Gentoo - SecureBoot

Message

rsnfunky · Post by **rsnfunky** » Sun Sep 01, 2024 1:46 pm

Question: Howto get Secureboot functioning in Gentoo?

System Hard Disks:
1) NvMe: a) EFI Partition, b) C: Windows, c) Swap, d) Boot, e) Ubuntu root
2) SSD: a) EFI, b) Boot, c) Gentoo root

Process:
1) With Secure Boot 'on', installed windows-11 first and it was functioning
2) Then installed Ubuntu with Grub on Nvme, functioning again
3) Then Installed Gentoo with Grub on SSD
4) Changed my boot priority to SSD in UEFI BIOS

The secure boot is not functioning. I used Menuconfig to make kernel (Gentoo-sources), following the Gentoo install manual. Prepared the pem/der keys and signed the kernel installed in /boot etc...

Error Received:
1) Booting Gentoo from, Grub installed in SSD: "shim_lock protocol not found. Loading initial ramdisk... You need to load the kernel first"

2) Booting Windows from, Grub installed on SSD: "shim_lock protocol not found."

How to get the secure boot functioning with Gentoo?

PS: Before anyone askes why installed Ubuntu: I have a Ryzen 8700G and wanted to get ROCm functioning and official docs on AMD supported Ubuntu. It was not functioning on my system so installed Gentoo and its functioning here.

Child_of_Sun_24 · Post by **Child_of_Sun_24** » Sun Sep 01, 2024 5:01 pm

You need sys-boot/shim for this.
https://wiki.gentoo.org/wiki/Shim
https://wiki.gentoo.org/wiki/Secure_Boot
https://wiki.gentoo.org/wiki/Efibootmgr

With the Information of the posted links i was able to setup secure boot on my gentoo.

And this command should install grub with the needed modules to work with secure boot (When secure boot is enabled grub cannot load modules, these need to be static in the grub image)

Code: Select all

grub-install --efi-directory=/boot --boot-directory=/boot --bootloader-id Cracked.OS --disable-shim-lock --sbat=/usr/share/grub/sbat.csv --modules "boot.mod btrfs.mod cat.mod configfile.mod echo.mod efifwsetup.mod efinet.mod font.mod gettext.mod gzio.mod halt.mod help.mod jpeg.mod keystatus.mod loadenv.mod loopback.mod ls.mod lsefi.mod lsefimmap.mod lsefisystab.mod lssal.mod memdisk.mod minicmd.mod part_gpt.mod part_msdos.mod png.mod probe.mod reboot.mod regexp.mod search.mod search_fs_uuid.mod search_fs_file.mod search_label.mod sleep.mod smbios.mod squash4.mod test.mod true.mod video.mod xfs.mod iso9660.mod fat.mod chain.mod normal.mod linux.mod linux16.mod video.mod gfxmenu.mod gfxterm_background.mod gfxterm_menu.mod gfxterm.mod video_fb.mod efi_gop.mod efi_uga.mod video_fb.mod all_video.mod ntfs.mod"

And this is my grub.cfg, it could use more functions but i want to keep it simple:

Code: Select all

set timeout=30

loadfont unicode
set menu_color_normal=white/black
set menu_color_highlight=black/light-gray

menuentry "Gentoo" {
        set gfxpayload=keep
        linux   /vmlinuz-6.10.7-gentoo root=PARTUUID=197f3c03-eb46-479d-82a6-1a3a701500e7 ro init=/usr/lib/systemd/systemd rootfstype=btrfs rootflags=ssd,thread_pool=10,compress=zstd amd_pstate=guided cpufreq.scaling_governor=schedutil cpufreq.default_governor=schedutil crypt=0 passdev=none
}

menuentry 'Windows 11 x64' {
        search --no-floppy --fs-uuid --set=root 67D3-2C0E
        chainloader (${root})/EFI/Microsoft/Boot/bootmgfw.efi
}


menuentry 'Rescue' {
        set gfxpayload=keep
        linux /sysresccd/boot/x86_64/vmlinuz archisobasedir=sysresccd archisolabel=BOOT iomem=relaxed copytoram setkmap=de
        initrd /sysresccd/boot/intel_ucode.img /sysresccd/boot/amd_ucode.img /sysresccd/boot/x86_64/sysresccd.img
}

Post by **Nowa** » Mon Sep 02, 2024 6:39 am

The grub-install based approach outlined above will work fine. But for version 2.12-r5 there is a new somewhat simpler approach documented here: https://wiki.gentoo.org/wiki/Shim#GRUB

CaptainBlood · Post by **CaptainBlood** » Mon Sep 02, 2024 8:03 am

Very interesting links indeed!!!

Thks 4 ur attention, interest & support.