lvm memdisk minicmd normal ntfs part_apple part_msdos part_gpt password_pbkdf2 png probe reboot regexp search search_fs_uuid search_fs_file search_label sleep smbios squash4 test true video videoinfo xfs zfs zfscrypt zfsinfo cpuid play tpm cryptodisk gcry_md5 gcry_rfc2268 gcry_sha256 gcry_sha512" --sbat /usr/share/grub/sbat.csv
sudo sbsign --key /etc/MOK/MOK.key --cert /etc/MOK/MOK.crt --output /efi/EFI/GRUB/grubx64.efi /efi/EFI/GRUB/grubx64.efi
sudo sbctl sign -s /efi/EFI/GRUB/grubx64.efi
sudo cp /efi/EFI/GRUB/grubx64.efi /boot/grubx64.efi
sudo grub-mkconfig -o /boot/grub/grub.cfg
sudo efibootmgr --unicode --disk /dev/nvme0n1p1 --create --label "Shim" --loader /EFI/GRUB/BOOTx64.efi

this setup was working fine until the upgrade, i'm clearly missing something here. my troubleshoot attempts lead to nothing. any help is appreciated.


cat /etc/default/grub

# GRUB boot loader configuration

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="ibt=off net.ifnames=0 lsm=landlock,yama,apparmor,integrity,bpf ipv6.disable=1 loglevel=3"
GRUB_CMDLINE_LINUX="cryptdevice=UUID=4f1ca192-c9f6-4d00-8ce7-a9615f3b1635:cryptlvm cryptkey=rootfs:/root/cryptlvm.keyfile"

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"

# Uncomment to enable booting from LUKS encrypted devices
GRUB_ENABLE_CRYPTODISK=y

# Set to 'countdown' or 'hidden' to change timeout behavior,
# press ESC key to display menu.
GRUB_TIMEOUT_STYLE=menu

# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console

# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `videoinfo'
GRUB_GFXMODE=1280x1024x32

# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep

# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true

# Uncomment and set to the desired menu colors.  Used by normal and wallpaper
# modes only.  Entries specified as foreground/background.
GRUB_COLOR_NORMAL="light-blue/black"
GRUB_COLOR_HIGHLIGHT="light-cyan/blue"

# Uncomment one of them for the gfx desired, a image background or a gfxtheme
GRUB_BACKGROUND="/boot/grub/themes/background.png"
#GRUB_THEME="/path/to/gfxtheme"

# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"

# Uncomment to make GRUB remember the last selection. This requires
# setting 'GRUB_DEFAULT=saved' above.
#GRUB_SAVEDEFAULT=true

# Uncomment to disable submenus in boot menu
#GRUB_DISABLE_SUBMENU=y

# Probing for other operating systems is disabled for security reasons. Read
# documentation on GRUB_DISABLE_OS_PROBER, if still want to enable this
# functionality install os-prober and uncomment to detect and include other
# operating systems.
#GRUB_DISABLE_OS_PROBER=false

Last edited by espritlibre (2023-01-19 22:01:33)

Offline

#2 2022-12-16 08:43:25

lunaryorn
Member
Registered: 2021-03-27
Posts: 20
Website

Re: [SOLVED] prohibited by secure boot policy after grub update

The message indicates that grub tries to load an extra module, which isn't signed.  By your symptoms, it's probably a video-related module.   I presume you either need to sign all grub modules, or you need to include the relevant module in your grub-install call.

That said, I find your setup commands a bit strange. It looks as if you're signing the grub binary twice, first with sbsign (line 2), presumably for shim, and then again with sbctl (line 3), as if you were using your own secure boot keys.   And then you're copying the signed EFI binary to "/boot"?  Why's that?

And generally, unless you have a very specific reason for using Grub, I'd recommend to use systemd-boot instead.  It's much simpler to set up and configure; in particular there are no modules, but only a single EFI binary, which is much easier to handle under secure boot.

Online

#3 2022-12-16 08:45:03

seth
Member
Registered: 2012-09-03
Posts: 35,051

Re: [SOLVED] prohibited by secure boot policy after grub update

Please use code tags, not quote tags for file contents and shell IO

GRUB_ENABLE_CRYPTODISK=y

https://bbs.archlinux.org/viewtopic.php … 1#p2073901

Welcome to the forum.

Offline

#4 2023-01-18 06:42:38

dikei
Member
Registered: 2010-12-08
Posts: 16

Re: [SOLVED] prohibited by secure boot policy after grub update

This error is because Grub now forbids the loading of unsigned font files when running under Secure boot.
https://gitlab.com/git-mirrors/grub/-/c … 8617e1c9a5

As a result, it will show the error

prohibited by secure boot policy

when trying to load

/boot/grub/fonts/unicode.pf2
#or whatever font you're using

Offline

#5 2023-01-18 16:28:45

espritlibre
Member
Registered: 2022-12-15
Posts: 13

Re: [SOLVED] prohibited by secure boot policy after grub update

thanks for pointing this out! i tried to sign unicode.pf2 with sbctl but i get an error

$ sudo sbctl sign -s /boot/grub/fonts/unicode.pf2                         [1]
/boot/grub/fonts/unicode.pf2: failed to fetch signatures slice: could not get datadirectory: couldn't parse PE file: unrecognized PE machine: 0x4946

how to get this working?

Offline

#6 2023-01-18 23:54:27

dikei
Member
Registered: 2010-12-08
Posts: 16

Re: [SOLVED] prohibited by secure boot policy after grub update

I haven't figured it out yet.

Offline

#7 2023-01-19 05:46:41

dikei
Member
Registered: 2010-12-08
Posts: 16

Re: [SOLVED] prohibited by secure boot policy after grub update

espritlibre wrote:

thanks for pointing this out! i tried to sign unicode.pf2 with sbctl but i get an error

$ sudo sbctl sign -s /boot/grub/fonts/unicode.pf2                         [1]
/boot/grub/fonts/unicode.pf2: failed to fetch signatures slice: could not get datadirectory: couldn't parse PE file: unrecognized PE machine: 0x4946

how to get this working?

Basically sbctl only supports signing of PE binary, to sign other files you need to use GnuPG, basically:

  • Generate a GnuPG keypair

  • Embedded the public key into the grub EFi image

  • Sign the font file with GnuPG to get a detached signature file

    /boot/grub/fonts/unicode.pf2
    /boot/grub/fonts/unicode.pf2.sig

Read more here: https://casualhacking.io/blog/2020/5/24 … -a-yubikey

That's way too much work for me for little benefits, so I've switched to systemd-boot.

Offline

#8 2023-01-19 22:00:46

espritlibre
Member
Registered: 2022-12-15
Posts: 13

Re: [SOLVED] prohibited by secure boot policy after grub update

i've built grub without the commit you mentioned. this fixed my issue with the tiny font. for anyone experiencing the same issue you can follow the ArchWiki to create a patch.

i don't want to add more complexity with additional keys and signing... probably need to switch to systemd-boot in the near future. how was/is your experience with it?

[marking this thread as solved]

EDIT:
thanks to everybody trying to help

Last edited by espritlibre (2023-01-19 22:03:25)

Offline

#9 2023-01-20 06:38:30

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 6,796
Website

Re: [SOLVED] prohibited by secure boot policy after grub update

Unified kernel images are even simpler than systemd-boot. I put mine at $ESP/EFI/Boot/bootx64.efi and so do without the need for a specific NVRAM entry as well.

Offline

#10 2023-01-20 07:32:09

d.ALT
Member
Registered: 2019-05-10
Posts: 539

Re: [SOLVED] prohibited by secure boot policy after grub update

Head_on_a_Stick wrote:

without the need for a specific NVRAM entry as well.

Hey Head_on_a_Stick, how? Are you single-booting? How does your machine know where to look for the Unified Kernel Image executable?

WIKI wrote:

2.3    Directly from UEFI

efibootmgr can be used to create a UEFI boot entry for the .efi file


(https://wiki.archlinux.org/title/Unifie … _from_UEFI)


<49,17,III,I>    Fama di loro il mondo esser non lassa;
<50,17,III,I>    misericordia e giustizia li sdegna:
<51,17,III,I>    non ragioniam di lor, ma guarda e passa.

Offline

#11 2023-01-20 07:42:26

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 6,796
Website

Re: [SOLVED] prohibited by secure boot policy after grub update

Just single booting at the moment:

$ doas bootctl --no-p
System:
      Firmware: UEFI 2.70 (Lenovo 0.4368)
 Firmware Arch: x64
   Secure Boot: enabled (user)
  TPM2 Support: yes
  Boot into FW: supported

Current Boot Loader:
      Product: n/a
     Features: ✗ Boot counting
               ✗ Menu timeout control
               ✗ One-shot menu timeout control
               ✗ Default entry control
               ✗ One-shot entry control
               ✗ Support for XBOOTLDR partition
               ✗ Support for passing random seed to OS
               ✗ Load drop-in drivers
               ✗ Support Type #1 sort-key field
               ✗ Support @saved pseudo-entry
               ✗ Support Type #1 devicetree field
               ✓ Boot loader sets ESP information
         Stub: systemd-stub 252.4-2-arch
     Features: ✓ Stub sets ESP information
               ✓ Picks up credentials from boot partition
               ✓ Picks up system extension images from boot partition
               ✓ Measures kernel+command line+sysexts
          ESP: /dev/disk/by-partuuid/03c2c928-f488-4739-ae32-86af5bcca7df
         File: └─/EFI/BOOT/BOOTX64.EFI

Random Seed:
 Passed to OS: no
 System Token: set
       Exists: no

Available Boot Loaders on ESP:
          ESP: /efi (/dev/disk/by-partuuid/03c2c928-f488-4739-ae32-86af5bcca7df)
         File: └─/EFI/BOOT/bootx64.efi (systemd-stub 252.4-2-arch)
systemd-boot not installed in ESP.

No boot loaders listed in EFI Variables.

Boot Loader Entries:
        $BOOT: /efi (/dev/disk/by-partuuid/03c2c928-f488-4739-ae32-86af5bcca7df)

0 entries, no entry could be determined as default.
$

My crappy UEFI firmware isn't very consistent in it's handling of NVRAM entries so I find it easier to just not use them.

I'm using my own scripts and pacman hook to generate and sign them with my own SecureBoot key. I have to disable SecureBoot to start Windows on this machine :-)

EDIT: /EFI/Boot/bootx64.efi on the EFI system partition should be booted automatically if there are no specific NVRAM entries. This is how the Arch ISO image boots in UEFI mode.

Last edited by Head_on_a_Stick (2023-01-20 07:45:48)

Offline

#12 2023-01-20 07:47:40

d.ALT
Member
Registered: 2019-05-10
Posts: 539

Re: [SOLVED] prohibited by secure boot policy after grub update

Head_on_a_Stick wrote:

/EFI/Boot/bootx64.efi on the EFI system partition should be booted automatically if there are no specific NVRAM entries

Gotcha!


<49,17,III,I>    Fama di loro il mondo esser non lassa;
<50,17,III,I>    misericordia e giustizia li sdegna:
<51,17,III,I>    non ragioniam di lor, ma guarda e passa.

Offline

#13 2023-01-20 10:14:20

dikei
Member
Registered: 2010-12-08
Posts: 16

Re: [SOLVED] prohibited by secure boot policy after grub update

Head_on_a_Stick wrote:

Unified kernel images are even simpler than systemd-boot. I put mine at $ESP/EFI/Boot/bootx64.efi and so do without the need for a specific NVRAM entry as well.

I'm dual booting, so using a boot loader is still nicer to me. With a boot menu, I don't have to spam F11 every time I want to boot into the other OS.

Systemd-boot also auto-detects any Unified Kernel Images, so you don't have to create boot entry manually, as long as you store the UKI in

esp/EFI/Linux/

Last edited by dikei (2023-01-20 10:15:37)

Offline

#14 2023-01-29 12:17:49

edge33
Member
Registered: 2023-01-29
Posts: 3

Re: [SOLVED] prohibited by secure boot policy after grub update

hey guys, wanted to chime in on this one, I am having the same issue with the "prohibited by secure boot policy", I saw on the bug trackers of other distributions. I set;

console_output console

in place of

gfxterm

with this I can see the characters in grub.
the message "prohibited by secure boot policy" is still present, do we have a way to check which module is the one that could not be loaded?

Offline

Board footer

Powered by FluxBB