| View previous topic :: View next topic |
| Author |
Message |
g-virus
Tux's lil' helper
Joined: 26 Aug 2017
Posts: 111
|
 Posted: Mon Oct 25, 2021 11:58 pm Post subject: [SOLVED] EFI stub kernel doesn't boot up |
 |
|
Hello everyone!
I've been using Gentoo for a long time, installed without bootloaders to be able to boot directly from ESP partition. Everything has been working great and clear til a few days ago - I've bought a new computer and all the hardware has been changed. I've no idea what could exactly be changed, but now I cannot boot linux in EFI mode even I followed EFI stub article. My Gentoo doesn't start up and doesn't display anything, I cannot see any kind of information what's going on. I triple checked EFI entry with efibootmgr, tried both to set and not to set root= parameter in the entry, no changes. One more thing - I'm always using SystemRescue distro to install Gentoo, and in the latest version I found a good entry in their GRUB menu - "Boot a linux installed on a disk". That feature boots my Gentoo successfully. Please help me to figure out what's happening and how to fix it! thanks
Some extra info:
- VESA, NVIDIA and EFI framebuffers are set in Kernel
- Kernel is fresh and configured with make defconfig
- Intel Microcode is installed as well as linux-firmware
- NVIDIA driver is not installed yet
- /etc/fstab
| Code: |
PARTUUID=c954a508-bb15-4aaa-adb0-78a12685caba /boot vfat noatime 1 2
PARTUUID=87b1159c-88d8-4643-b1f4-9313ba15e5b7 / ext4 noatime,discard 0 1
|
- root= parameter is set with PARTUUID as well
- boot partition is a FAT32 partition of 128 MiB and marked as bootable
- boot partition contains the only one file /boot/EFI/Gentoo/linux.efi
- Mainboard is ASUS Prime Z590-P with ASUS UEFI 2.21
- SecureBoot is set as Other OS with default keys, CSM is disabled
- efibootmgr -v
| Code: |
BootCurrent: 0002
Timeout: 1 seconds
BootOrder: 0001,0000,0002
Boot0000* Windows Boot Manager HD(1,GPT,4ef7c308-4a91-4efe-a7c7-0c900d21207c,0x800,0x32000)/File(\EFI\MICROSOFT\BOOT\BOOTMGFW.EFI)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}...3................
Boot0001* Gentoo Linux HD(1,GPT,c954a508-bb15-4aaa-adb0-78a12685caba,0x1000,0x40000)/File(\EFI\Gentoo\linux.efi)
Boot0002* UEFI: Cion AP193 PENDRIVE 1.0, Partition 1 PciRoot(0x0)/Pci(0x14,0x0)/USB(7,0)/HD(1,GPT,ddc7c4d1-efcd-43a2-8f92-06474c6a168a,0x800,0x3dcfdf)..BO
|
Now root= parameter is set in Kernel built-in parameters
_________________
"A computer is like air conditioning: it becomes useless when you open windows" - Linus Torvalds.
Last edited by g-virus on Tue Oct 26, 2021 11:03 pm; edited 1 time in total |
|
| Back to top |
|
 |
mike155
Advocate
Joined: 17 Sep 2010
Posts: 4438
Location: Frankfurt, Germany
|
| Posted: Tue Oct 26, 2021 12:31 am Post subject: |
|
|
Your BIOS/UEFI probably has a built-in boot manager, which can be activated with a key (F8 on my Asus mainboard). Can you see your Gentoo EFI boot partition there? What happens if you select and start it? Do I understand correctly that absolutely nothing happens? Do you think that the kernel gets loaded and started at all?
Have you disabled secure boot in your BIOS/UEFI settings? What about the CSM? Is it enabled or disabled? |
|
| Back to top |
|
|
g-virus
Tux's lil' helper
Joined: 26 Aug 2017
Posts: 111
|
| Posted: Tue Oct 26, 2021 12:47 am Post subject: |
|
|
Hi, mike155, thank you for your reply!
Yes, it is in the boot manager, I'm actually always select it manually because I have another disk for Windows and I don't have rEFInd. Yes, it's correct - absolutely nothing happens. CSM is disabled, but I've tried to enable and it didn't change anything. I don't think the kernel gets loaded, seems like EFI bootloader doesn't want to boot .efi file, because nothing happens at all, even the display doesn't blink once. To disable SecureBoot I have to delete PK key, I didn't try it because I think if SystemRescue USB stick gets loaded then my Gentoo could as well, but should I try?
_________________
"A computer is like air conditioning: it becomes useless when you open windows" - Linus Torvalds. |
|
| Back to top |
|
|
mike155
Advocate
Joined: 17 Sep 2010
Posts: 4438
Location: Frankfurt, Germany
|
| Posted: Tue Oct 26, 2021 1:06 am Post subject: |
|
|
| g-virus wrote: | | To disable SecureBoot I have to delete PK key, I didn't try it because I think if SystemRescue USB stick gets loaded then my Gentoo could as well, but should I try? |
Was Secure Boot enabled on your old machine? Is your kernel configured and installed so that it can work on a machine where Secure boot is enabled?
I have never worked with Secure Boot - but I would expect that a machine with Secure Boot enabled will not boot an unsigned kernel...
Do you really have to delete the keys in order to disable Secure Boot? There surely is a way to backup the keys, no? |
|
| Back to top |
|
|
g-virus
Tux's lil' helper
Joined: 26 Aug 2017
Posts: 111
|
| Posted: Tue Oct 26, 2021 1:28 am Post subject: |
|
|
No, it wasn't. Yes it definitely shouldn't boot an unsigned kernel with SecureBoot enabled, but I deleted platform key and disabled secure boot now, enabled CSM and unfortunately it didn't help. Yes, on my asus mainboard I have to delete the key to set UEFI in setup mode, but I can recover them as well so it isn't a problem. I realized that UEFI could fallback to working entry (Windows 11) in case the entry I've chosen can't boot up, but it doesn't. Why does it stuck and doesn't fallback? Can be there a freeze in the Kernel? I can notice a blink of my keyboard backlit so maybe the Kernel just boots up, but can't display via DisplayPort?
_________________
"A computer is like air conditioning: it becomes useless when you open windows" - Linus Torvalds. |
|
| Back to top |
|
|
mike155
Advocate
Joined: 17 Sep 2010
Posts: 4438
Location: Frankfurt, Germany
|
| Posted: Tue Oct 26, 2021 1:44 am Post subject: |
|
|
Please post your kernel config using wgetpaste.
Which CPU do you have? |
|
| Back to top |
|
|
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 4156
Location: Bavaria
|
| Posted: Tue Oct 26, 2021 2:02 am Post subject: |
|
|
I can confirm that your UEFI contains a correct boot entry for your "linux.efi".
Please check:
1. BIOS:
- SecureBoot must be disabled
- CSM must be DISABLED
2. Kernel Konfig:
You should (must) have this for UEFI (at minimum; maybe you have additional command line parameters):
| Code: | Firmware Drivers --->
EFI (Extensible Firmware Interface) Support --->
[*] EFI Variable Support via sysfs
[*] Enable the block layer --->
Partition Types --->
[*] Advanced partition selection
[*] EFI GUID Partition support
File systems --->
DOS/FAT/NT Filesystems --->
[*] MSDOS fs support
[*] VFAT (Windows-95) fs support
Native Language support --->
[*] NLS ISO 8859-1 (Latin 1; Western European Languages)
Processor type and features --->
[*] EFI runtime service support
[*] EFI stub support
[*] Built-in kernel command line
(root=PARTUUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx ro) Built-in kernel command string
[*] Built-in command line overrides boot loader arguments |
(the last line is only for sure, because you can configure UEFI to give some command line parameters to your kernel; but I see in your "efibootmgr -v" there are no; its only to be absolute sure)
Some Mainboards need this (you didnt find it in our gentoo docs):
| Code: | Device Drivers -> Graphics Support -> Frame Buffer Devices ->
<*> Support for frame buffer devices --->
[*] EFI-based Framebuffer Support |
Maybe this is the reason for your problem ...
3. In your fstab you didnt mount your /boot with the parameter "noauto". Then you must mount first your root-partition and then your boot-partition -> just switch the two lines. (but this comes later; its not the reason for your problem of not booting)
Double check if you have copied the correct kernel to your EFI-directory.
Check again if your ESP has the correct flags. I am using
| Code: | | # parted /dev/sda p |
You must have the flags: boot, esp
(If you want to do secure boot I recommend my own guide https://forums.gentoo.org/viewtopic-p-8492354.html#8492354 )
. |
|
| Back to top |
|
|
g-virus
Tux's lil' helper
Joined: 26 Aug 2017
Posts: 111
|
| Posted: Tue Oct 26, 2021 12:19 pm Post subject: |
|
|
mike155, my CPU is Core i7-11700K, kernel config is here.
pietinger, I checked that SecureBoot is disabled and CSM is disabled as well, also checked kernel and seems like all these parameters you have listed are checked. You can find my config attached above.
| Code: |
g-virus@gentoo-pc ~ $ sudo parted /dev/sda p
Model: ATA Samsung SSD 870 (scsi)
Disk /dev/sda: 500GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:
Number Start End Size File system Name Flags
1 2097kB 136MB 134MB fat32 ESP boot, esp
2 136MB 500GB 500GB ext4 root
|
I noticed Ctrl+Alt+Del shortcut is working and I'm able to reboot the system even I don't see anything on the display. And I definitely would like to use SecureBoot in my gentoo installation!
_________________
"A computer is like air conditioning: it becomes useless when you open windows" - Linus Torvalds. |
|
| Back to top |
|
|
mike155
Advocate
Joined: 17 Sep 2010
Posts: 4438
Location: Frankfurt, Germany
|
| Posted: Tue Oct 26, 2021 4:39 pm Post subject: |
|
|
I still don't know whether your kernel starts at all. But let's assume it does.
In your kernel config, I see:
| Code: | | CONFIG_DRM_I915 is not set |
This option should be enabled. Firmware is also missing. Please follow the instructions at: https://wiki.gentoo.org/wiki/Intel.
You wrote your display is connected via DisplayPort. Can you try a different cable (VGA, DVI, HDMI)? |
|
| Back to top |
|
|
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 4156
Location: Bavaria
|
| Posted: Tue Oct 26, 2021 6:19 pm Post subject: |
|
|
| mike155 wrote: | | Can you try a different cable (VGA, DVI, HDMI)? |
I dont think there is a hardware problem, if @g-virus wrote in his first post that booting via RescueBoot is possible.
g-virus,
I also think your kernel starts, but you "only" have no screen. I saw in your kernel config other framebuffer-drivers enabled. Maybe there is a mismatch between them. You should have only the efi_fb and (for fallback) the simple_fb. Try to disable these:
| Code: | DISABLE THIS -> CONFIG_FB_VESA=y
OK -> CONFIG_FB_EFI=y
# CONFIG_FB_N411 is not set
# CONFIG_FB_HGA is not set
# CONFIG_FB_OPENCORES is not set
# CONFIG_FB_S1D13XXX is not set
DISABLE THIS -> CONFIG_FB_NVIDIA=y
# CONFIG_FB_NVIDIA_I2C is not set
# CONFIG_FB_NVIDIA_DEBUG is not set
DISABLE THIS -> CONFIG_FB_NVIDIA_BACKLIGHT=y
# CONFIG_FB_RIVA is not set
# CONFIG_FB_I740 is not set
# CONFIG_FB_LE80578 is not set
# CONFIG_FB_INTEL is not set
# CONFIG_FB_MATROX is not set
# CONFIG_FB_RADEON is not set
# CONFIG_FB_ATY128 is not set
# CONFIG_FB_ATY is not set
# CONFIG_FB_S3 is not set
# CONFIG_FB_SAVAGE is not set
# CONFIG_FB_SIS is not set
# CONFIG_FB_NEOMAGIC is not set
# CONFIG_FB_KYRO is not set
# CONFIG_FB_3DFX is not set
# CONFIG_FB_VOODOO1 is not set
# CONFIG_FB_VT8623 is not set
# CONFIG_FB_TRIDENT is not set
# CONFIG_FB_ARK is not set
# CONFIG_FB_PM3 is not set
# CONFIG_FB_CARMINE is not set
# CONFIG_FB_SMSCUFX is not set
# CONFIG_FB_UDL is not set
# CONFIG_FB_IBM_GXT4500 is not set
# CONFIG_FB_VIRTUAL is not set
# CONFIG_FB_METRONOME is not set
# CONFIG_FB_MB862XX is not set
ENABLE THIS -> # CONFIG_FB_SIMPLE is not set |
Your config looks a little bit crude - is it a historical grown config (from one machine to the next machine) ?
You have many options enabled you really dont need ... or you dont use - on the other side you have many INSECURE settings. For this I recommend to visit this page: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
(If you have enaugh time, I recommend to do a complete new configuration, starting with the clean default configuration and only enabling options you really need) |
|
| Back to top |
|
|
g-virus
Tux's lil' helper
Joined: 26 Aug 2017
Posts: 111
|
| Posted: Tue Oct 26, 2021 11:03 pm Post subject: |
|
|
Omg, finally I got it working...
pietinger, you were right! There was a problem with FB. I suppose, for some reason EFI Framebuffer didn't work on my machine, or maybe there was a conflict with nvidia fb which I added for unknown reason >_< anyway, I did exactly what you told and now it works and even in native screen resolution! thank you very much for your ideas.
It is actually the default kernel configuration, I just made "make defconfig" and have disabled a couple of options. Could you point me what exactly is insecure?
mike155, I think intel's DRM is not necessary since I don't use Intel Graphics Card. I disabled it once I got the kernel working and it still works. Thank you for your help and assistance!
_________________
"A computer is like air conditioning: it becomes useless when you open windows" - Linus Torvalds. |
|
| Back to top |
|
|
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 4156
Location: Bavaria
|
| Posted: Wed Oct 27, 2021 12:56 am Post subject: |
|
|
| g-virus wrote: | | Omg, finally I got it working... [...] thank you very much for your ideas. |
My pleasure - you are welcome.
| g-virus wrote: | | It is actually the default kernel configuration, I just made "make defconfig" and have disabled a couple of options. Could you point me what exactly is insecure? |
Only one example - you have:
| Code: | | CONFIG_MODIFY_LDT_SYSCALL=Y |
I highly recommend to read the KSPP ...
... and after this take a look into /usr/src/linux/distro/Kconfig. Then take a look into our gentoo-setttings of your kernel config (->"make menuconfig" -> last line in main menu). Then you will see, we have two new options, you dont see NOW, because you have some options enabled. You will see the two new options only if some other options are disabled. Which ones ? This you will see in distro/Kconfig.
In other words: If you first disable all options recommended in KSPP, then you will have two new options. With these you can set all options which are also recommended in KSPP for enabling.
P.S.: Do you really use SELinux ? ->
| Code: | | CONFIG_SECURITY_SELINUX=y |
|
|
| Back to top |
|
|
g-virus
Tux's lil' helper
Joined: 26 Aug 2017
Posts: 111
|
| Posted: Wed Oct 27, 2021 10:44 pm Post subject: |
|
|
Yes, I definitely don't use selinux  . thank you for info, I will have a look at
_________________
"A computer is like air conditioning: it becomes useless when you open windows" - Linus Torvalds. |
|
| Back to top |
|
|
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54244
Location: 56N 3W
|
| Posted: Thu Oct 28, 2021 7:22 am Post subject: |
|
|
pietinger,
The 'z' toggle in menuconfig is your friend when you are looking for hidden options.
It works on any menu where 'z' is not a shortcut.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
| Back to top |
|
|
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 4156
Location: Bavaria
|
| Posted: Thu Oct 28, 2021 7:30 am Post subject: |
|
|
Neddy,
thanks a lot and
many greetings,
Peter |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Installing Gentoo
