You are not logged in.

#1 2023-03-17 11:32:08

Gravydigger
Member
Registered: 2023-03-17
Posts: 9

[SOLVED] Difficult implementing secure boot with GRUB

Hello,
After installing Arch, I've been trying to enable Secure Boot on my laptop. Using sbctl, I've managed to enroll the keys & sign the files needed for secure boot. However, as I am using GRUB, the wiki states that I need to include all of the necessary modules in the binary. Using the provided Ubuntu build script, I placed most of the modules (basic, platform-specific, and advanced) into /etc/profile as an enviroment variable.

From there, I ran the following command as root:

# grub-install --target=x86_64-efi --efi-directory=/boot/efi --modules=${GRUB_MODULES}
grub-install: error: More than one install device?

I couldn't really find any useful information on what that error meant on Google, but I managed to figure out that it probably has to do something with how my $GRUB_MODULES enviroment variable is set. I assumed that I might have duplicate modules, but re-checking shows that each module is unique.

I'd appreciate some help about where I am going wrong.

Thanks!

Last edited by Gravydigger (2023-03-23 10:54:12)

Offline

#2 2023-03-17 23:14:41

espritlibre
Member
Registered: 2022-12-15
Posts: 126

Re: [SOLVED] Difficult implementing secure boot with GRUB

undo what you have done in /etc/profile and install grub like this:
don't copy paste! read the command...

# grub-install --target=x86_64-efi --efi-directory=/path/to/efi --bootloader-id=GRUB --modules="all_video boot btrfs cat and whatever else module you need" --sbat /usr/share/grub/sbat.csv

you need to run that command whenever grub is updated followed by:

# grub-mkconfig -o /boot/grub/grub.cfg

welcome to the forum

Last edited by espritlibre (2023-03-17 23:17:00)

Offline

#3 2023-03-18 02:03:10

Gravydigger
Member
Registered: 2023-03-17
Posts: 9

Re: [SOLVED] Difficult implementing secure boot with GRUB

Thanks for you reply!

I reverted my changes in /etc/profile add included all of the modules in the command line (all of the basic modules, as well as play, tpm, cryptodisk, luks, and lvm).

After updating grub and rebooting, I was able to get ino GRUB (yay), although it seems like I still needed to do some work (the border was replaced with ?).

I continued into Arch linux, only to have the following show up:

Loading Linux linux-lts ...
error: shim_lock protocol not found.
Loading initial ramdisk ...
error: you need to load the kernel first.

Press any key to continue...

I disabled Secure Boot and ran grub-install with --disable-shim-lock. It resulted with my laptop asking me which bootloader I want to load, but never actually entering said bootloader.

I then procceeded to install shim_signed and copied the corrosponding files into the boot bundle(not sure if thats the correct term), signed everything with sbctl, and tried again:

Loading Linux linux-lts ...
error: bad shim signature.
Loading initial ramdisk ...
error: you need to load the kernel first.

Press any key to continue...

As a sanity check, should I just follow the wiki and set up shim with a key, and stop using sbctl?

Thanks for dealing with my newbness ^^;

Offline

#4 2023-03-18 13:46:41

espritlibre
Member
Registered: 2022-12-15
Posts: 126

Re: [SOLVED] Difficult implementing secure boot with GRUB

Gravydigger wrote:

I disabled Secure Boot and ran grub-install with --disable-shim-lock. It resulted with my laptop asking me which bootloader I want to load, but never actually entering said bootloader.

you can undo that

you didn't follow the wiki and doing the things upside down now. using sbctl is fine, you skipped to set up shim properly
3.2.2.1 Set up shim
3.2.2.1.2 shim with key
3.2.2.1.3 shim with key and GRUB

since you already enrolled your keys with sbctl, double check if everything needed is signed with your keys. check your boot order with efibootmgr or in the bios, if you have followed everything correctly you should boot with the "Shim" nvram entry with secure boot enabled.

Gravydigger wrote:

Thanks for dealing with my newbness ^^;

everybody is doing something for the first time, no worries

Offline

#5 2023-03-23 10:53:08

Gravydigger
Member
Registered: 2023-03-17
Posts: 9

Re: [SOLVED] Difficult implementing secure boot with GRUB

Good news, Secure boot is now working!

After properly following the correct steps, and making sure I signed /boot/vmlinuz-linux-lts, GRUB is now properly working with secure boot!

Thank you espritlibre for helping me out, I've appreciated it! smile

Now, the only thing left to do is to get GRUB to use the unicode font...

Offline

#6 2023-06-24 11:20:55

folfgirl
Member
Registered: 2022-10-07
Posts: 2

Re: [SOLVED] Difficult implementing secure boot with GRUB

what was that command I am having a hard time with grub too?

Offline

#7 2023-06-24 11:56:57

Gravydigger
Member
Registered: 2023-03-17
Posts: 9

Re: [SOLVED] Difficult implementing secure boot with GRUB

folfgirl wrote:

what was that command I am having a hard time with grub too?

I'm assuming you mean the grub-install command?

The following post has the right command.

As for the modules argument, look at the wiki here and add the appropriate modules as needed, as stated by the wiki depending on your setup.
3.2.2.1.3 shim with key and GRUB
I also recommend reading the whole section on shim from the top to make sure you're not missing anything.

In the end, I decided to use systemd-boot, since I found setting it up with secure boot to be much easier compared to GRUB.

If you do need any more help, I'd recommend making your own seperate post, considering the last message sent here was 3 months ago.

Offline

#8 2023-06-25 00:49:01

folfgirl
Member
Registered: 2022-10-07
Posts: 2

Re: [SOLVED] Difficult implementing secure boot with GRUB

Gravydigger wrote:
folfgirl wrote:

what was that command I am having a hard time with grub too?

I'm assuming you mean the grub-install command?

The following post has the right command.

As for the modules argument, look at the wiki here and add the appropriate modules as needed, as stated by the wiki depending on your setup.
3.2.2.1.3 shim with key and GRUB
I also recommend reading the whole section on shim from the top to make sure you're not missing anything.

In the end, I decided to use systemd-boot, since I found setting it up with secure boot to be much easier compared to GRUB.

If you do need any more help, I'd recommend making your own seperate post, considering the last message sent here was 3 months ago.

thanks. I agree that systemd-boot is much easier.

Offline

Board footer

Powered by FluxBB