The officially official Devuan Forum!


#1 Yesterday 08:45:27

chomwitt
Member
Registered: 2019-09-24
Posts: 177  

Help needed to enable secure boot.

Distro: Devuan Daedalus

Enabling secure boot from my motherboard's UEFI setup utility, my PC cannot boot.
Early in the boot, before I see GRUB's menu, I see an error message from the UEFI:
'Secure Boot violation, Invalid signature detected. Check secure policy in setup'.

Disabling 'secure boot', I can again boot as usual.

I posted my issue here because the first explanation I can think of is that somehow my grub image
is not signed correctly.

But I see:

$ sudo dpkg -l | grep shim
ii  shim-helpers-amd64-signed                      1+15.7+1                                amd64        boot loader to chain-load signed boot loaders (signed by Debian)
ii  shim-signed:amd64                              1.39+15.7-1                             amd64        Secure Boot chain-loading bootloader (Microsoft-signed binary)
ii  shim-signed-common                             1.39+15.7-1                             all          Secure Boot chain-loading bootloader (common helper scripts)
ii  shim-unsigned

So how should I proceed?


Devuan(Chimaera)(Daedalus)  DS+WM: XorgX11server+StumpVM


#2 Yesterday 15:15:25

s1mple
Member
Registered: 2023-11-13
Posts: 15  

Re: Help needed to enable secure boot.

Does it boot? If it does, the error could be because insmod is used in your grub.cfg. Using insmod has been disallowed for secure boot since grub version 2.06.

In case it does boot and you want to get rid of the warning, you could either comment out any use of insmod in grub.cfg or see if update-grub fixes it once booted in secure boot mode. Those insmod lines should not be necessary with the secure boot version of grub, as they should've been built into the bootloader instead.


#3 Yesterday 16:01:13

s1mple
Member
Registered: 2023-11-13
Posts: 15  

Re: Help needed to enable secure boot.

Here is a solution I've written down on my personal wiki that I've used to fix a system.

The grub-efi-*-signed and shim-signed packages need to be installed (usually grub-efi is enough). grub-install uses the GRUB_DISTRIBUTOR variable from /etc/default/grub to create the folder on the EFI partition; if a distributor id is missing it will default to grub, and then grub will be unable to locate grub.cfg, which is hardcoded to be in EFI/debian. grub-install will auto-substitute devuan for debian.

/sys/firmware/efi should exist on a secure boot system. If /sys/firmware/efi/efivars is empty you need to mount it with this command: mount -t efivarfs efivarfs /sys/firmware/efi/efivars. We then need to mount the broken system: the root partition with mount /dev/sda2 /mnt and the EFI partition inside it with mount /dev/sda1 /mnt/boot/efi. You also need to mount some virtual filesystems.

# bind-mount the live system's virtual filesystems into the chroot
mount --bind /dev /mnt/dev
mount --bind /dev/pts /mnt/dev/pts
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
mount --bind /sys/firmware/efi/efivars /mnt/sys/firmware/efi/efivars
mount --bind /run /mnt/run

Then chroot into /mnt and reinstall grub:

chroot /mnt
# installing just grub-efi might work
apt install grub-efi-amd64-signed shim-signed grub2-common
cp /usr/share/grub/default/grub /etc/default/grub
grub-install /dev/sda
update-grub

That should be it. Reboot.

Only the debian folder on the EFI partition is used for devuan.


#4 Yesterday 18:46:12

chomwitt
Member
Registered: 2019-09-24
Posts: 177  

Re: Help needed to enable secure boot.

@s1mple thanks for the reply.
- There is /sys/firmware/efi/efivars with dozens of efivars.
- mokutil reports pm, kek and db keys.

Before I reinstall grub-efi I want to search a little more and understand: if my initial Daedalus installation was UEFI secure boot compatible (with the shim), why then can't UEFI boot to grub?

For context :

@Daedalus installation guide.

@ debian installation manual / 3.6.3. Systems with UEFI firmware

Last edited by chomwitt (Yesterday 20:59:26)


Devuan(Chimaera)(Daedalus)  DS+WM: XorgX11server+StumpVM


#5 Today 16:19:55

s1mple
Member
Registered: 2023-11-13
Posts: 15  

Re: Help needed to enable secure boot.

Before I reinstall grub-efi I want to search a little more and understand: if my initial Daedalus installation was UEFI secure boot compatible (with the shim), why then can't UEFI boot to grub?

Sounds like a smart thing to do.

If you can reach grub when doing a secure boot and you already have the signed packages installed, I'd try to comment out any use of insmod for the boot entry from within the grub shell. Those changes are not persistent. If it works you should be able to fix grub.cfg from within the booted system with update-grub.

I'm not on a secure boot system, so this is from memory, but as I remember it, the important thing is the location of the bootloader files and the grub.cfg the signed grub bootloader should read. Those come from the grub-efi-${arch}-signed and the shim-signed package. They need to be installed to the EFI partition in the EFI/debian folder. That is done by grub-installer, which I think does it based on the current system or can be forced with flags (e.g. grub-install --uefi-secure-boot /dev/sdX). You can mount the EFI partition and have a look at what files are there.

The example from my wiki was from a livecd with secure boot enabled to fix an installed system. I don't remember the specifics, but a livecd that's able to boot in secure boot mode will come in very handy when fixing boot if anything goes wrong.

So what I'm saying is that this would probably work on a normal boot, if commenting out insmod in the grub shell doesn't let you boot:

apt install grub-efi-amd64-signed shim-signed
grub-install --uefi-secure-boot /dev/sdX
update-grub

Of course replace /dev/sdX with your boot drive, and if you're not on an x86_64 system, use the appropriate signed grub package for the architecture.

It's also quite possible that there is a smarter way to move from an unsigned to a signed system ;)

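To make the "have a look at what files are there" step from post #5 and the insmod point from post #2 concrete, here is an added diagnostic script (not from the thread or from Devuan) that reads the SecureBoot efivar, checks that the signed chain is present under EFI/debian on the ESP, and counts insmod lines in the grub.cfg there. It assumes an x86_64 system (shimx64.efi / grubx64.efi file names) and takes the efivars and ESP directories as arguments so it can also be run against constructed test directories.

```shell
#!/bin/sh
# Added diagnostic for the Secure Boot chain discussed in this thread; not
# the thread's or Devuan's own code. Directories are parameters so it can be
# pointed at the real efivarfs/ESP or at constructed test directories.

# EFI global-variable GUID under which the firmware publishes SecureBoot.
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# Decode an efivarfs file: 4 bytes of attributes, then the variable data.
# For SecureBoot the data is a single byte: 1 = enforcing, 0 = off.
efivar_value() {
    [ -r "$1" ] || return 1
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# The signed chain lives in EFI/debian on the ESP even on Devuan (post #3).
# Prints each missing file; succeeds only if all three are present.
# Assumes x86_64 file names.
check_esp() {
    rc=0
    for f in shimx64.efi grubx64.efi grub.cfg; do
        if [ ! -f "$1/EFI/debian/$f" ]; then
            echo "missing: EFI/debian/$f"
            rc=1
        fi
    done
    return $rc
}

# Count uncommented insmod lines in a grub.cfg (post #2: the signed GRUB
# refuses module loading under Secure Boot). Prints 0 when there are none.
count_insmod() {
    grep -cE '^[[:space:]]*insmod[[:space:]]' "$1" || true
}

# Combine the checks: $1 = efivars directory, $2 = ESP mount point.
secureboot_report() {
    sb=$(efivar_value "$1/SecureBoot-$EFI_GLOBAL_GUID") || sb=unknown
    echo "SecureBoot=$sb"
    if check_esp "$2"; then echo "ESP layout ok"; fi
    cfg="$2/EFI/debian/grub.cfg"
    [ -f "$cfg" ] && echo "insmod lines in EFI/debian/grub.cfg: $(count_insmod "$cfg")"
    return 0
}

# On a live system (as root): secureboot_report /sys/firmware/efi/efivars /boot/efi
```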
