Gentoo Forums
Boot problem since new version grub 2.12

hktonky
n00b

Joined: 23 Apr 2022
Posts: 16

Posted: Sun Mar 24, 2024 1:39 pm    Post subject: Boot problem since new version grub 2.12

Good morning
I have a problem since version 2.12 of grub.
I have been working for several years on a gentoo version installed on encrypted USB media and it works perfectly.
The classic principle is to add a line in the /etc/default/grub file to indicate to the system that the root is on an encrypted partition which must first be decrypted by a cryptsetup command:

GRUB_CMDLINE_LINUX="scandelay=3 quiet crypt_root=UUID=xxxxxxxxxxxxxxxxxx video.use_native_backlight=1 psmouse.proto=imps keymap=fr noresume dokeymap video=uvesafb:1366x768-32,mtrr:3,ywrap splash=verbose,theme:emerge-world radeon.audio=1 amdgpu.dc=1 rootfstype=ext4"

In the event of a kernel change, I operate the migration with the sequence of commands:
Code:
zcat /proc/config.gz > /usr/src/linux/.config
make syncconfig
make modules_prepare
make
genkernel --luks --loglevel=5 initramfs
make modules_install
make install

Then I update the EFI grub with
Code:
grub-mkconfig -o /boot/grub/grub.cfg
grub-mkstandalone --output=/boot/EFI/EFI/BOOT/bootx64.efi --format=x86_64-efi --modules="part_gpt part_msdos fat ext2 echo linux normal search search_fs_uuid loadenv minicmd luks crypto cryptodisk all_video lvm usb xfs cpio reboot sleep configfile password_pbkdf2 gcry_sha256 gcry_sha512 gcry_dsa gcry_rsa" --pubkey=xxxx.pub --disable-shim-lock "/boot/grub/grub.cfg=/boot/grub/grub.cfg" "/boot/grub/grub.cfg.sig=/boot/grub/grub.cfg.sig"


And finally I sign the BOOTX64.EFI with the correct keys to allow it to run with the secure EFI boot.
With grub version 2.06 and before it works perfectly.

With the transition to version 2.12, BOOTX64.EFI is launched and the grub menu is displayed. I therefore think that the problem comes from the sequence with the initramfs previously responsible for decrypting the root partition with the entry of a password.

Once the menu line is chosen, an error message is displayed: "kernel must be loaded before"

I fixed the problem temporarily by disallowing the update to version 2.12.
But I fear that this temporary solution will lead to an upcoming blockage.
How can I find this possibility with version 2.12 of grub?

I tested with the recent 23 profile, it's exactly the same.

Thank you for your help.

[Moderator edit: added [code] tags to preserve output layout. -Hu]

eeckwrk99
Apprentice

Joined: 14 Mar 2021
Posts: 163
Location: Gentoo forums

Posted: Sun Mar 24, 2024 2:38 pm

After updating to 2.12, you should re-install GRUB with:
Code:
# grub-install

followed by
Code:
# grub-mkconfig

hktonky
n00b

Joined: 23 Apr 2022
Posts: 16

Posted: Sun Mar 24, 2024 9:15 pm    Post subject: Boot problem since new version grub 2.12

Good evening
Sorry, it doesn't change anything. I always get the same mistake.

sMueggli
Guru

Joined: 03 Sep 2022
Posts: 368

Posted: Tue Mar 26, 2024 5:21 pm

Does it boot if you disable Secure Boot?

hktonky
n00b

Joined: 23 Apr 2022
Posts: 16

Posted: Tue Mar 26, 2024 8:55 pm    Post subject: Boot problem since new version grub 2.12

Good evening
The boot works perfectly if we deactivate the secure start.

sMueggli
Guru

Joined: 03 Sep 2022
Posts: 368

Posted: Wed Mar 27, 2024 5:21 pm

If it works with Secure Boot disabled, you can choose between disabling Secure Boot permanently or creating a correctly signed binary.

I think your Grub binary is missing some modules. I would start with

Code:
grep insmod /boot/grub/grub.cfg

to see which modules are inserted and then update the
Code:
grub-mkstandalone ...
command with the newly added modules.

hktonky
n00b

Joined: 23 Apr 2022
Posts: 16

Posted: Wed Mar 27, 2024 9:03 pm    Post subject: Boot problem since new version grub 2.12

Thank you for your help.
I checked the modules between version 2.06 which works and version 2.12.
They are exactly the same: none of them seem to be missing.

sMueggli
Guru

Joined: 03 Sep 2022
Posts: 368

Posted: Thu Mar 28, 2024 5:16 pm    Post subject: Re: Boot problem since new version grub 2.12

hktonky wrote:
I checked the modules between version 2.06 which works and version 2.12.
They are exactly the same: none of them seem to be missing.


That is strange because Grub 2.12 has at least one new module called bli (/boot/grub/x86_64-efi/bli.mod). And that module is also loaded by /boot/grub/grub.cfg on my system (caused by /etc/grub.d/25_bli script).

hktonky
n00b

Joined: 23 Apr 2022
Posts: 16

Posted: Thu Mar 28, 2024 8:14 pm    Post subject: Boot problem since new version grub 2.12

You are right.
The BLI module is loaded by the config file 25_xxxx in /etc/grub.d/
But whether this module is loaded or not doesn't change anything (I tried it in both cases) and that's the only difference between the modules loaded by 2.12 and the ones loaded by 2.06.

hktonky
n00b

Joined: 23 Apr 2022
Posts: 16

Posted: Tue Apr 16, 2024 9:16 pm    Post subject: Boot problem since new version grub 2.12 - Solved

I finally found the solution.

The difference between GRUB 2.12 and GRUB 2.06 is that the kernel must be loaded by the EFI bootloader and not by GRUB directly.
It is therefore necessary to sign it with the key to the EFI Secure Boot store.
But it is also necessary to sign the kernel with the GPG key used by GRUB (disable-shim-lock option used).

We therefore obtain the following sequence of commands:

Code:
grub-mkconfig -o /boot/grub/grub.cfg
to generate the grub.cfg file

Code:
gpg --default-key mykey --detach-sign grub.cfg
to sign the grub.cfg file

Code:
grub-mkstandalone --output=/boot/efi/boot/bootx64.efi --format=x86_64-efi --modules="part_gpt part_msdos fat ext2 linux normal search search_fs_uuid loadenv minicmd luks cryptodisk all_video cpio reboot sleep bli configfile password_pbkdf2 gcry_sha256 gcry_sha512 gcry_dsa gcry_dsa" --pubkey=mykey.pub --disable-shim-lock /boot/grub/grub.cfg=/boot/grub/grub.cfg grub.cfg.sig=/boot/grub/grub.cfg.sig
to generate the loader bootx64.efi

Code:
sbsign --key /etc/efikeys/db.key --cert /etc/efikeys/db.crt --output vmlinuz-6.8.5-gento-r1-x86_64 vmlinuz-6.8.5-gento-r1-x86_64
to sign the kernel with the keys to the EFI store

Code:
gpg --default-key mykey --detach-sign vmlinuz-6.8.5-gento-r1-x86_64
to sign the kernel with the PGP key used by GRUB
(Be careful not to reverse the order of the last two lines)

Code:
cd /boot/efi/efi/boot
sbsign --key /etc/efikeys/db.key --cert /etc/efikeys/db.crt --output bootx64.efi bootx64.efi
to finally sign the loader bootx64.efi with the keys to the EFI store.

It was this double signature of the kernel that I was missing.
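A pre-reboot check of the double signature described in the last post, as an added example that is not part of the original thread: it verifies the Secure Boot signature on the loader and the kernel with sbverify, and the detached GPG signatures on the kernel and grub.cfg with gpgv. The function names are illustrative, and it assumes the key file passed to --pubkey is a binary `gpg --export`.

```shell
#!/bin/sh
# Added example (not from the thread): verify both signature layers before rebooting.
# Function names are illustrative. Assumes sbverify (sbsigntools) and gpgv (GnuPG),
# and that the GRUB public key file is a binary export (gpg --export).

# check_gpg KEY FILE: FILE.sig must be a valid detached signature, made with KEY,
# over FILE exactly as it is on disk now.
check_gpg() {
    key=$1
    # gpgv resolves a name without a slash relative to its home directory
    case $key in */*) ;; *) key=./$key ;; esac
    [ -f "$2.sig" ] || { echo "MISSING $2.sig"; return 1; }
    gpgv --keyring "$key" "$2.sig" "$2" >/dev/null 2>&1 ||
        { echo "BAD-GPG $2 (modified after signing?)"; return 1; }
}

# check_efi CERT FILE: FILE must carry a signature that verifies against CERT.
check_efi() {
    sbverify --cert "$1" "$2" >/dev/null 2>&1 || { echo "BAD-EFI $2"; return 1; }
}

# verify_boot_chain CERT KEY LOADER KERNEL CFG
verify_boot_chain() {
    rc=0
    check_efi "$1" "$3" || rc=1      # bootx64.efi: EFI store signature
    check_efi "$1" "$4" || rc=1      # kernel: EFI store signature
    check_gpg "$2" "$4" || rc=1      # kernel: GPG signature used by GRUB
    check_gpg "$2" "$5" || rc=1      # grub.cfg: GPG signature used by GRUB
    [ "$rc" -eq 0 ] && echo "OK: all signatures verify"
    return "$rc"
}

# Usage: sh verify-boot.sh /etc/efikeys/db.crt mykey.pub LOADER KERNEL /boot/grub/grub.cfg
if [ "$#" -eq 5 ]; then verify_boot_chain "$@"; fi
```

Because sbsign rewrites the file it signs, a .sig created before the sbsign step no longer matches the kernel, and the script reports that case as BAD-GPG.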