
#1 2022-08-25 02:09:24

Fullsteam
Member
Registered: 2022-08-25
Posts: 23

(Solved) Secureboot Grub 2 (Blocked by secureboot policy)

First time posting here, so hi to anybody reading this, and thank you for your time.

CPU = Amd 3600x
Motherboard = Asrock x570 phantom gaming 4
grub = grub 2:2.06.r297.g0c6c1aff2-1
kernel = 5.15.62-1-lts     also have non lts kernel installed

So I was following the arch wiki secureboot guide and followed all of it - including Signing your own keys
https://wiki.archlinux.org/title/Unifie … ecure_Boot

However, when I try to boot with secureboot enabled it just says, as in the title, "blocked by secureboot policy" and drops me into grub rescue.
I assume I have signed the bootloader properly, given that grub is booting.

Also, my motherboard has an "enroll EFI image" function which gives me the filesystem; I navigated to the EFI directory and I believe I enrolled the vmlinuz images.

I keep seeing shim mentioned. Is that required, as in, can grub boot initramfs images and everything else without it installed?


EDIT: commands and locations are grub-specific.

Running the command as cloverskull recommended fixed the problem.

Note: if you have access to the system, you can run the command from the running system. It doesn't alter your /etc/default/grub file, which is used to generate /boot/grub/grub.cfg, and that file isn't altered either.
However, this will generate a new grub.efi entry under /boot/EFI/GRUB/. It will be unsigned and will need to be re-signed to be accepted by secureboot.

Command run to fix:
grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB --modules="normal test efi_gop efi_uga search echo linux all_video gfxmenu gfxterm_background gfxterm_menu gfxterm loadenv configfile tpm" --disable-shim-lock

Thanks Cloverskull
Oh, and yes, disabling shim lock is required; I tried without it and the system won't boot without that.

Last edited by Fullsteam (2022-08-25 08:20:39)
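The two steps the post above describes (reinstall GRUB with the tpm module, then re-sign the freshly written EFI binary so Secure Boot accepts it) as one script. This is an added example, not code from the thread or from the GRUB project; the key and certificate paths under /etc/efi-keys, the /boot EFI directory and the GRUB bootloader id are assumptions in the style of the Arch wiki, so adjust them to your own setup. It uses sbsign/sbverify from sbsigntools; sbctl users can replace the signing call with "sbctl sign -s" on the same file.

```shell
#!/bin/sh
# Added example (not from the thread or the GRUB project): reinstall GRUB with
# the tpm module, re-sign the new grubx64.efi with the Secure Boot db key, and
# verify the signature before declaring success.
# Assumed paths: /boot as the EFI directory, GRUB as the bootloader id, and
# /etc/efi-keys/db.{key,crt} as the db signing key pair.
set -eu

# Ensure the module list contains "tpm" (the module the thread found necessary)
# without duplicating it when it is already listed.
ensure_tpm_module() {
    case " $1 " in
        *" tpm "*) printf '%s\n' "$1" ;;
        *)         printf '%s tpm\n' "$1" ;;
    esac
}

# Extra grub-install flag depending on whether shim sits in the boot chain:
#   noshim -> firmware loads GRUB directly; the thread found the system only
#             boots with --disable-shim-lock in this case
#   shim   -> shim is present, so no extra flag
shim_lock_flag() {
    case "$1" in
        noshim) printf '%s\n' "--disable-shim-lock" ;;
        shim)   printf '\n' ;;
        *) echo "usage: shim_lock_flag shim|noshim" >&2; return 1 ;;
    esac
}

# Path grub-install writes for a given --efi-directory ($1) and --bootloader-id ($2).
grub_efi_path() {
    printf '%s/EFI/%s/grubx64.efi\n' "$1" "$2"
}

# Reinstall GRUB, sign the result with the db key, and verify it.
# $1: shim|noshim  $2: EFI dir  $3: bootloader id  $4: db key  $5: db cert
reinstall_and_sign() {
    mods=$(ensure_tpm_module "normal test efi_gop efi_uga search echo linux all_video gfxmenu gfxterm_background gfxterm_menu gfxterm loadenv configfile")
    flag=$(shim_lock_flag "$1")
    # $flag is deliberately unquoted so an empty value adds no argument.
    grub-install --target=x86_64-efi --efi-directory="$2" \
        --bootloader-id="$3" --modules="$mods" $flag
    efi=$(grub_efi_path "$2" "$3")
    # grub-install writes an unsigned PE binary; sign it in place with the db key.
    # sbctl users: sbctl sign -s "$efi"
    sbsign --key "$4" --cert "$5" --output "$efi" "$efi"
    # Fail loudly if the signature does not verify against the db certificate,
    # which is exactly the case the firmware would reject at boot.
    sbverify --cert "$5" "$efi"
}

# Only touch the system when explicitly asked: ./script.sh run [shim|noshim]
if [ "${1:-}" = "run" ]; then
    reinstall_and_sign "${2:-noshim}" /boot GRUB /etc/efi-keys/db.key /etc/efi-keys/db.crt
fi
```

The final sbverify step is the check worth keeping: it turns "I think I signed it" into a verifiable result before you reboot with Secure Boot enabled, and it catches the common mistake of signing with a key whose certificate was never enrolled in db.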


#2 2022-08-25 04:22:07

cloverskull
Member
Registered: 2018-09-30
Posts: 240

Re: (Solved) Secureboot Grub 2 (Blocked by secureboot policy)

Yeah, this is super annoying. I had to recently deal with this as well.

Chroot back in from the live environment and make sure to install the 'tpm' module when you install grub. In fact, I think grub should by default install this module.

grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB --modules="normal test efi_gop efi_uga search echo linux all_video gfxmenu gfxterm_background gfxterm_menu gfxterm loadenv configfile tpm" --disable-shim-lock

*edit - It's not 100% clear to me what the default grub-install modules are, nor do I understand which of these modules are actually needed for secure boot. I also don't know if the --disable-shim-lock arg is needed here. Nevertheless, this "works for me", so I am passing this info along.

I do think, however, that the wiki is a bit lacking here and I'd love to better understand these details so that I can update it. Additionally I think it would be useful for the archinstall script to use these args when installing grub.

Last edited by cloverskull (2022-08-25 04:29:18)


#3 2022-08-25 22:37:58

cloverskull
Member
Registered: 2018-09-30
Posts: 240

Re: (Solved) Secureboot Grub 2 (Blocked by secureboot policy)

I'm glad this solved the problem for you. I've updated the GRUB Arch wiki page.


#4 2022-08-26 02:09:24

nowy
Member
Registered: 2022-04-15
Posts: 18

Re: (Solved) Secureboot Grub 2 (Blocked by secureboot policy)

I tested the commands in two cases.
Secure boot is working with the commands below on my system.

without shim, with sbctl (* I didn't test without the tpm module.):

grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB --modules="tpm" --disable-shim-lock

with shim:

grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB --modules="normal test efi_gop efi_uga search echo linux all_video gfxmenu gfxterm_background gfxterm_menu gfxterm loadenv configfile tpm"

Last edited by nowy (2022-08-26 02:09:54)


#5 2022-08-26 02:15:28

cloverskull
Member
Registered: 2018-09-30
Posts: 240

Re: (Solved) Secureboot Grub 2 (Blocked by secureboot policy)

Interesting - perhaps the GRUB docs should have a more specific update in that case. Additionally it might make sense to call these details out on some of the secure boot specific pages.

I'd be curious to see how hard this is to implement with the archinstall script. My thinking is that now that Windows 11 requires secure boot, and assuming at least some subset of people will either want to dual boot with windows OR roll their own keys, maybe we should add some sort of choice during the install process.


#6 2024-09-21 23:04:31

makkusu
Member
Registered: 2024-09-21
Posts: 5

Re: (Solved) Secureboot Grub 2 (Blocked by secureboot policy)

Thanks! New user here and this was very helpful!


#7 2025-05-03 16:22:38

Shoqolate
Member
Registered: 2025-05-03
Posts: 1

Re: (Solved) Secureboot Grub 2 (Blocked by secureboot policy)

Thanks dude, that first command from OP worked great for me!

I was having a lot of struggle because I have an MSI B650 Gaming Wi-Fi Plus Motherboard and nothing was working, even from the official CachyOS documentation.

After running this, I just had to use SBCTL to sign that new loader, and finally it's working!

