#1 2022-12-24 17:20:32

mz
Member
Registered: 2015-07-11
Posts: 43

[SOLVED] Signed official iso secure boot fails

I built a signed official iso using these instructions:
https://wiki.archlinux.org/title/Unifie … ustom_keys
However, the firmware refuses to boot it, saying "Operating system loader failed signature verification".

I mounted the USB stick partitions and verified (sbverify) that all five files are correctly signed with the MOK. This is the same MOK that I use for normal booting from the hard drive.

I'm wondering if there is something else on the USB drive that has to be signed. Any ideas?

Edit:

Based on reading the NSA document https://media.defense.gov/2020/Sep/15/2 … 200915.PDF I think that the MOK is useless without shim, and the instructions do not install shim. Has anyone tried this and gotten it to work?

Last edited by mz (2022-12-24 19:24:53)

#2 2022-12-24 18:12:45

nl6720
The Evil Wiki Admin
Registered: 2016-07-02
Posts: 530

Re: [SOLVED] Signed official iso secure boot fails

That's because the UEFI doesn't read the MokList. MOKs are a shim-specific thing and the ISO doesn't contain shim.

It could be possible to place the shim EFI binaries in /EFI/BOOT/BOOTx64.EFI & /EFI/BOOT/BOOTIA32.EFI and place the standalone GRUB EFI binaries in /EFI/BOOT/grubx64.efi & /EFI/BOOT/grubia32.efi, but reusing the standalone GRUB from the ISO is not possible since it was created with --disable-shim-lock (without that option, it is not possible to use Secure Boot signed GRUB without shim; see https://gitlab.archlinux.org/archlinux/ … a76b1c69e3 ).

A not so pretty solution would be to create the GRUB EFI binaries yourself. E.g. something like this (untested):

$ cat <<'EOF' > /tmp/grub.cfg
if ! [ -d "$cmdpath" ]; then
    # On some firmware, GRUB has a wrong cmdpath when booted from an optical disc.
    # https://gitlab.archlinux.org/archlinux/archiso/-/issues/183
    if regexp --set=1:isodevice '^(\([^)]+\))\/?[Ee][Ff][Ii]\/[Bb][Oo][Oo][Tt]\/?$' "$cmdpath"; then
        cmdpath="${isodevice}/EFI/BOOT"
    fi
fi
configfile "${cmdpath}/grub.cfg"
EOF
$ grub-mkstandalone -O i386-efi \
	--modules="all_video at_keyboard boot btrfs cat chain configfile echo efifwsetup efinet ext2 f2fs fat font gfxmenu gfxterm gzio halt hfsplus iso9660 jpeg keylayouts linux loadenv loopback lsefi lsefimmap minicmd normal part_apple part_gpt part_msdos png read reboot regexp search search_fs_file search_fs_uuid search_label serial sleep tpm usb usbserial_common usbserial_ftdi usbserial_pl2303 usbserial_usbdebug video xfs zstd" \
	--locales="en@quot" \
	--themes="" \
	--sbat=/usr/share/grub/sbat.csv \
	-o grubia32.efi "boot/grub/grub.cfg=/tmp/grub.cfg"
$ grub-mkstandalone -O x86_64-efi \
	--modules="all_video at_keyboard boot btrfs cat chain configfile echo efifwsetup efinet ext2 f2fs fat font gfxmenu gfxterm gzio halt hfsplus iso9660 jpeg keylayouts linux loadenv loopback lsefi lsefimmap minicmd normal part_apple part_gpt part_msdos png read reboot regexp search search_fs_file search_fs_uuid search_label serial sleep tpm usb usbserial_common usbserial_ftdi usbserial_pl2303 usbserial_usbdebug video xfs zstd" \
	--locales="en@quot" \
	--themes="" \
	--sbat=/usr/share/grub/sbat.csv \
	-o grubx64.efi "boot/grub/grub.cfg=/tmp/grub.cfg"
$ sbsign ...
$ mcopy -D oO -i eltorito_img2_uefi.img grubx64.efi grubia32.efi ::/EFI/BOOT/
$ mcopy -D oO -i eltorito_img2_uefi.img shellx64.efi shellia32.efi ::/
$ mcopy -D oO -i eltorito_img2_uefi.img /usr/share/shim-signed/shimx64.efi ::/EFI/BOOT/BOOTx64.EFI
$ mcopy -D oO -i eltorito_img2_uefi.img /usr/share/shim-signed/shimia32.efi ::/EFI/BOOT/BOOTIA32.EFI
$ xorriso -indev archlinux-YYYY.MM.DD-x86_64.iso \
	-outdev archlinux-YYYY.MM.DD-x86_64-Secure_Boot.iso \
	-boot_image any replay \
	-append_partition 2 0xef eltorito_img2_uefi.img \
	-map /usr/share/shim-signed/shimx64.efi /EFI/BOOT/BOOTx64.EFI \
	-map /usr/share/shim-signed/shimia32.efi /EFI/BOOT/BOOTIA32.EFI \
	-map grubx64.efi /EFI/BOOT/grubx64.efi \
	-map grubia32.efi /EFI/BOOT/grubia32.efi \
	-map shellx64.efi /shellx64.efi \
	-map shellia32.efi /shellia32.efi \
	-map vmlinuz-linux /arch/boot/x86_64/vmlinuz-linux

It's entirely possible that eltorito_img2_uefi.img will not have enough free space. You can omit touching the IA32 stuff and maybe it will fit.

Edit: quoted 'EOF'.

Last edited by nl6720 (2022-12-24 18:17:52)
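The post above turns on a distinction that is easy to miss when checking a signed ISO: mz confirmed with sbverify that every EFI binary carried a signature, but the firmware only ever compares the first-stage loader (/EFI/BOOT/BOOTx64.EFI) against db, and MokList is consulted only by shim. The following script, added here as an example and not code from either poster or from archiso, shows the first half of what sbverify does: it parses the PE header of an EFI binary, locates the Authenticode certificate table, and lists which files carry a PKCS#7 entry at all. It does not verify the signature against db or a MOK. All input is constructed inline (a minimal PE32+ image and a fake signature blob), so it runs offline; on a real ISO you would feed it the bytes of the files mounted from eltorito_img2_uefi.img.

```python
"""Enumerate Authenticode (WIN_CERTIFICATE) entries in a UEFI PE binary.

Added example, not code from the thread or from archiso. Only the PE/Authenticode
container is parsed; checking the PKCS#7 signature against db or a MOK is what
sbverify does and is out of scope here. Works offline on constructed input.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data directory index of the certificate table
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData


def security_directory(data: bytes) -> tuple:
    """Return (file_offset, size) of the certificate table, or (0, 0) if absent.

    Unlike other data directories, the security directory holds a raw file
    offset rather than an RVA, so no section lookup is needed.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 4 + 20                           # COFF header is 20 bytes
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x20B:                                # PE32+ (x86_64 EFI)
        nrva_off, dirs_off = 108, 112
    elif magic == 0x10B:                              # PE32 (IA32 EFI)
        nrva_off, dirs_off = 92, 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (n_dirs,) = struct.unpack_from("<I", data, opt + nrva_off)
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return 0, 0
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    return struct.unpack_from("<II", data, entry)


def authenticode_entries(data: bytes) -> list:
    """Walk the WIN_CERTIFICATE chain and describe each entry."""
    off, size = security_directory(data)
    entries = []
    if off == 0 or size == 0:
        return entries
    end = off + size
    if end > len(data):
        raise ValueError("certificate table runs past end of file")
    while off + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE length")
        entries.append({
            "offset": off,
            "revision": revision,
            "type": cert_type,
            "pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
            "blob_len": length - 8,
        })
        off += (length + 7) & ~7                      # entries are 8-byte aligned
    return entries


def unsigned_files(files: dict) -> list:
    """Names of EFI binaries that carry no PKCS#7 Authenticode entry at all."""
    return [name for name, blob in files.items()
            if not any(e["pkcs7"] for e in authenticode_entries(blob))]


def build_pe32plus(cert_blobs=()) -> bytes:
    """Construct a minimal, non-executable PE32+ image for testing (constructed sample)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew: PE header right after the stub
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0002)
    opt = bytearray(240)                              # PE32+ optional header with 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)              # NumberOfRvaAndSizes
    table = bytearray()
    for blob in cert_blobs:
        entry = struct.pack("<IHH", 8 + len(blob), WIN_CERT_REVISION_2_0,
                            WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        table += entry + b"\0" * (-len(entry) % 8)
    header_len = 64 + 4 + len(coff) + len(opt)        # 328 bytes, already 8-byte aligned
    if table:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_len, len(table))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)


if __name__ == "__main__":
    fake_sig = b"\x30\x82\x01\x00" + b"\xAA" * 253    # constructed, not a real PKCS#7 blob
    sample = {
        "EFI/BOOT/BOOTx64.EFI": build_pe32plus([fake_sig]),
        "EFI/BOOT/grubx64.efi": build_pe32plus(),
    }
    for name, blob in sample.items():
        print(name, authenticode_entries(blob))
    print("unsigned:", unsigned_files(sample))
```

A file that shows up in unsigned_files is certainly unbootable under Secure Boot, but the converse does not hold: an entry being present says nothing about whether its signer is in db, in MokList, or revoked in dbx, which is exactly the gap mz hit with a MOK-signed loader and no shim in the chain.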

#3 2022-12-24 19:23:59

mz
Member
Registered: 2015-07-11
Posts: 43

Re: [SOLVED] Signed official iso secure boot fails

So I guess that the wiki instructions could have worked if I had originally set up secure boot this way:

https://wiki.archlinux.org/title/Unifie … r_own_keys

instead of this way:

https://wiki.archlinux.org/title/Unifie … oot_loader.

Edit:

Better results using mkarchiso and the patch referenced here:

https://bbs.archlinux.org/viewtopic.php?id=272809

Last edited by mz (2022-12-24 23:32:54)
