[SOLVED] prohibited by secure boot policy after grub update

espritlibre · 2022-12-15 23:25:27

this is my first post on this forum, so please bear with me.

since grub updated a couple weeks back, i get this error "prohibited by secure boot policy" the machine still boots up fine but i have a HiDPi screen and hybrid graphics and the grub menu is tiny. "GRUB_GFXMODE=1280x1024x32" doesnt apply when secure boot is enabled, but it does when secure boot is disabled.
after grubs update i ran grub-install and grub-mkconfig like suggested in the update log.

sudo grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB --modules="all_video boot btrfs cat chain configfile echo efifwsetup efinet ext2 fat font gettext gfxmenu gfxterm gfxterm_background gzio halt help hfsplus iso9660 jpeg keystatus loadenv loopback linux ls lsefi lsefimmap lsefisystab lssal luks lvm memdisk minicmd normal ntfs part_apple part_msdos part_gpt password_pbkdf2 png probe reboot regexp search search_fs_uuid search_fs_file search_label sleep smbios squash4 test true video videoinfo xfs zfs zfscrypt zfsinfo cpuid play tpm cryptodisk gcry_md5 gcry_rfc2268 gcry_sha256 gcry_sha512" --sbat /usr/share/grub/sbat.csv
sudo sbsign --key /etc/MOK/MOK.key --cert /etc/MOK/MOK.crt --output /efi/EFI/GRUB/grubx64.efi /efi/EFI/GRUB/grubx64.efi
sudo sbctl sign -s /efi/EFI/GRUB/grubx64.efi
sudo cp /efi/EFI/GRUB/grubx64.efi /boot/grubx64.efi
sudo grub-mkconfig -o /boot/grub/grub.cfg
sudo efibootmgr --unicode --disk /dev/nvme0n1p1 --create --label "Shim" --loader /EFI/GRUB/BOOTx64.efi

this setup was working fine until the upgrade, i'm clearly missing something here. my troubleshoot attempts lead to nothing. any help is appreciated.

cat /etc/default/grub

# GRUB boot loader configuration
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="ibt=off net.ifnames=0 lsm=landlock,yama,apparmor,integrity,bpf ipv6.disable=1 loglevel=3"
GRUB_CMDLINE_LINUX="cryptdevice=UUID=4f1ca192-c9f6-4d00-8ce7-a9615f3b1635:cryptlvm cryptkey=rootfs:/root/cryptlvm.keyfile"
# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"
# Uncomment to enable booting from LUKS encrypted devices
GRUB_ENABLE_CRYPTODISK=y
# Set to 'countdown' or 'hidden' to change timeout behavior,
# press ESC key to display menu.
GRUB_TIMEOUT_STYLE=menu
# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console
# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console
# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `videoinfo'
GRUB_GFXMODE=1280x1024x32
# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep
# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
#GRUB_DISABLE_LINUX_UUID=true
# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true
# Uncomment and set to the desired menu colors. Used by normal and wallpaper
# modes only. Entries specified as foreground/background.
GRUB_COLOR_NORMAL="light-blue/black"
GRUB_COLOR_HIGHLIGHT="light-cyan/blue"
# Uncomment one of them for the gfx desired, a image background or a gfxtheme
GRUB_BACKGROUND="/boot/grub/themes/background.png"
#GRUB_THEME="/path/to/gfxtheme"
# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"
# Uncomment to make GRUB remember the last selection. This requires
# setting 'GRUB_DEFAULT=saved' above.
#GRUB_SAVEDEFAULT=true
# Uncomment to disable submenus in boot menu
#GRUB_DISABLE_SUBMENU=y
# Probing for other operating systems is disabled for security reasons. Read
# documentation on GRUB_DISABLE_OS_PROBER, if still want to enable this
# functionality install os-prober and uncomment to detect and include other
# operating systems.
#GRUB_DISABLE_OS_PROBER=false

Last edited by espritlibre (2023-01-19 22:01:33)

3beb6e7c46a615a · 2022-12-16 08:43:25

The message indicates that grub tries to load an extra module, which isn't signed. By your symptoms, it's probably a video-related module. I presume you either need to sign all grub modules, or you need to include the relevant module in your grub-install call.

That said, I find your setup commands a bit strange. It looks as if you're signing the grub binary twice, first with sbsign (line 2), presumably for shim, and then again with sbctl (line 3), as if you were using your own secure boot keys. And then you're copying the signed EFI binary to "/boot"? Why's that?

And generally, unless you have a very specific reason for using Grub, I'd recommend to use systemd-boot instead. It's much simpler to set up and configure; in particular there are no modules, but only a single EFI binary, which is much easier to handle under secure boot.

seth · 2022-12-16 08:45:03

Please use code tags, not quote tags for file contents and shell IO

GRUB_ENABLE_CRYPTODISK=y

https://bbs.archlinux.org/viewtopic.php … 1#p2073901

Welcome to the forum.

dikei · 2023-01-18 06:42:38

This error is because Grub now forbids the loading of unsigned font files when running under Secure boot.
https://gitlab.com/git-mirrors/grub/-/c … 8617e1c9a5

As a result, it will show the error

prohibited by secure boot policy

when trying to load

/boot/grub/fonts/unicode.pf2
#or whatever font you're using

espritlibre · 2023-01-18 16:28:45

thanks for pointing this out! i tried to sign unicode.pf2 with sbctl but i get an error

$ sudo sbctl sign -s /boot/grub/fonts/unicode.pf2                         [1]
/boot/grub/fonts/unicode.pf2: failed to fetch signatures slice: could not get datadirectory: couldn't parse PE file: unrecognized PE machine: 0x4946

how to get this working?

dikei · 2023-01-18 23:54:27

I haven't figured it out yet.

dikei · 2023-01-19 05:46:41

espritlibre wrote:

thanks for pointing this out! i tried to sign unicode.pf2 with sbctl but i get an error
$ sudo sbctl sign -s /boot/grub/fonts/unicode.pf2                         [1]
/boot/grub/fonts/unicode.pf2: failed to fetch signatures slice: could not get datadirectory: couldn't parse PE file: unrecognized PE machine: 0x4946
how to get this working?

Basically sbctl only supports signing of PE binary, to sign other files you need to use GnuPG, basically:

Generate a GnuPG keypair
Embedded the public key into the grub EFi image
Sign the font file with GnuPG to get a detached signature file
```
/boot/grub/fonts/unicode.pf2
/boot/grub/fonts/unicode.pf2.sig
```

Read more here: https://casualhacking.io/blog/2020/5/24 … -a-yubikey

That's way too much work for me for little benefits, so I've switched to systemd-boot.

espritlibre · 2023-01-19 22:00:46

i've built grub without the commit you mentioned. this fixed my issue with the tiny font. for anyone experiencing the same issue you can follow the ArchWiki to create a patch.

i don't want to add more complexity with additional keys and signing... probably need to switch to systemd-boot in the near future. how was/is your experience with it?

[marking this thread as solved]

EDIT:
thanks to everybody trying to help

Last edited by espritlibre (2023-01-19 22:03:25)

Head_on_a_Stick · 2023-01-20 06:38:30

Unified kernel images are even simpler than systemd-boot. I put mine at $ESP/EFI/Boot/bootx64.efi and so do without the need for a specific NVRAM entry as well.

d.ALT · 2023-01-20 07:32:09

Head_on_a_Stick wrote:

without the need for a specific NVRAM entry as well.

Hey Head_on_a_Stick, how? Are you single-booting? How does your machine know where to look for the Unified Kernel Image executable?

WIKI wrote:

2.3 Directly from UEFI
efibootmgr can be used to create a UEFI boot entry for the .efi file

(https://wiki.archlinux.org/title/Unifie … _from_UEFI)

Head_on_a_Stick · 2023-01-20 07:42:26

Just single booting at the moment:

$ doas bootctl --no-p
System:
      Firmware: UEFI 2.70 (Lenovo 0.4368)
 Firmware Arch: x64
   Secure Boot: enabled (user)
  TPM2 Support: yes
  Boot into FW: supported

Current Boot Loader:
      Product: n/a
     Features: ✗ Boot counting
               ✗ Menu timeout control
               ✗ One-shot menu timeout control
               ✗ Default entry control
               ✗ One-shot entry control
               ✗ Support for XBOOTLDR partition
               ✗ Support for passing random seed to OS
               ✗ Load drop-in drivers
               ✗ Support Type #1 sort-key field
               ✗ Support @saved pseudo-entry
               ✗ Support Type #1 devicetree field
               ✓ Boot loader sets ESP information
         Stub: systemd-stub 252.4-2-arch
     Features: ✓ Stub sets ESP information
               ✓ Picks up credentials from boot partition
               ✓ Picks up system extension images from boot partition
               ✓ Measures kernel+command line+sysexts
          ESP: /dev/disk/by-partuuid/03c2c928-f488-4739-ae32-86af5bcca7df
         File: └─/EFI/BOOT/BOOTX64.EFI

Random Seed:
 Passed to OS: no
 System Token: set
       Exists: no

Available Boot Loaders on ESP:
          ESP: /efi (/dev/disk/by-partuuid/03c2c928-f488-4739-ae32-86af5bcca7df)
         File: └─/EFI/BOOT/bootx64.efi (systemd-stub 252.4-2-arch)
systemd-boot not installed in ESP.

No boot loaders listed in EFI Variables.

Boot Loader Entries:
        $BOOT: /efi (/dev/disk/by-partuuid/03c2c928-f488-4739-ae32-86af5bcca7df)

0 entries, no entry could be determined as default.
$

My crappy UEFI firmware isn't very consistent in it's handling of NVRAM entries so I find it easier to just not use them.

I'm using my own scripts and pacman hook to generate and sign them with my own SecureBoot key. I have to disable SecureBoot to start Windows on this machine :-)

EDIT: /EFI/Boot/bootx64.efi on the EFI system partition should be booted automatically if there are no specific NVRAM entries. This is how the Arch ISO image boots in UEFI mode.

Last edited by Head_on_a_Stick (2023-01-20 07:45:48)

d.ALT · 2023-01-20 07:47:40

Head_on_a_Stick wrote:

/EFI/Boot/bootx64.efi on the EFI system partition should be booted automatically if there are no specific NVRAM entries

Gotcha!

dikei · 2023-01-20 10:14:20

Head_on_a_Stick wrote:

Unified kernel images are even simpler than systemd-boot. I put mine at $ESP/EFI/Boot/bootx64.efi and so do without the need for a specific NVRAM entry as well.

I'm dual booting, so using a boot loader is still nicer to me. With a boot menu, I don't have to spam F11 every time I want to boot into the other OS.

Systemd-boot also auto-detects any Unified Kernel Images, so you don't have to create boot entry manually, as long as you store the UKI in

esp/EFI/Linux/

Last edited by dikei (2023-01-20 10:15:37)

edge33 · 2023-01-29 12:17:49

hey guys, wanted to chime in on this one, I am having the same issue with the "prohibited by secure boot policy", I saw on the bug trackers of other distributions. I set;

console_output console

in place of

gfxterm

with this I can see the characters in grub.
the message "prohibited by secure boot policy" is still present, do we have a way to check which module is the one that could not be loaded?

espritlibre · 2023-02-02 21:23:03

edge33 wrote:

hey guys, wanted to chime in on this one, I am having the same issue with the "prohibited by secure boot policy", I saw on the bug trackers of other distributions. I set;
console_output console
in place of
gfxterm
with this I can see the characters in grub.
the message "prohibited by secure boot policy" is still present, do we have a way to check which module is the one that could not be loaded?

it's not a module that couldn't be loaded, it's the font file itself. look at post #4 and #8

MrSplitsG · 2023-06-06 08:26:54

If anyone is still interested, I managed to get my grub working with secure boot by following the following link:
https://projectacrn.github.io/latest/tu … -grub.html
Make backups of original grubx64.efi, unicode.pf2 and any other files you will be modifying for in case something goes wrong, might be worth also having a usb bootable or recovery environment ready as well.

created Working Directory:

mkdir GrubMake
cd GrubMake

Created the GnuPG keys needed:

mkdir --mode 0700 keys
gpg --homedir keys  --gen-key
gpg --homedir keys --export > boot.key

created grub.init.cfg Containing:

set check_signatures=enforce
export check_signatures

search --no-floppy --fs-uuid --set=root "Your Boot Partitions UUID"
configfile /grub.cfg # Change to your grub.cfg file location e.g. /@boot/boot/grub/grub.cfg with a btrfs setup
echo /grub.cfg did not boot the system, rebooting in 10 seconds.
sleep 10
reboot

signed the grub.init.cfg with GnuPG:

gpg --homedir keys --detach-sign grub.init.cfg

copied the unicode.pf2 to working directory:

cp /boot/grub/unicode.pf2 .

signed the unicode.pf2 file with GnuPG:

gpg --homedir keys --detach-sign unicode.pf2

used the following script to generate grubx64.efi -> I didn't create the script I just used the variables and commands in terminal, also I changed the MODULES to what i found on UEFI Secure boot archwiki:

#!/bin/bash
#

TARGET_EFI='path/to/grubx64.efi'

# GRUB doesn't allow loading new modules from disk when secure boot is in
# effect, therefore pre-load the required modules.

## I wasn't using the modules in the article I was using modules I found on UEFI Secureboot archwiki, I included them all for testing will be removing what im not using eventually, modules I used are listed below

MODULES="all_video boot btrfs cat chain configfile echo efifwsetup efinet ext2 fat font gettext gfxmenu gfxterm gfxterm_background gzio halt help hfsplus iso9660 jpeg keystatus loadenv loopback linux ls lsefi lsefimmap lsefisystab lssal memdisk minicmd normal ntfs part_apple part_msdos part_gpt password_pbkdf2 png probe reboot regexp search search_fs_uuid search_fs_file search_label sleep smbios squash4 test true video xfs zfs zfscrypt zfsinfo play cpuid tpm cryptodisk luks lvm mdraid09 mdraid1x raid5rec raid6rec"

grub-mkstandalone --directory /usr/lib/grub/x86_64-efi --format x86_64-efi --modules "$MODULES" --pubkey ./boot.key --sbat /usr/share/grub/sbat.csv--output ./grubx64.efi "boot/grub/grub.cfg=./grub.init.cfg" "boot/grub/grub.cfg.sig=./grub.init.cfg.sig"

echo "writing signed grub.efi to '$TARGET_EFI'"
sudo cp ./grubx64.efi "$TARGET_EFI"

signed my grubx64.efi with keys I already created for shim-signed:

sudo sbsign --key /path/to/.key/file --cert /path/to/.crt/file --output /esp/path/to/grubx64.efi /esp/path/to/grubx64.efi

copy the unicode.pf2 and the unicode.pf2.sig file back to /boot/grub/fonts/

cp unicode.pf2 unicode.pf2.sig /boot/grub/fonts/

I also didn't carry on with the article after the bash script as I signed via shim
the article above mentions signing the grub.cfg configfile as well but i didn't do this and it worked for me, if there are issues refer to the article, I managed to fix my error: prohibited by secure boot policy with the article above.

Last edited by MrSplitsG (2023-06-06 08:33:06)

1ng0 · 2024-06-21 17:26:00

MrSplitsG wrote:

Created the GnuPG keys needed:

mkdir --mode 0700 keys
gpg --homedir keys  --gen-key
gpg --homedir keys --export > boot.key

Just for anyone passing by in the future, I saw the same effect with gnupg 2.4.5 and grub 2.12 when gpg --gen-key creates an ed25519 key by default which is silently ignored by grub (or the pgp module) when passing it with the --pubkey flag. Make sure to use gpg --full-gen-key and select to create an RSA key.

Best whishes!

chowmander · 2025-04-13 04:08:18

MrSplitsG wrote:
created Working Directory:
mkdir GrubMake
cd GrubMake

Still very new to arch linux, trying to get secure boot working with Grub. Does this working directory need to be in /boot/grub?

Last edited by chowmander (2025-04-13 04:09:18)

seth · 2025-04-13 06:33:54

It's a transactional directory - the results get copied to the ESP and the directory then deleted.
You can create it in /tmp and call it "foomacbarface"

Arch Linux

#1 2022-12-15 23:25:27

[SOLVED] prohibited by secure boot policy after grub update

#2 2022-12-16 08:43:25

Re: [SOLVED] prohibited by secure boot policy after grub update

#3 2022-12-16 08:45:03

Re: [SOLVED] prohibited by secure boot policy after grub update

#4 2023-01-18 06:42:38

Re: [SOLVED] prohibited by secure boot policy after grub update

#5 2023-01-18 16:28:45

Re: [SOLVED] prohibited by secure boot policy after grub update

#6 2023-01-18 23:54:27

Re: [SOLVED] prohibited by secure boot policy after grub update

#7 2023-01-19 05:46:41

Re: [SOLVED] prohibited by secure boot policy after grub update

#8 2023-01-19 22:00:46

Re: [SOLVED] prohibited by secure boot policy after grub update

#9 2023-01-20 06:38:30

Re: [SOLVED] prohibited by secure boot policy after grub update

#10 2023-01-20 07:32:09

Re: [SOLVED] prohibited by secure boot policy after grub update

#11 2023-01-20 07:42:26

Re: [SOLVED] prohibited by secure boot policy after grub update

#12 2023-01-20 07:47:40

Re: [SOLVED] prohibited by secure boot policy after grub update

#13 2023-01-20 10:14:20

Re: [SOLVED] prohibited by secure boot policy after grub update

#14 2023-01-29 12:17:49

Re: [SOLVED] prohibited by secure boot policy after grub update

#15 2023-02-02 21:23:03

Re: [SOLVED] prohibited by secure boot policy after grub update

#16 2023-06-06 08:26:54

Re: [SOLVED] prohibited by secure boot policy after grub update

#17 2024-06-21 17:26:00

Re: [SOLVED] prohibited by secure boot policy after grub update

#18 2025-04-13 04:08:18

Re: [SOLVED] prohibited by secure boot policy after grub update

#19 2025-04-13 06:33:54

Re: [SOLVED] prohibited by secure boot policy after grub update

Board footer