#1 2025-04-22 22:28:35

black_dragon
Member
Registered: 2025-04-18
Posts: 25

[SOLVED] Secure Boot: Auto signing grub's EFI image after update

Hi!
I've successfully enabled Secure Boot after installation:
1) Put firmware into Setup Mode
2) Generated and enrolled keys:

sbctl create-keys
sbctl enroll-keys -m -f

3) Installed grub

grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB --modules="tpm" --disable-shim-lock

4) Signed binaries

sbctl sign -s /efi/EFI/GRUB/grubx64.efi 
sbctl sign -s /boot/vmlinuz-linux
sbctl sign-all

The wiki says that sbctl includes a pacman hook that should re-sign binaries. This is working for /boot/vmlinuz-linux (I checked by calling mkinitcpio -p linux), but I can't find any way to test grub's image auto-signing. If I call grub-install, the new image is created but it's not signed. Same when I tried to reinstall grub with pacman.

Am I missing something? How does grub's update happen? Will it be signed?

Last edited by black_dragon (2025-04-23 14:35:38)


#2 2025-04-23 10:24:05

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 24,400

Re: [SOLVED] Secure Boot: Auto signing grub's EFI image after update

By default GRUB does not update at all unless you actively rerun the install command, after which you need to sign again. The only time you really need to run that is if you intend to add new kernel params or so and the config format changed between versions. You could create your own hook that is ordered before the sbsign one to rerun grub-install and grub-mkconfig on GRUB updates. By default neither of those is happening, and you'd use the same GRUB payload you started with since running grub-install the last time.

Also, pacman hooks operate on pacman operations; mkinitcpio -p will not trigger those, but it was likely not necessary to copy vmlinuz-linux again.

Last edited by V1del (2025-04-23 10:26:18)


#3 2025-04-23 12:21:40

black_dragon
Member
Registered: 2025-04-18
Posts: 25

Re: [SOLVED] Secure Boot: Auto signing grub's EFI image after update

V1del wrote:

By default GRUB does not update at all unless you actively rerun the install command, after which you need to sign again. The only time you really need to run that is if you intend to add new kernel params or so and the config format changed between versions. You could create your own hook that is ordered before the sbsign one to rerun grub-install and grub-mkconfig on GRUB updates. By default neither of those is happening, and you'd use the same GRUB payload you started with since running grub-install the last time.

Also, pacman hooks operate on pacman operations; mkinitcpio -p will not trigger those, but it was likely not necessary to copy vmlinuz-linux again.

I'm worried that at some point when I update my Arch as usual, grub will be updated and I won't be able to boot because it isn't signed.
Are you saying with confidence that won't happen?

V1del wrote:

Also, pacman hooks operate on pacman operations; mkinitcpio -p will not trigger those, but it was likely not necessary to copy vmlinuz-linux again

It outputs:

  -> Running post hook: [sbctl]

I'm not sure about the details, but it looks like the pacman hook is executed.


#4 2025-04-23 14:06:53

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 24,400

Re: [SOLVED] Secure Boot: Auto signing grub's EFI image after update

aah it ships a mkinitcpio hook as well, smart.

As for the GRUB assertion, currently the only thing that happens is printing information for you to manually run those commands if needed (a few years ago there was a regression in the config format, and if you ran grub-mkconfig without also running a grub-install you had a config that couldn't be read by the old GRUB, but from what I've seen these circumstances are incredibly rare). I can of course not be 100% certain of the future, but the GRUB package has never automatically updated the GRUB payload in the last 13 years of me using Arch with GRUB as a bootloader, so if that is any indication it will very likely not happen (for that matter, afaik none of the bootloader packages you have available on Arch auto-update their payload, precisely because they are an important - yet seldom in need of change - part of the boot process).

Note that the above doesn't necessarily hold for derivatives, as the regression mentioned only widely hit Endeavour OS users where grub-mkconfig got auto invoked.

You could also create e.g. a wrapper script for grub-install that invokes the necessary grub-install command and the sbsign command afterwards.

Last edited by V1del (2025-04-23 14:12:11)

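As an added example, not code from the thread, from sbctl or from the GRUB package, here is a small POSIX shell wrapper that combines the two suggestions above: post #2's idea of a pacman hook that reruns grub-install and grub-mkconfig on GRUB upgrades, and post #4's idea of a wrapper that signs right after installing. It assumes the paths and grub-install options from post #1, that `sbctl sign -s` and `sbctl verify <file>` behave as documented, that grub.cfg lives at /boot/grub/grub.cfg, and that pacman hooks run in alphabetical filename order (so a name sorting before sbctl's zz-sbctl.hook runs first). The overridable command variables (GRUB_INSTALL, GRUB_MKCONFIG, SBCTL) are a convenience of this script only, so it can be exercised with stand-ins; they are not sbctl or GRUB options.

```shell
#!/bin/sh
# grub-install-signed: reinstall the GRUB EFI payload, regenerate grub.cfg,
# sign the image with sbctl and refuse to finish with an unsigned image.
# Added example for this thread; assumptions are noted in the comments.
set -eu

# Paths and options as used in post #1 (assumed defaults; override by environment).
EFI_DIR="${EFI_DIR:-/efi}"
BOOTLOADER_ID="${BOOTLOADER_ID:-GRUB}"
EFI_IMAGE="${EFI_IMAGE:-$EFI_DIR/EFI/$BOOTLOADER_ID/grubx64.efi}"
GRUB_CFG="${GRUB_CFG:-/boot/grub/grub.cfg}"

# Command names are overridable so the script can be tested with stand-ins
# (a convenience of this script, not a feature of sbctl or GRUB).
GRUB_INSTALL="${GRUB_INSTALL:-grub-install}"
GRUB_MKCONFIG="${GRUB_MKCONFIG:-grub-mkconfig}"
SBCTL="${SBCTL:-sbctl}"

# Step 1: write a fresh, unsigned grubx64.efi with the same flags as post #1.
reinstall_grub() {
    "$GRUB_INSTALL" --target=x86_64-efi --efi-directory="$EFI_DIR" \
        --bootloader-id="$BOOTLOADER_ID" --modules="tpm" --disable-shim-lock
}

# Step 2: regenerate the config so it matches the freshly installed payload.
regenerate_config() {
    "$GRUB_MKCONFIG" -o "$GRUB_CFG"
}

# Step 3: sign the image; -s records it in sbctl's database so the shipped
# sbctl hooks keep re-signing this path on later pacman/mkinitcpio runs.
sign_grub() {
    "$SBCTL" sign -s "$EFI_IMAGE"
}

# Step 4: exit non-zero unless sbctl reports the image as signed. Failing
# here is the point: a wrapper that leaves an unsigned image behind would
# reproduce exactly the unbootable state the thread is worried about.
verify_grub() {
    "$SBCTL" verify "$EFI_IMAGE"
}

# The full sequence; each step aborts the script on failure because of set -e.
grub_install_signed() {
    reinstall_grub
    regenerate_config
    sign_grub
    verify_grub
}

# Pacman hook text (post #2's suggestion). Save the output as
# /etc/pacman.d/hooks/90-grub-install-signed.hook: "90-" sorts before
# sbctl's zz-sbctl.hook, and the hook only fires on upgrades of the grub package.
print_pacman_hook() {
    cat <<'EOF'
[Trigger]
Operation = Upgrade
Type = Package
Target = grub

[Action]
Description = Reinstalling and signing GRUB after package upgrade...
When = PostTransaction
Exec = /usr/local/bin/grub-install-signed run
EOF
}

# Only perform the installation when invoked with "run", so that sourcing
# the file (e.g. for testing) does not touch the ESP.
if [ "${1:-}" = "run" ]; then
    grub_install_signed
fi
```

Usage: copy the script to /usr/local/bin/grub-install-signed, run `grub-install-signed run` as root whenever you would otherwise run grub-install by hand, and optionally install the printed hook so the same sequence runs on every upgrade of the grub package. Because the script signs the image itself, the hook ordering only matters if you also rely on sbctl's own hook to do the signing.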

#5 2025-04-23 14:35:11

black_dragon
Member
Registered: 2025-04-18
Posts: 25

Re: [SOLVED] Secure Boot: Auto signing grub's EFI image after update

I can of course not be 100% certain of the future, but the GRUB package has never automatically updated the GRUB payload in the last 13 years of me using Arch with GRUB as a bootloader, so if that is any indication it will very likely not happen (for that matter, afaik none of the bootloader packages you have available on Arch auto-update their payload, precisely because they are an important - yet seldom in need of change - part of the boot process).

That's a strong justification, you reassured me :) Thanks!

I will mark the thread as resolved because I've finished my setup successfully and there is nothing left to do, but I'm happy to hear other thoughts on the topic.
