I've set up a dual boot Arch Linux installation on my Dell 7420 laptop. Windows was already installed. The steps I followed were:
Disabled Secure Boot
Used the same ESP as Windows. Had initially mounted ESP at /boot, but there was not enough space, so I re-installed and pointed to /efi. Later I also found some steps to expand the ESP, which I did
Installed Arch with GRUB
On booting, GRUB comes up and I can go to either Windows or Arch
I followed the instructions on the wiki to enable secure boot. But when I turn secure boot on, it boots directly to Windows. In fact, when it did not work, I pretty much did it over and over again with similar posts from other sites, like this one
My UEFI is FreeRTOs, and it does not have an obvious Setup Mode. I wonder if I made a mistake there. It has the following options:
Secure Mode which can be enabled or disabled
Secure Mode further has a Deployed Mode and an Audit Mode. The help text says that the Audit Mode should be chosen to make any changes to the keys
Then there is a Custom mode. This has to be enabled to be able to delete keys.
To run the sbctl steps, I disabled Secure Mode and selected Audit Mode. Then to delete the keys, I enabled the Custom Mode. The Audit Mode switched back to Deployed Mode on its own. Then I deleted all the keys and saved my changes
I ran all the steps in the wiki. Used the sed command to sign all the files. sbctl verify shows all files as signed. The vmlinuz file was not signed, so I signed it with sbctl sign -s
When I enable Secure Boot and disable the Custom Mode, the system boots straight to Windows. GRUB is still above Windows in the UEFI boot loaders list. The grubx64.efi is signed and that is what the UEFI GRUB option is referring to.
After doing a lot of research online, the only thing I could notice was that some files needed for booting are on /boot, not on /efi (which is my ESP). I'm not sure if this matters.
Or is it because I did not keep Audit Mode on in the Firmware?
Or is it because I have not created a UKI? But the wiki does not say it is required.
Thanks
Last edited by ArchStruggler (2024-03-23 18:10:53)
Did you follow https://wiki.archlinux.org/title/GRUB#S … ot_support?
It's probably best to share the actual command output and configuration files rather than vague descriptions.
Last edited by Head_on_a_Stick (2024-03-23 19:48:51)
"Austerity is the idea that the global financial crash of 2008 was caused by there being too many libraries in Wolverhampton."
— Alexei Sayle
Thanks for the response. I'm posting below all the commands and their output. I've removed all the lines from the output of sbctl verify and sbctl sign -s that listed .mui and .dll files as they are too numerous. If you need those, I can post them also.
I started by putting the firmware in Custom Mode and deleting all the keys. Then after booting up, I ran the following
[root@my-dell ~]# rm -rf /usr/share/secureboot/
[root@my-dell ~]# grub-install --target=x86_64-efi --efi-directory=esp --bootloader-id=GRUB --modules="tpm" --disable-shim-lock
Installing for x86_64-efi platform.
grub-install: error: esp doesn't look like an EFI partition.
[root@my-dell ~]# grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB --modules="tpm" --disable-shim-lock
Installing for x86_64-efi platform.
Installation finished. No error reported.
[root@my-dell ~]# grub-mkconfig -o /boot/grub/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-linux
Found initrd image: /boot/intel-ucode.img /boot/initramfs-linux.img
Warning: os-prober will be executed to detect other bootable partitions.
Its output will be used to detect bootable binaries on them and create new boot entries.
Found Windows Boot Manager on /dev/nvme0n1p1@/EFI/Microsoft/Boot/bootmgfw.efi
Adding boot menu entry for UEFI Firmware Settings ...
done
[root@my-dell ~]# sbctl status
Installed: ✗ sbctl is not installed
Setup Mode: ✗ Enabled
Secure Boot: ✗ Disabled
Vendor Keys: none
[root@my-dell ~]# sbctl create-keys
Created Owner UUID 66e317bb-50a1-4f75-a7ae-b6a0dfa59772
Creating secure boot keys...✓
Secure boot keys created!
[root@my-dell ~]# sbctl enroll-keys -m
Enrolling keys to EFI variables...
With vendor keys from microsoft...✓
Enrolled keys to the EFI variables!
[root@my-dell ~]# sbctl status
Installed: ✓ sbctl is installed
Owner GUID: 66e317bb-50a1-4f75-a7ae-b6a0dfa59772
Setup Mode: ✓ Disabled
Secure Boot: ✗ Disabled
Vendor Keys: microsoft
[root@my-dell ~]# sbctl verify
Verifying file database and EFI images in /efi...
✗ /efi/EFI/Boot/bootx64.efi is not signed
✗ /efi/EFI/Dell/SOS/Resources/bootres.dll is not signed
✗ /efi/EFI/Dell/SOS/Resources/en-US/bootres.dll.mui is not signed
✗ /efi/EFI/Dell/SOS/Resources/es-ES/bootres.dll.mui is not signed
etc etc
[root@my-dell ~]# sbctl verify | sed 's/✗ /sbctl sign -s /e'
Verifying file database and EFI images in /efi...
✓ Signed /efi/EFI/Boot/bootx64.efi
✓ Signed /efi/EFI/Dell/SOS/bootmgfw.efi
✓ Signed /efi/EFI/Dell/SOS/bootmgr.efi
✓ Signed /efi/EFI/Dell/SOS/bootx64.efi
✓ Signed /efi/EFI/Dell/SOS/memtest.efi
✓ Signed /efi/EFI/GRUB/grubx64.efi
✓ Signed /efi/EFI/Microsoft/Boot/bootmgfw.efi
✓ Signed /efi/EFI/Microsoft/Boot/bootmgr.efi
✓ Signed /efi/EFI/Microsoft/Boot/cbmr_driver.efi
✓ Signed /efi/EFI/Microsoft/Boot/memtest.efi
[root@my-dell ~]# sbctl sign -s /boot/vmlinuz-linux
✓ Signed /boot/vmlinuz-linux
[root@my-dell ~]# sbctl status
Installed: ✓ sbctl is installed
Owner GUID: 66e317bb-50a1-4f75-a7ae-b6a0dfa59772
Setup Mode: ✓ Disabled
Secure Boot: ✗ Disabled
Vendor Keys: microsoft
I then enabled Secure Mode and disabled Custom Mode. Upon booting, the system went straight to Windows.
Then I disabled Secure Boot and booted into Arch Linux again.
After reboot with Secure Mode disabled:
[root@my-dell ~]# sbctl status
Installed: ✓ sbctl is installed
Owner GUID: 66e317bb-50a1-4f75-a7ae-b6a0dfa59772
Setup Mode: ✓ Disabled
Secure Boot: ✗ Disabled
Vendor Keys: microsoft builtin-db builtin-db builtin-KEK builtin-PK
Do let me know if you need any more information. Thanks in advance for helping out!
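The "Setup Mode" and "Secure Boot" lines in the sbctl status output above are read from EFI variables, and the Audit/Deployed modes the Dell firmware menu talks about are exposed the same way. The script below is an added example, not part of the thread or of sbctl: it decodes those variables from efivarfs the way sbctl status does. The directory is assumed to be the standard /sys/firmware/efi/efivars mount (overridable through EFIVARS); the make_var helper only writes constructed files for testing.

```shell
#!/bin/sh
# Added example, not from the thread: read the Secure Boot state variables
# the same way `sbctl status` does, straight from efivarfs. Each file there
# is 4 bytes of little-endian attribute flags followed by the payload; for
# SecureBoot, SetupMode, AuditMode and DeployedMode (all in the
# EFI_GLOBAL_VARIABLE namespace) the payload is a single byte, 0 or 1.
set -eu

GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c
# Assumption: the real efivarfs mount; the tests point this at a temp dir.
EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}

# Print the payload byte of a one-byte variable, or "-" if it is absent.
var_byte() {
  local f="$1/$2-$GLOBAL_GUID"
  if [ -r "$f" ]; then od -An -tu1 -j4 -N1 "$f" | tr -d ' '; else echo -; fi
}

# Classify the key-management mode from SetupMode/AuditMode/DeployedMode
# (UEFI 2.5 "Secure Boot Modes"):
#   audit    - SetupMode=1, AuditMode=1: images are not enforced and the
#              PK/KEK/db/dbx can be changed without authentication
#   setup    - SetupMode=1, no PK enrolled: `sbctl enroll-keys` works here
#   deployed - DeployedMode=1: PK enrolled and mode transitions locked
#   user     - PK enrolled, AuditMode/DeployedMode 0 or not exposed
sb_mode() {
  local dir=$1 setup audit deployed
  setup=$(var_byte "$dir" SetupMode)
  audit=$(var_byte "$dir" AuditMode)
  deployed=$(var_byte "$dir" DeployedMode)
  if [ "$audit" = 1 ]; then echo audit
  elif [ "$setup" = 1 ]; then echo setup
  elif [ "$deployed" = 1 ]; then echo deployed
  else echo user; fi
}

# "enabled" when the firmware will enforce db/dbx on the next image load.
sb_enforcing() {
  case $(var_byte "$1" SecureBoot) in 1) echo enabled ;; *) echo disabled ;; esac
}

# Write a constructed one-byte variable for testing: attributes BS|RT (0x6),
# which is what firmware reports for these volatile variables, then the byte.
make_var() {
  local dir=$1 name=$2 val=$3
  printf '\006\000\000\000' > "$dir/$name-$GLOBAL_GUID"
  printf "\\$(printf '%03o' "$val")" >> "$dir/$name-$GLOBAL_GUID"
}

# Stand-alone use: report the live state (needs root on a UEFI system).
if [ -d "$EFIVARS" ]; then
  echo "secure boot: $(sb_enforcing "$EFIVARS"), mode: $(sb_mode "$EFIVARS")"
fi
```

If AuditMode and DeployedMode come back as "-", the firmware predates UEFI 2.5 or does not expose them, and the menu labels in the Dell setup do not map onto anything the OS can observe beyond SetupMode.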
Will GRUB start with SecureBoot enabled if you copy grubx64.efi to /dev/nvme0n1p1@/EFI/Microsoft/Boot/bootmgfw.efi? Be sure to back up the original file first so you can restore it afterwards.
Some UEFI implementations place such a high priority on that file that no others will boot. More here: https://www.rodsbooks.com/efi-bootloade … ive-naming
No, that did not work. It still booted straight to Windows.
Does any file from /efi need to be copied to /boot?
Last edited by ArchStruggler (2024-03-25 07:50:58)

The machine can't boot to Windows if you've over-written the bootloader.
Please share the exact command(s) used to replace bootmgfw.efi.
Also check the firmware options for "3rd party" SecureBoot CA authorisation, similar to https://download.lenovo.com/pccbbs/mobi … re_PCs.pdf. Some machines need them explicitly enabled for Linux to be bootable under SecureBoot.

The machine can't boot to Windows if you've over-written the bootloader. Hmm.
That was my exact thought. But here is the output of what I ran
[root@my-dell ~]# rm -rf /efibkup/
[root@my-dell ~]# cp -R /efi /efibkup
[root@my-dell ~]# ls -al /efibkup/
total 20
drwxr-xr-x 5 root root 4096 Mar 27 21:35 .
drwxr-xr-x 19 root root 4096 Mar 27 21:35 ..
drwxr-xr-x 6 root root 4096 Mar 27 21:35 EFI
drwxr-xr-x 2 root root 4096 Mar 27 21:35 'System Volume Information'
drwxr-xr-x 4 root root 4096 Mar 27 21:35 grub
[root@my-dell ~]# cp /efi/EFI/GRUB/grubx64.efi /efi/EFI/Microsoft/Boot/bootmg
bootmgfw.efi bootmgr.efi
[root@my-dell ~]# cp /efi/EFI/GRUB/grubx64.efi /efi/EFI/Microsoft/Boot/bootmgfw.efi
[root@my-dell ~]# ls -al /efi/EFI/GRUB/
total 156
drwxr-xr-x 2 root root 4096 Feb 6 11:01 .
drwxr-xr-x 6 root root 4096 Mar 7 21:33 ..
-rwxr-xr-x 1 root root 149624 Mar 25 09:57 grubx64.efi
[root@my-dell ~]# ls -al /efi/EFI/Microsoft/Boot/*.efi
-rwxr-xr-x 1 root root 149624 Mar 27 21:36 /efi/EFI/Microsoft/Boot/bootmgfw.efi
-rwxr-xr-x 1 root root 1686488 Mar 25 09:57 /efi/EFI/Microsoft/Boot/bootmgr.efi
-rwxr-xr-x 1 root root 142768 Mar 25 09:57 /efi/EFI/Microsoft/Boot/cbmr_driver.efi
-rwxr-xr-x 1 root root 1465824 Mar 25 09:57 /efi/EFI/Microsoft/Boot/memtest.efi
After enabling Secure Boot, it booted into Windows.
Is it possible that UEFI is pointing to some other file? Should I delete the Windows entry in UEFI and point it to this file?
Sorry I could not respond to you earlier, really appreciate your quick responses.
Last edited by ArchStruggler (2024-03-27 16:19:54)
Don't worry about response time, I'm in no rush :-)
We can check the boot order and associated loaders with
efibootmgr -u
If you run the command from a Debian system add -v to see the loader locations (Arch's version prints that by default).
Hello everyone and good afternoon,
#Please refer to the documentation in the systemd-boot wiki section, as this is only a representation of how I solved this issue.
I encountered the same issue as you did with enabling Secure Boot using GRUB. Despite trying various troubleshooting steps, I couldn't resolve it.
While there may be a solution to this, the workaround I found was to use systemd-boot instead of GRUB. While GRUB works outside of the UEFI firmware, bootctl creates the loader entry in the UEFI firmware itself. I would advise you to refer to the documentation, because you may have to add the Windows boot location manually: my approach has always been to install bootctl first and then install Windows so that it automatically identifies the Windows installation; otherwise you will have to write the boot entries manually, because bootctl does not recognise os-prober the way GRUB does.
Anyway, just for reference, this is how I solved the secure boot issue using a custom bootloader.
I created a backup with Timeshift, just in case something went wrong, so I could mount the drive, chroot and restore the Timeshift backup.
>sudo pacman -S timeshift
I created a backup.
>sudo pacman -R grub
>sudo pacman -S bootctl
>sudo nano /boot/loader/entries/customloader.conf
#please refer to the "adding loaders" documentation in the systemd-boot wiki
The customloader.conf looks like this:
title ArchLinux
linux /vmlinuz-linux
initrd /initramfs-linux.img
options root=UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx rw nvidia-drm.modeset=1
and I edited
>sudo nano /boot/loader/loader.conf
timeout 15 #I added this so the timer allows you to switch OS
default customloader.conf #make these changes permanent
I also looked at the wiki documentation for "Signing for Secure Boot/pacman hook", which can be another viable way to explore.
Then it seems going to the BIOS and enrolling could be an option, which I will have to try in future myself.
I would again request and advise you to refer to the documentation in the wiki, "Signing for Secure Boot/pacman hook":
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=securebootkey"
#sbsign --cert wants the certificate in PEM form, so convert the DER file first
openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem
sudo sbsign --key MOK.priv --cert MOK.pem --output /boot/efi/EFI/grub/grubx64.efi /boot/efi/EFI/grub/grubx64.efi
sudo nano /etc/pacman.d/hooks/99-sign-grub.hook
[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = grub
[Action]
Description = Signing GRUB files for Secure Boot
When = PostTransaction
#pacman runs hooks from /, so give the key and certificate by absolute path, wherever you keep them
Exec = /usr/bin/sbsign --key MOK.priv --cert MOK.pem --output /boot/efi/EFI/grub/grubx64.efi /boot/efi/EFI/grub/grubx64.efi
>sudo chmod +x /etc/pacman.d/hooks/99-sign-grub.hook
Last edited by RWizard (2024-03-28 05:32:57)
We can check the boot order and associated loaders with
Please find the output below
[root@my-dell ~]# efibootmgr -u
BootCurrent: 0002
Timeout: 0 seconds
BootOrder: 0002,0003,0000,0001,0000
Boot0000* Uefi HTTPs Boot (PlaceHolder) PciRoot(0x0)/Pci(0x1f,0x6)/MAC(000000000000,0)/IPv4(0.0.0.0,0,DHCP,0.0.0.0,0.0.0.0,0.0.0.0)/Uri()걎脈鼑䵙ⱒ뉙
Boot0001* UEFI RST PC711 NVMe SK hynix 512GB JACN49081050CA5Z HD(1,GPT,b6abf2fe-eab5-4d7d-9311-0679ba18089c,0x800,0x3cb000)/\EFI\Boot\BootX64.efi걎脈鼑䵙ⱒ뉙
Boot0002* GRUB HD(1,GPT,b6abf2fe-eab5-4d7d-9311-0679ba18089c,0x800,0x3cb000)/\EFI\GRUB\grubx64.efi
Boot0003* Windows Boot Loader PciRoot(0x0)/Pci(0xe,0x0)/NVMe(0x1,AC-E4-2E-00-16-8F-7E-2A)/HD(1,GPT,b6abf2fe-eab5-4d7d-9311-0679ba18089c,0x800,0x3cb000)/\EFI\Boot\bootx64.efi
Boot0004* Windows Boot Manager HD(1,GPT,da12a9e3-99e8-42e4-b00b-a2bfda4e7245,0x800,0x3ca000)/\EFI\Microsoft\Boot\bootmgfw.efi䥗䑎坏S
Boot0006* Windows PciRoot(0x0)/Pci(0xe,0x0)/NVMe(0x1,AC-E4-2E-00-16-8F-7E-2A)/HD(1,GPT,b6abf2fe-eab5-4d7d-9311-0679ba18089c,0x800,0x3cb000)/\EFI\Boot\bootx64.efi
[root@my-dell ~]#
I think at some point in my installation (maybe after expanding the ESP) both Windows and GRUB vanished from the boot sequence. Then I added them manually. Not sure if I made a mistake there. I don't recall which file I pointed Windows to, but most probably it was bootx64.efi

Please refer to the documentation in the systemd-boot WIKI section as this is only a representation of how i solved this issue.
Thanks much for providing an alternative to GRUB. I'd like to see if GRUB can work with secure boot and if not, I will definitely try what you have suggested.
Looks like you have two EFI system partitions.
Can we see
blkid
[root@my-dell ~]# blkid
/dev/nvme0n1p7: LABEL="DELLSUPPORT" BLOCK_SIZE="512" UUID="2AD81FE0D81FA959" TYPE="ntfs" PARTUUID="1fb16e26-0ac8-4201-891c-120f4fd18afc"
/dev/nvme0n1p5: UUID="e38f5746-b3c5-431f-a9ed-77afb8df4cf2" BLOCK_SIZE="4096" TYPE="ext4" PARTLABEL="Basic data partition" PARTUUID="2de8afcd-e95c-404d-871a-4d874a91360f"
/dev/nvme0n1p3: LABEL="OS" BLOCK_SIZE="512" UUID="5EDE1724DE16F3CD" TYPE="ntfs" PARTLABEL="Basic data partition" PARTUUID="41611ef2-cea7-4c41-9a8a-4c329e1c3651"
/dev/nvme0n1p1: UUID="F72B-7653" BLOCK_SIZE="512" TYPE="vfat" PARTLABEL="EFI system partition" PARTUUID="b6abf2fe-eab5-4d7d-9311-0679ba18089c"
/dev/nvme0n1p6: LABEL="WINRETOOLS" BLOCK_SIZE="512" UUID="8A9826F79826E185" TYPE="ntfs" PARTUUID="755270ec-5974-46ea-8d47-12b71a43fa41"
/dev/nvme0n1p4: UUID="ab5906a3-3a71-4098-95be-6defb5264c6d" BLOCK_SIZE="4096" TYPE="ext4" PARTLABEL="Basic data partition" PARTUUID="50603624-7d10-4d23-92e5-d4c105798e0c"
/dev/nvme0n1p2: PARTLABEL="Microsoft reserved partition" PARTUUID="37caf8e6-1d03-4466-8ede-5701fbea104e"
[root@my-dell ~]#
Is there any boot log I can look at? Like what happens during secure boot?
Last edited by ArchStruggler (2024-04-05 16:40:07)

The provided outputs don't make sense: they claim you are booted from grubx64.efi on /dev/nvme0n1p1, and the bootmgfw.efi Windows boot entry points to a non-existent EFI system partition. I'm stumped.
Does your motherboard firmware have an option to view SecureBoot logs? I've never heard of such a thing.
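The mismatch called out above (an entry whose HD(...) node names a GPT partition GUID that blkid does not list, and "Windows" entries that point at the fallback \EFI\Boot\bootx64.efi rather than bootmgfw.efi) can be checked mechanically. The script below is an added example, not part of the thread: it parses efibootmgr and blkid output, marks entries whose partition GUID is unknown, and audits BootOrder. The embedded sample is the efibootmgr and blkid output from the posts above, trimmed (the optional-data characters after each loader path are dropped and blkid is cut to the ESP and the Windows partition); on a live system feed it `efibootmgr -u` and `blkid` instead.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check `efibootmgr -u` entries
# against `blkid` so that a boot entry pointing at a partition that no
# longer exists stands out, and sanity-check BootOrder.
set -eu

# Constructed sample: efibootmgr -u output copied from the thread, with the
# optional-data characters after the loader paths removed.
EFIBOOTMGR_SAMPLE=$(cat <<'EOF'
BootCurrent: 0002
Timeout: 0 seconds
BootOrder: 0002,0003,0000,0001,0000
Boot0000* Uefi HTTPs Boot (PlaceHolder) PciRoot(0x0)/Pci(0x1f,0x6)/MAC(000000000000,0)/IPv4(0.0.0.0,0,DHCP,0.0.0.0,0.0.0.0,0.0.0.0)/Uri()
Boot0001* UEFI RST PC711 NVMe SK hynix 512GB JACN49081050CA5Z HD(1,GPT,b6abf2fe-eab5-4d7d-9311-0679ba18089c,0x800,0x3cb000)/\EFI\Boot\BootX64.efi
Boot0002* GRUB HD(1,GPT,b6abf2fe-eab5-4d7d-9311-0679ba18089c,0x800,0x3cb000)/\EFI\GRUB\grubx64.efi
Boot0003* Windows Boot Loader PciRoot(0x0)/Pci(0xe,0x0)/NVMe(0x1,AC-E4-2E-00-16-8F-7E-2A)/HD(1,GPT,b6abf2fe-eab5-4d7d-9311-0679ba18089c,0x800,0x3cb000)/\EFI\Boot\bootx64.efi
Boot0004* Windows Boot Manager HD(1,GPT,da12a9e3-99e8-42e4-b00b-a2bfda4e7245,0x800,0x3ca000)/\EFI\Microsoft\Boot\bootmgfw.efi
Boot0006* Windows PciRoot(0x0)/Pci(0xe,0x0)/NVMe(0x1,AC-E4-2E-00-16-8F-7E-2A)/HD(1,GPT,b6abf2fe-eab5-4d7d-9311-0679ba18089c,0x800,0x3cb000)/\EFI\Boot\bootx64.efi
EOF
)

# Constructed sample: blkid output from the thread, trimmed to two partitions.
BLKID_SAMPLE=$(cat <<'EOF'
/dev/nvme0n1p1: UUID="F72B-7653" BLOCK_SIZE="512" TYPE="vfat" PARTLABEL="EFI system partition" PARTUUID="b6abf2fe-eab5-4d7d-9311-0679ba18089c"
/dev/nvme0n1p3: LABEL="OS" BLOCK_SIZE="512" UUID="5EDE1724DE16F3CD" TYPE="ntfs" PARTLABEL="Basic data partition" PARTUUID="41611ef2-cea7-4c41-9a8a-4c329e1c3651"
EOF
)

# Print the PARTUUID of every partition on stdin (blkid format), one per line.
partuuids() { grep -o 'PARTUUID="[^"]*"' | cut -d'"' -f2; }

# For each BootXXXX entry whose device path contains a GPT HD() node print:
#   <entry> <partition guid> <loader path> <ok|dangling>
# "dangling" means no partition on this system carries that GUID, so the
# firmware can never resolve the entry (the Boot0004 case in the thread).
check_entries() {
  local efi=$1 blk=$2 known
  known=$(printf '%s\n' "$blk" | partuuids)
  printf '%s\n' "$efi" | while IFS= read -r line; do
    case $line in
      "Boot"[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]*"HD("*",GPT,"*) ;;
      *) continue ;;
    esac
    id=${line%% *}; id=${id%\*}
    guid=$(printf '%s\n' "$line" | sed 's/.*HD([0-9]*,GPT,\([0-9a-fA-F-]*\),.*/\1/')
    path=$(printf '%s\n' "$line" | sed -n 's|.*/\(\\[^ ]*\.[eE][fF][iI]\).*|\1|p')
    if printf '%s\n' "$known" | grep -qiFx "$guid"; then state=ok; else state=dangling; fi
    printf '%s %s %s %s\n' "$id" "$guid" "$path" "$state"
  done
}

# Report BootOrder problems: ids listed twice, ids that have no BootXXXX
# entry, and defined entries the firmware will never try because they are
# absent from the order.
check_order() {
  local efi=$1 order defined id
  order=$(printf '%s\n' "$efi" | sed -n 's/^BootOrder: //p' | tr ',' '\n')
  defined=$(printf '%s\n' "$efi" | sed -n 's/^Boot\([0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]\)\** .*/\1/p')
  printf '%s\n' "$order" | sort | uniq -d | sed 's/^/duplicate-in-order /'
  for id in $order; do
    printf '%s\n' "$defined" | grep -qFx "$id" || echo "undefined-in-order $id"
  done
  for id in $defined; do
    printf '%s\n' "$order" | grep -qFx "$id" || echo "not-in-order $id"
  done
}

# Stand-alone use: run both checks over the embedded sample.
check_entries "$EFIBOOTMGR_SAMPLE" "$BLKID_SAMPLE"
check_order "$EFIBOOTMGR_SAMPLE"
```

On the sample this flags Boot0004 as dangling (its GUID da12a9e3-... belongs to the ESP that existed before it was resized), shows Boot0003 and Boot0006 pointing at the fallback loader rather than \EFI\Microsoft\Boot\bootmgfw.efi, and reports that 0004 and 0006 are not in BootOrder at all while 0000 appears twice. With Secure Boot on, a firmware that falls through its boot order ends up at whichever entry it can load, which is consistent with landing in Windows via bootx64.efi.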
The motherboard has BIOS Event logs, Thermal Event logs and Power Event logs. Nothing else. I think something got messed up when I expanded the ESP. The original entry for Windows in UEFI vanished at that time, and I added another one.
The blkid and efibootmgr commands were executed with me booted into grub, though insecurely.
Do you see any solution at all?