
#1 2023-06-19 14:25:30

espritlibre
Member
Registered: 2022-12-15
Posts: 129

[SOLVED] grub update breaks secure boot - error: bad shim signature.

After updating to grub-2:2.06.r566.g857af0e17-1-x86_64, my secure boot is broken.

error: bad shim signature.
error: you need to load the kernel first.

I used my favourite search engine but didn't come up with a fix. What worked: downgrading to grub-2:2.06.r499.ge67a551a4-2, followed by:

sudo grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB --modules="all_video boot btrfs cat chain configfile echo efifwsetup efinet ext2 fat font gettext gfxmenu gfxterm gfxterm_background gzio halt help hfsplus iso9660 jpeg keystatus loadenv loopback linux ls lsefi lsefimmap lsefisystab lssal luks lvm memdisk minicmd normal ntfs part_apple part_msdos part_gpt password_pbkdf2 png probe reboot regexp search search_fs_uuid search_fs_file search_label sleep smbios squash4 test true video videoinfo xfs zfs zfscrypt zfsinfo cpuid play tpm cryptodisk gcry_md5 gcry_rfc2268 gcry_sha256 gcry_sha512" --sbat /usr/share/grub/sbat.csv
sudo sbsign --key /etc/MOK/MOK.key --cert /etc/MOK/MOK.crt --output /efi/EFI/GRUB/grubx64.efi /efi/EFI/GRUB/grubx64.efi && sudo sbctl sign -s /efi/EFI/GRUB/grubx64.efi
sudo cp /efi/EFI/GRUB/grubx64.efi /boot/grubx64.efi && sudo grub-mkconfig -o /boot/grub/grub.cfg
sudo efibootmgr --unicode --disk /dev/nvme0n1p1 --create --label "Shim" --loader /EFI/GRUB/BOOTx64.efi

grub boots just fine again.

Last edited by espritlibre (2023-07-02 21:52:31)


#2 2023-06-19 16:24:41

AzureZeng
Member
Registered: 2023-01-27
Posts: 3

Re: [SOLVED] grub update breaks secure boot - error: bad shim signature.

Same problem. Thanks for giving tips.


#3 2023-06-20 10:29:59

-thc
Member
Registered: 2017-03-15
Posts: 504

Re: [SOLVED] grub update breaks secure boot - error: bad shim signature.

The same problem exists with the "CA keys" method described here: https://wiki.archlinux.org/title/GRUB#S … ot_support

The first error is something along the lines of "error loading image" instead.

Workaround: downgrading, followed by grub-install/grub-mkconfig and signing the EFI binary (complete rollback to r499).


#4 2023-06-20 22:08:03

Rayshabh
Member
From: Proxima Centauri b
Registered: 2022-04-07
Posts: 38

Re: [SOLVED] grub update breaks secure boot - error: bad shim signature.

-thc wrote:

The same problem exists with the "CA keys" method described here: https://wiki.archlinux.org/title/GRUB#S … ot_support

The first error is something along the lines of "error loading image" instead.

Workaround: downgrading, followed by grub-install/grub-mkconfig and signing the EFI binary (complete rollback to r499).

Yup, facing the same issue and have resolved it by downgrading to r499. Now everything is working as before, but the GRUB menu border is now replaced by weird '?' symbols. Are you all facing the same issue as mine?
I tried configuring the default font manually by setting GRUB_FONT=/boot/grub/fonts/unicode.pf2 in /etc/default/grub and then running # grub-mkconfig -o /boot/grub/grub.cfg, but the problem still persists.


#5 2023-06-21 06:10:45

AzureZeng
Member
Registered: 2023-01-27
Posts: 3

Re: [SOLVED] grub update breaks secure boot - error: bad shim signature.

Rayshabh wrote:
-thc wrote:

The same problem exists with the "CA keys" method described here: https://wiki.archlinux.org/title/GRUB#S … ot_support

The first error is something along the lines of "error loading image" instead.

Workaround: downgrading, followed by grub-install/grub-mkconfig and signing the EFI binary (complete rollback to r499).

Yup, facing the same issue and have resolved it by downgrading to r499. Now everything is working as before, but the GRUB menu border is now replaced by weird '?' symbols. Are you all facing the same issue as mine?
I tried configuring the default font manually by setting GRUB_FONT=/boot/grub/fonts/unicode.pf2 in /etc/default/grub and then running # grub-mkconfig -o /boot/grub/grub.cfg, but the problem still persists.

You need to use OpenPGP to sign all the files GRUB needs, otherwise the font file will not load.


#6 2023-06-25 12:19:06

Brainos
Member
Registered: 2023-06-22
Posts: 3

Re: [SOLVED] grub update breaks secure boot - error: bad shim signature.

There isn't any way to fix this for now other than downgrading grub, so I switched to rEFInd.
I copied my MOK cert and key files into /etc/refind.d/keys and installed rEFInd as described at https://wiki.archlinux.org/title/REFInd … _Owner_Key. Now secure boot works again.


#7 2023-06-25 15:54:48

Jark5455
Member
Registered: 2023-06-22
Posts: 4

Re: [SOLVED] grub update breaks secure boot - error: bad shim signature.

I first thought it was an issue with the actual shim signature, since the shim-signed package on the AUR expired on Dec 5 2022, but it appears that even with Ubuntu's shim EFI it's still not working.


#8 2023-06-25 18:25:07

Rayshabh
Member
From: Proxima Centauri b
Registered: 2022-04-07
Posts: 38

Re: [SOLVED] grub update breaks secure boot - error: bad shim signature.

Brainos wrote:

There isn't any way to fix this for now other than downgrading grub, so I switched to rEFInd.
I copied my MOK cert and key files into /etc/refind.d/keys and installed rEFInd as described at https://wiki.archlinux.org/title/REFInd … _Owner_Key. Now secure boot works again.

Yep, instead of scratching my head trying to fix the problem, I chose to remove GRUB and install systemd-boot instead!


#9 2023-06-25 18:26:00

Rayshabh
Member
From: Proxima Centauri b
Registered: 2022-04-07
Posts: 38

Re: [SOLVED] grub update breaks secure boot - error: bad shim signature.

Jark5455 wrote:

I first thought it was an issue with the actual shim signature, since the shim-signed package on the AUR expired on Dec 5 2022, but it appears that even with Ubuntu's shim EFI it's still not working.

The problem is with GRUB and not with SHIM.


#10 2023-06-25 19:27:33

39773ea052d3f918e11789200
Member
Registered: 2023-06-25
Posts: 3

Re: [SOLVED] grub update breaks secure boot - error: bad shim signature.

I had the same issue, although I have a slightly different configuration. I have secure boot enabled, but also with an encrypted boot partition. Reverting back to r499 fixed the issue.


#11 2023-06-25 21:00:39

xerxes_
Member
Registered: 2018-04-29
Posts: 681

Re: [SOLVED] grub update breaks secure boot - error: bad shim signature.

I have to ask to confirm: the new version of grub breaks secure boot, but if the boot partition is not encrypted, is the system still bootable?


#12 2023-06-26 05:41:45

Rayshabh
Member
From: Proxima Centauri b
Registered: 2022-04-07
Posts: 38

Re: [SOLVED] grub update breaks secure boot - error: bad shim signature.

39773ea052d3f918e11789200 wrote:

I had the same issue, although I have a slightly different configuration. I have secure boot enabled, but also with an encrypted boot partition. Reverting back to r499 fixed the issue.

Yup, it works after reverting back to r499, but then I was not able to produce the border line around the GRUB menu like I had before. The border line was replaced by weird '?' symbols. The 'Up' and 'Down' arrows were also replaced by '?' symbols.


#13 2023-06-26 05:42:33

Rayshabh
Member
From: Proxima Centauri b
Registered: 2022-04-07
Posts: 38

Re: [SOLVED] grub update breaks secure boot - error: bad shim signature.

xerxes_ wrote:

I have to ask to confirm: the new version of grub breaks secure boot, but if the boot partition is not encrypted, is the system still bootable?

Yeah, it is bootable with or without encryption.


#14 2023-06-26 13:29:43

Brainos
Member
Registered: 2023-06-22
Posts: 3

Re: [SOLVED] grub update breaks secure boot - error: bad shim signature.

xerxes_ wrote:

I have to ask to confirm: the new version of grub breaks secure boot, but if the boot partition is not encrypted, is the system still bootable?

No, my partition is not encrypted and I am not using LVM, but secure boot still does not work when using grub r566.


#15 2023-06-26 14:42:45

Jark5455
Member
Registered: 2023-06-22
Posts: 4

Re: [SOLVED] grub update breaks secure boot - error: bad shim signature.

Hmm, I checked the patch, all it does is add __grub_efi_api to EFI API calls: https://lists.gnu.org/archive/html/grub … 00092.html

Last edited by Jark5455 (2023-06-26 14:44:18)


#16 2023-06-28 09:59:09

Rayshabh
Member
From: Proxima Centauri b
Registered: 2022-04-07
Posts: 38

Re: [SOLVED] grub update breaks secure boot - error: bad shim signature.

Brainos wrote:
xerxes_ wrote:

I have to ask to confirm: the new version of grub breaks secure boot, but if the boot partition is not encrypted, is the system still bootable?

No, my partition is not encrypted and I am not using LVM, but secure boot still does not work when using grub r566.

Downgrade to GRUB r499 and redo these steps:

# grub-install --target=x86_64-efi --efi-directory=esp --modules="${GRUB_MODULES}" --sbat /usr/share/grub/sbat.csv
# sbsign --key MOK.key --cert MOK.crt --output esp/EFI/GRUB/grubx64.efi esp/EFI/GRUB/grubx64.efi
# cp esp/EFI/GRUB/grubx64.efi esp/EFI/BOOT/grubx64.efi
# grub-mkconfig -o /boot/grub/grub.cfg
# efibootmgr --unicode --disk /dev/sdX --part Y --create --label "Shim" --loader /EFI/BOOT/BOOTx64.EFI

Note: replace GRUB_MODULES with the modules needed for your system. For more info, please refer to https://wiki.archlinux.org/title/Unifie … y_and_GRUB.
Also replace X and Y according to your boot partition.
For instance, on my system it is sda1.


#17 2023-06-29 16:45:43

ua4000
Member
Registered: 2015-10-14
Posts: 421

Re: [SOLVED] grub update breaks secure boot - error: bad shim signature.

Is there a bug open? Which one? If not, it would be great if someone affected could create one:
https://bugs.archlinux.org/?project=1&string=grub
and use an existing bug as an example of how it's done.

Downgrading grub is no long-term solution ...


#18 2023-06-30 19:08:30

espritlibre
Member
Registered: 2022-12-15
Posts: 129

Re: [SOLVED] grub update breaks secure boot - error: bad shim signature.

I just created the bug report; you can vote it up here

Mod edit: please do not link to the vote url, link to the bug itself and let people manually vote if they want to -- WorMzy

EDIT:
The devs fixed it, here's the patch.
I'm currently running grub-2:2.06.r566.g857af0e17-1-x86_64 with the patch applied and secure boot works again.

Last edited by espritlibre (2023-07-02 22:11:13)


#19 2023-07-04 11:13:24

agapito
Member
From: Who cares.
Registered: 2008-11-13
Posts: 664

Re: [SOLVED] grub update breaks secure boot - error: bad shim signature.

I tried grub 2:2.06.r591.g6425c12cd-1 from core-testing with no luck.

Is this really solved for you guys?

Last edited by agapito (2023-07-04 11:13:43)


Excuse my poor English.


#20 2023-07-05 12:39:43

espritlibre
Member
Registered: 2022-12-15
Posts: 129

Re: [SOLVED] grub update breaks secure boot - error: bad shim signature.

agapito wrote:

I tried grub 2:2.06.r591.g6425c12cd-1 from core-testing with no luck.

Is this really solved for you guys?

It's fixed in grub-2:2.06.r591.g6425c12cd-1.


#21 2023-07-05 18:08:20

-thc
Member
Registered: 2017-03-15
Posts: 504

Re: [SOLVED] grub update breaks secure boot - error: bad shim signature.

The problem still exists with grub-2:2.06.r591.g6425c12cd-1 and the "CA keys" method described here: https://wiki.archlinux.org/title/GRUB#S … ot_support

At first grub seems to load the images (without an error message) but jumps straight back to its menu.
The second try yields the error "Load the kernel image first" (or similar) before jumping back.

Workaround: downgrading, followed by grub-install/grub-mkconfig and signing the EFI binary (complete rollback to r499).


#22 2023-07-05 18:32:34

agapito
Member
From: Who cares.
Registered: 2008-11-13
Posts: 664

Re: [SOLVED] grub update breaks secure boot - error: bad shim signature.

-thc wrote:

Workaround: downgrading, followed by grub-install/grub-mkconfig and signing the EFI binary (complete rollback to r499).

That is what I did too.


Excuse my poor English.


#23 2023-07-05 20:12:51

39773ea052d3f918e11789200
Member
Registered: 2023-06-25
Posts: 3

Re: [SOLVED] grub update breaks secure boot - error: bad shim signature.

Agreed, fix didn't work.
Proof: https://imgur.com/a/S2BCvVJ

This is with a new .efi file built:

sudo grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub --modules="tpm" --disable-shim-lock
sudo grub-mkconfig -o /boot/grub/grub.cfg
sudo sbctl sign -s /boot/efi/EFI/grub/grubx64.efi


#24 2023-07-06 17:15:04

Zedeldi
Member
Registered: 2023-07-06
Posts: 1

Re: [SOLVED] grub update breaks secure boot - error: bad shim signature.

Since grub-2:2.06.r591, this issue appears to be resolved for me. All required grub modules must be embedded in the EFI binary though, as described in the wiki:

grub_modules="all_video boot btrfs cat chain configfile echo efifwsetup efinet \
ext2 fat font gettext gfxmenu gfxterm gfxterm_background gzio halt help hfsplus \
iso9660 jpeg keystatus loadenv loopback linux ls lsefi lsefimmap lsefisystab \
lssal memdisk minicmd normal ntfs part_apple part_msdos part_gpt password_pbkdf2 \
png probe reboot regexp search search_fs_uuid search_fs_file search_label sleep \
smbios squash4 test true video xfs zfs zfscrypt zfsinfo cpuid play tpm cryptodisk \
gcry_arcfour gcry_blowfish gcry_camellia gcry_cast5 gcry_crc gcry_des gcry_dsa \
gcry_idea gcry_md4 gcry_md5 gcry_rfc2268 gcry_rijndael gcry_rmd160 gcry_rsa \
gcry_seed gcry_serpent gcry_sha1 gcry_sha256 gcry_sha512 gcry_tiger gcry_twofish \
gcry_whirlpool luks lvm mdraid09 mdraid1x raid5rec raid6rec"

grub-install --target=x86_64-efi --efi-directory=/boot/esp --bootloader-id=GRUB --modules="${grub_modules}" --sbat /usr/share/grub/sbat.csv
grub-mkconfig -o /boot/grub/grub.cfg
sbsign --key MOK.key --cert MOK.crt --output /boot/esp/EFI/GRUB/grubx64.efi /boot/esp/EFI/GRUB/grubx64.efi

Using the above code, with a signed kernel, I am able to boot with secure boot enabled with no issues.


#25 2023-07-06 19:23:49

39773ea052d3f918e11789200
Member
Registered: 2023-06-25
Posts: 3

Re: [SOLVED] grub update breaks secure boot - error: bad shim signature.

Zedeldi wrote:

Since grub-2:2.06.r591, this issue appears to be resolved for me. All required grub modules must be embedded in the EFI binary though, as described in the wiki:

grub_modules="all_video boot btrfs cat chain configfile echo efifwsetup efinet \
ext2 fat font gettext gfxmenu gfxterm gfxterm_background gzio halt help hfsplus \
iso9660 jpeg keystatus loadenv loopback linux ls lsefi lsefimmap lsefisystab \
lssal memdisk minicmd normal ntfs part_apple part_msdos part_gpt password_pbkdf2 \
png probe reboot regexp search search_fs_uuid search_fs_file search_label sleep \
smbios squash4 test true video xfs zfs zfscrypt zfsinfo cpuid play tpm cryptodisk \
gcry_arcfour gcry_blowfish gcry_camellia gcry_cast5 gcry_crc gcry_des gcry_dsa \
gcry_idea gcry_md4 gcry_md5 gcry_rfc2268 gcry_rijndael gcry_rmd160 gcry_rsa \
gcry_seed gcry_serpent gcry_sha1 gcry_sha256 gcry_sha512 gcry_tiger gcry_twofish \
gcry_whirlpool luks lvm mdraid09 mdraid1x raid5rec raid6rec"

grub-install --target=x86_64-efi --efi-directory=/boot/esp --bootloader-id=GRUB --modules="${grub_modules}" --sbat /usr/share/grub/sbat.csv
grub-mkconfig -o /boot/grub/grub.cfg
sbsign --key MOK.key --cert MOK.crt --output /boot/esp/EFI/GRUB/grubx64.efi /boot/esp/EFI/GRUB/grubx64.efi

Using the above code, with a signed kernel, I am able to boot with secure boot enabled with no issues.

Ah yes, so it now works after signing the kernel (which wasn't required before):

sudo sbctl sign -s /boot/vmlinuz-linux

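Posts #24 and #25 show that with shim_lock every image GRUB hands to shim, the kernel included, must carry an Authenticode signature. The following is an added example (not from the thread or the Arch wiki) that parses the PE header of each image and reports which ones carry no signature block at all, so a forgotten `sbsign`/`sbctl sign` step is caught before rebooting. It checks presence only, not validity against MOK/db (use sbverify for that); the default paths /efi/EFI/GRUB/grubx64.efi and /boot/vmlinuz-linux and the `make_test_pe` helper are assumptions and constructed test data.

```python
"""Report which boot images carry no Authenticode signature block (presence only, not validity)."""
import struct
import sys

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
CERT_TABLE_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY in the data directories


def authenticode_size(data: bytes) -> int:
    """Size of the PE Certificate Table; 0 means the image is unsigned."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 24  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        dirs = opt + 96   # data directories start after the PE32 fixed fields
    elif magic == PE32PLUS_MAGIC:
        dirs = opt + 112  # PE32+ fixed fields are 16 bytes longer (64-bit sizes)
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    n_dirs = struct.unpack_from("<I", data, dirs - 4)[0]  # NumberOfRvaAndSizes
    if n_dirs <= CERT_TABLE_INDEX:
        return 0
    _offset, size = struct.unpack_from("<II", data, dirs + CERT_TABLE_INDEX * 8)
    return size


def unsigned_components(images: dict) -> list:
    """Names of images (name -> file bytes) that shim_lock would reject as unsigned."""
    return [name for name, data in images.items() if authenticode_size(data) == 0]


def make_test_pe(cert_size: int, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header for the self-test; not a bootable image."""
    e_lfanew = 0x40
    hdr = bytearray(b"MZ" + b"\0" * (0x3C - 2)) + struct.pack("<I", e_lfanew)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, 0)  # COFF header
    fixed = 112 if pe32plus else 96
    opt = bytearray(fixed)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, fixed - 4, 16)  # NumberOfRvaAndSizes
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, CERT_TABLE_INDEX * 8, 0x4000, cert_size)
    return bytes(hdr + opt + dirs)


if __name__ == "__main__":  # assumed default paths; pass others as arguments
    paths = sys.argv[1:] or ["/efi/EFI/GRUB/grubx64.efi", "/boot/vmlinuz-linux"]
    images = {p: open(p, "rb").read() for p in paths}
    print("unsigned:", unsigned_components(images) or "none")
```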
