#1 2023-03-17 11:32:08

Gravydigger
Member
Registered: 2023-03-17
Posts: 8

[SOLVED] Difficult implementing secure boot with GRUB

Hello,
After installing Arch, I've been trying to enable Secure Boot on my laptop. Using sbctl, I've managed to enroll the keys & sign the files needed for secure boot. However, as I am using GRUB, the wiki states that I need to include all of the necessary modules in the binary. Using the provided Ubuntu build script, I placed most of the modules (basic, platform-specific, and advanced) into /etc/profile as an environment variable.

From there, I ran the following command as root:

# grub-install --target=x86_64-efi --efi-directory=/boot/efi --modules=${GRUB_MODULES}
grub-install: error: More than one install device?

I couldn't really find any useful information on what that error meant on Google, but I managed to figure out that it probably has something to do with how my $GRUB_MODULES environment variable is set. I assumed that I might have duplicate modules, but re-checking shows that each module is unique.

I'd appreciate some help about where I am going wrong.

Thanks!

Last edited by Gravydigger (2023-03-23 10:54:12)

#2 2023-03-17 23:14:41

espritlibre
Member
Registered: 2022-12-15
Posts: 35

Re: [SOLVED] Difficult implementing secure boot with GRUB

undo what you have done in /etc/profile and install grub like this:
don't copy paste! read the command...

# grub-install --target=x86_64-efi --efi-directory=/path/to/efi --bootloader-id=GRUB --modules="all_video boot btrfs cat and whatever else module you need" --sbat /usr/share/grub/sbat.csv

you need to run that command whenever grub is updated followed by:

# grub-mkconfig -o /boot/grub/grub.cfg

welcome to the forum

Last edited by espritlibre (2023-03-17 23:17:00)
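
An added illustration (not part of the posts above and not GRUB's own code) of why the unquoted --modules=${GRUB_MODULES} from post #1 fails while the quoted --modules="..." form works: the shell splits an unquoted value on spaces, and grub-install treats every non-option argument as an install device. parse_like_grub_install is a hypothetical, simplified stand-in for that argument handling, and the module list is a constructed sample.

```shell
#!/bin/sh
# Hypothetical, simplified model of grub-install's argument handling:
# any argument that is not a --option counts as an install device, and a
# second install device is an error. Options that take their value as a
# separate word (e.g. "--sbat FILE") are not modelled here.
parse_like_grub_install() {
    devices=0
    for arg in "$@"; do
        case "$arg" in
            --*) ;;                          # an option such as --name=value
            *)   devices=$((devices + 1)) ;; # positional argument
        esac
    done
    if [ "$devices" -gt 1 ]; then
        echo "error: More than one install device?"
        return 1
    fi
    echo "ok: $devices install device(s)"
}

# Constructed sample: a space-separated module list kept in a variable.
GRUB_MODULES="all_video boot btrfs cat"

# Reports how many separate words a command would receive.
count_args() { echo "$#"; }

# Unquoted expansion: the shell splits the value, so only "all_video" stays
# attached to --modules= and "boot", "btrfs", "cat" become positional words.
unquoted_result() {
    parse_like_grub_install --target=x86_64-efi --efi-directory=/boot/efi \
        --modules=${GRUB_MODULES}
}

# Quoted expansion: the whole list reaches --modules= as one argument.
quoted_result() {
    parse_like_grub_install --target=x86_64-efi --efi-directory=/boot/efi \
        --modules="${GRUB_MODULES}"
}

echo "unquoted: $(count_args --modules=${GRUB_MODULES}) word(s)"
unquoted_result || true
echo "quoted:   $(count_args --modules="${GRUB_MODULES}") word(s)"
quoted_result
```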

#3 2023-03-18 02:03:10

Gravydigger
Member
Registered: 2023-03-17
Posts: 8

Re: [SOLVED] Difficult implementing secure boot with GRUB

Thanks for your reply!

I reverted my changes in /etc/profile and included all of the modules in the command line (all of the basic modules, as well as play, tpm, cryptodisk, luks, and lvm).

After updating grub and rebooting, I was able to get into GRUB (yay), although it seems like I still needed to do some work (the border was replaced with ?).

I continued into Arch Linux, only to have the following show up:

Loading Linux linux-lts ...
error: shim_lock protocol not found.
Loading initial ramdisk ...
error: you need to load the kernel first.

Press any key to continue...

I disabled Secure Boot and ran grub-install with --disable-shim-lock. It resulted with my laptop asking me which bootloader I want to load, but never actually entering said bootloader.

I then proceeded to install shim_signed and copied the corresponding files into the boot bundle (not sure if that's the correct term), signed everything with sbctl, and tried again:

Loading Linux linux-lts ...
error: bad shim signature.
Loading initial ramdisk ...
error: you need to load the kernel first.

Press any key to continue...

As a sanity check, should I just follow the wiki and set up shim with a key, and stop using sbctl?

Thanks for dealing with my newbness ^^;

#4 2023-03-18 13:46:41

espritlibre
Member
Registered: 2022-12-15
Posts: 35

Re: [SOLVED] Difficult implementing secure boot with GRUB

Gravydigger wrote:

I disabled Secure Boot and ran grub-install with --disable-shim-lock. It resulted with my laptop asking me which bootloader I want to load, but never actually entering said bootloader.

you can undo that

you didn't follow the wiki and are doing things upside down now. using sbctl is fine, you skipped setting up shim properly
3.2.2.1 Set up shim
3.2.2.1.2 shim with key
3.2.2.1.3 shim with key and GRUB

since you already enrolled your keys with sbctl, double check if everything needed is signed with your keys. check your boot order with efibootmgr or in the bios, if you have followed everything correctly you should boot with the "Shim" nvram entry with secure boot enabled.

Gravydigger wrote:

Thanks for dealing with my newbness ^^;

everybody is doing something for the first time, no worries

#5 2023-03-23 10:53:08

Gravydigger
Member
Registered: 2023-03-17
Posts: 8

Re: [SOLVED] Difficult implementing secure boot with GRUB

Good news, Secure boot is now working!

After properly following the correct steps, and making sure I signed /boot/vmlinuz-linux-lts, GRUB is now properly working with secure boot!

Thank you espritlibre for helping me out, I've appreciated it! :)

Now, the only thing left to do is to get GRUB to use the unicode font...