[SOLVED] prohibited by secure boot policy after grub update

espritlibre · 2022-12-15 23:25:27

this is my first post on this forum, so please bear with me.

since grub updated a couple weeks back, i get this error "prohibited by secure boot policy" the machine still boots up fine but i have a HiDPi screen and hybrid graphics and the grub menu is tiny. "GRUB_GFXMODE=1280x1024x32" doesnt apply when secure boot is enabled, but it does when secure boot is disabled.
after grubs update i ran grub-install and grub-mkconfig like suggested in the update log.

sudo grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB --modules="all_video boot btrfs cat chain configfile echo efifwsetup efinet ext2 fat font gettext gfxmenu gfxterm gfxterm_background gzio halt help hfsplus iso9660 jpeg keystatus loadenv loopback linux ls lsefi lsefimmap lsefisystab lssal luks lvm memdisk minicmd normal ntfs part_apple part_msdos part_gpt password_pbkdf2 png probe reboot regexp search search_fs_uuid search_fs_file search_label sleep smbios squash4 test true video videoinfo xfs zfs zfscrypt zfsinfo cpuid play tpm cryptodisk gcry_md5 gcry_rfc2268 gcry_sha256 gcry_sha512" --sbat /usr/share/grub/sbat.csv
sudo sbsign --key /etc/MOK/MOK.key --cert /etc/MOK/MOK.crt --output /efi/EFI/GRUB/grubx64.efi /efi/EFI/GRUB/grubx64.efi
sudo sbctl sign -s /efi/EFI/GRUB/grubx64.efi
sudo cp /efi/EFI/GRUB/grubx64.efi /boot/grubx64.efi
sudo grub-mkconfig -o /boot/grub/grub.cfg
sudo efibootmgr --unicode --disk /dev/nvme0n1p1 --create --label "Shim" --loader /EFI/GRUB/BOOTx64.efi

this setup was working fine until the upgrade, i'm clearly missing something here. my troubleshoot attempts lead to nothing. any help is appreciated.

cat /etc/default/grub

# GRUB boot loader configuration
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="ibt=off net.ifnames=0 lsm=landlock,yama,apparmor,integrity,bpf ipv6.disable=1 loglevel=3"
GRUB_CMDLINE_LINUX="cryptdevice=UUID=4f1ca192-c9f6-4d00-8ce7-a9615f3b1635:cryptlvm cryptkey=rootfs:/root/cryptlvm.keyfile"
# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"
# Uncomment to enable booting from LUKS encrypted devices
GRUB_ENABLE_CRYPTODISK=y
# Set to 'countdown' or 'hidden' to change timeout behavior,
# press ESC key to display menu.
GRUB_TIMEOUT_STYLE=menu
# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console
# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console
# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `videoinfo'
GRUB_GFXMODE=1280x1024x32
# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep
# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
#GRUB_DISABLE_LINUX_UUID=true
# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true
# Uncomment and set to the desired menu colors. Used by normal and wallpaper
# modes only. Entries specified as foreground/background.
GRUB_COLOR_NORMAL="light-blue/black"
GRUB_COLOR_HIGHLIGHT="light-cyan/blue"
# Uncomment one of them for the gfx desired, a image background or a gfxtheme
GRUB_BACKGROUND="/boot/grub/themes/background.png"
#GRUB_THEME="/path/to/gfxtheme"
# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"
# Uncomment to make GRUB remember the last selection. This requires
# setting 'GRUB_DEFAULT=saved' above.
#GRUB_SAVEDEFAULT=true
# Uncomment to disable submenus in boot menu
#GRUB_DISABLE_SUBMENU=y
# Probing for other operating systems is disabled for security reasons. Read
# documentation on GRUB_DISABLE_OS_PROBER, if still want to enable this
# functionality install os-prober and uncomment to detect and include other
# operating systems.
#GRUB_DISABLE_OS_PROBER=false

Last edited by espritlibre (2023-01-19 22:01:33)

lunaryorn · 2022-12-16 08:43:25

The message indicates that grub tries to load an extra module, which isn't signed. By your symptoms, it's probably a video-related module. I presume you either need to sign all grub modules, or you need to include the relevant module in your grub-install call.

That said, I find your setup commands a bit strange. It looks as if you're signing the grub binary twice, first with sbsign (line 2), presumably for shim, and then again with sbctl (line 3), as if you were using your own secure boot keys. And then you're copying the signed EFI binary to "/boot"? Why's that?

And generally, unless you have a very specific reason for using Grub, I'd recommend to use systemd-boot instead. It's much simpler to set up and configure; in particular there are no modules, but only a single EFI binary, which is much easier to handle under secure boot.

seth · 2022-12-16 08:45:03

Please use code tags, not quote tags for file contents and shell IO

GRUB_ENABLE_CRYPTODISK=y

https://bbs.archlinux.org/viewtopic.php … 1#p2073901

Welcome to the forum.

dikei · 2023-01-18 06:42:38

This error is because Grub now forbids the loading of unsigned font files when running under Secure boot.
https://gitlab.com/git-mirrors/grub/-/c … 8617e1c9a5

As a result, it will show the error

prohibited by secure boot policy

when trying to load

/boot/grub/fonts/unicode.pf2
#or whatever font you're using

espritlibre · 2023-01-18 16:28:45

thanks for pointing this out! i tried to sign unicode.pf2 with sbctl but i get an error

$ sudo sbctl sign -s /boot/grub/fonts/unicode.pf2                         [1]
/boot/grub/fonts/unicode.pf2: failed to fetch signatures slice: could not get datadirectory: couldn't parse PE file: unrecognized PE machine: 0x4946

how to get this working?

dikei · 2023-01-18 23:54:27

I haven't figured it out yet.

dikei · 2023-01-19 05:46:41

espritlibre wrote:

thanks for pointing this out! i tried to sign unicode.pf2 with sbctl but i get an error
$ sudo sbctl sign -s /boot/grub/fonts/unicode.pf2                         [1]
/boot/grub/fonts/unicode.pf2: failed to fetch signatures slice: could not get datadirectory: couldn't parse PE file: unrecognized PE machine: 0x4946
how to get this working?

Basically sbctl only supports signing of PE binary, to sign other files you need to use GnuPG, basically:

Generate a GnuPG keypair
Embedded the public key into the grub EFi image
Sign the font file with GnuPG to get a detached signature file
```
/boot/grub/fonts/unicode.pf2
/boot/grub/fonts/unicode.pf2.sig
```

Read more here: https://casualhacking.io/blog/2020/5/24 … -a-yubikey

That's way too much work for me for little benefits, so I've switched to systemd-boot.

espritlibre · 2023-01-19 22:00:46

i've built grub without the commit you mentioned. this fixed my issue with the tiny font. for anyone experiencing the same issue you can follow the ArchWiki to create a patch.

i don't want to add more complexity with additional keys and signing... probably need to switch to systemd-boot in the near future. how was/is your experience with it?

[marking this thread as solved]

EDIT:
thanks to everybody trying to help

Last edited by espritlibre (2023-01-19 22:03:25)

Head_on_a_Stick · 2023-01-20 06:38:30

Unified kernel images are even simpler than systemd-boot. I put mine at $ESP/EFI/Boot/bootx64.efi and so do without the need for a specific NVRAM entry as well.

d.ALT · 2023-01-20 07:32:09

Head_on_a_Stick wrote:

without the need for a specific NVRAM entry as well.

Hey Head_on_a_Stick, how? Are you single-booting? How does your machine know where to look for the Unified Kernel Image executable?

WIKI wrote:

2.3 Directly from UEFI
efibootmgr can be used to create a UEFI boot entry for the .efi file

(https://wiki.archlinux.org/title/Unifie … _from_UEFI)

Head_on_a_Stick · 2023-01-20 07:42:26

Just single booting at the moment:

$ doas bootctl --no-p
System:
      Firmware: UEFI 2.70 (Lenovo 0.4368)
 Firmware Arch: x64
   Secure Boot: enabled (user)
  TPM2 Support: yes
  Boot into FW: supported

Current Boot Loader:
      Product: n/a
     Features: ✗ Boot counting
               ✗ Menu timeout control
               ✗ One-shot menu timeout control
               ✗ Default entry control
               ✗ One-shot entry control
               ✗ Support for XBOOTLDR partition
               ✗ Support for passing random seed to OS
               ✗ Load drop-in drivers
               ✗ Support Type #1 sort-key field
               ✗ Support @saved pseudo-entry
               ✗ Support Type #1 devicetree field
               ✓ Boot loader sets ESP information
         Stub: systemd-stub 252.4-2-arch
     Features: ✓ Stub sets ESP information
               ✓ Picks up credentials from boot partition
               ✓ Picks up system extension images from boot partition
               ✓ Measures kernel+command line+sysexts
          ESP: /dev/disk/by-partuuid/03c2c928-f488-4739-ae32-86af5bcca7df
         File: └─/EFI/BOOT/BOOTX64.EFI

Random Seed:
 Passed to OS: no
 System Token: set
       Exists: no

Available Boot Loaders on ESP:
          ESP: /efi (/dev/disk/by-partuuid/03c2c928-f488-4739-ae32-86af5bcca7df)
         File: └─/EFI/BOOT/bootx64.efi (systemd-stub 252.4-2-arch)
systemd-boot not installed in ESP.

No boot loaders listed in EFI Variables.

Boot Loader Entries:
        $BOOT: /efi (/dev/disk/by-partuuid/03c2c928-f488-4739-ae32-86af5bcca7df)

0 entries, no entry could be determined as default.
$

My crappy UEFI firmware isn't very consistent in it's handling of NVRAM entries so I find it easier to just not use them.

I'm using my own scripts and pacman hook to generate and sign them with my own SecureBoot key. I have to disable SecureBoot to start Windows on this machine :-)

EDIT: /EFI/Boot/bootx64.efi on the EFI system partition should be booted automatically if there are no specific NVRAM entries. This is how the Arch ISO image boots in UEFI mode.

Last edited by Head_on_a_Stick (2023-01-20 07:45:48)

d.ALT · 2023-01-20 07:47:40

Head_on_a_Stick wrote:

/EFI/Boot/bootx64.efi on the EFI system partition should be booted automatically if there are no specific NVRAM entries

Gotcha!

dikei · 2023-01-20 10:14:20

Head_on_a_Stick wrote:

Unified kernel images are even simpler than systemd-boot. I put mine at $ESP/EFI/Boot/bootx64.efi and so do without the need for a specific NVRAM entry as well.

I'm dual booting, so using a boot loader is still nicer to me. With a boot menu, I don't have to spam F11 every time I want to boot into the other OS.

Systemd-boot also auto-detects any Unified Kernel Images, so you don't have to create boot entry manually, as long as you store the UKI in

esp/EFI/Linux/

Last edited by dikei (2023-01-20 10:15:37)

edge33 · 2023-01-29 12:17:49

hey guys, wanted to chime in on this one, I am having the same issue with the "prohibited by secure boot policy", I saw on the bug trackers of other distributions. I set;

console_output console

in place of

gfxterm

with this I can see the characters in grub.
the message "prohibited by secure boot policy" is still present, do we have a way to check which module is the one that could not be loaded?

Arch Linux

#1 2022-12-15 23:25:27

[SOLVED] prohibited by secure boot policy after grub update

#2 2022-12-16 08:43:25

Re: [SOLVED] prohibited by secure boot policy after grub update

#3 2022-12-16 08:45:03

Re: [SOLVED] prohibited by secure boot policy after grub update

#4 2023-01-18 06:42:38

Re: [SOLVED] prohibited by secure boot policy after grub update

#5 2023-01-18 16:28:45

Re: [SOLVED] prohibited by secure boot policy after grub update

#6 2023-01-18 23:54:27

Re: [SOLVED] prohibited by secure boot policy after grub update

#7 2023-01-19 05:46:41

Re: [SOLVED] prohibited by secure boot policy after grub update

#8 2023-01-19 22:00:46

Re: [SOLVED] prohibited by secure boot policy after grub update

#9 2023-01-20 06:38:30

Re: [SOLVED] prohibited by secure boot policy after grub update

#10 2023-01-20 07:32:09

Re: [SOLVED] prohibited by secure boot policy after grub update

#11 2023-01-20 07:42:26

Re: [SOLVED] prohibited by secure boot policy after grub update

#12 2023-01-20 07:47:40

Re: [SOLVED] prohibited by secure boot policy after grub update

#13 2023-01-20 10:14:20

Re: [SOLVED] prohibited by secure boot policy after grub update

#14 2023-01-29 12:17:49

Re: [SOLVED] prohibited by secure boot policy after grub update

Board footer