[SOLVED] EFI stub kernel doesn't boot up

[g-virus]

Hello everyone!

I've been using Gentoo for a long time, installed without bootloaders to be able to boot directly from ESP partition. Everything has been working great and clear til a few days ago - I've bought a new computer and all the hardware has been changed. I've no idea what could exactly be changed, but now I cannot boot linux in EFI mode even I followed EFI stub article. My Gentoo doesn't start up and doesn't display anything, I cannot see any kind of information what's going on. I triple checked EFI entry with efibootmgr, tried both to set and not to set root= parameter in the entry, no changes. One more thing - I'm always using SystemRescue distro to install Gentoo, and in the latest version I found a good entry in their GRUB menu - "Boot a linux installed on a disk". That feature boots my Gentoo successfully. Please help me to figure out what's happening and how to fix it! thanks

Some extra info:

- VESA, NVIDIA and EFI framebuffers are set in Kernel
- Kernel is fresh and configured with make defconfig
- Intel Microcode is installed as well as linux-firmware
- NVIDIA driver is not installed yet
- /etc/fstab

Code: Select all

PARTUUID=c954a508-bb15-4aaa-adb0-78a12685caba	  /boot	vfat	noatime		1 2
PARTUUID=87b1159c-88d8-4643-b1f4-9313ba15e5b7	  /             ext4	noatime,discard	0 1

- root= parameter is set with PARTUUID as well
- boot partition is a FAT32 partition of 128 MiB and marked as bootable
- boot partition contains the only one file /boot/EFI/Gentoo/linux.efi
- Mainboard is ASUS Prime Z590-P with ASUS UEFI 2.21
- SecureBoot is set as Other OS with default keys, CSM is disabled
- efibootmgr -v

Code: Select all

BootCurrent: 0002
Timeout: 1 seconds
BootOrder: 0001,0000,0002
Boot0000* Windows Boot Manager	HD(1,GPT,4ef7c308-4a91-4efe-a7c7-0c900d21207c,0x800,0x32000)/File(\EFI\MICROSOFT\BOOT\BOOTMGFW.EFI)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}...3................
Boot0001* Gentoo Linux	HD(1,GPT,c954a508-bb15-4aaa-adb0-78a12685caba,0x1000,0x40000)/File(\EFI\Gentoo\linux.efi)
Boot0002* UEFI: Cion AP193 PENDRIVE 1.0, Partition 1	PciRoot(0x0)/Pci(0x14,0x0)/USB(7,0)/HD(1,GPT,ddc7c4d1-efcd-43a2-8f92-06474c6a168a,0x800,0x3dcfdf)..BO

Now root= parameter is set in Kernel built-in parameters

[mike155]

Your BIOS/UEFI probably has a built-in boot manager, which can be activated with a key (F8 on my Asus mainboard). Can you see your Gentoo EFI boot partition there? What happens if you select and start it? Do I understand correctly that absolutely nothing happens? Do you think that the kernel gets loaded and started at all?

Have you disabled secure boot in your BIOS/UEFI settings? What about the CSM? Is it enabled or disabled?

[g-virus]

Hi, mike155, thank you for your reply!

Yes, it is in the boot manager, I'm actually always select it manually because I have another disk for Windows and I don't have rEFInd. Yes, it's correct - absolutely nothing happens. CSM is disabled, but I've tried to enable and it didn't change anything. I don't think the kernel gets loaded, seems like EFI bootloader doesn't want to boot .efi file, because nothing happens at all, even the display doesn't blink once. To disable SecureBoot I have to delete PK key, I didn't try it because I think if SystemRescue USB stick gets loaded then my Gentoo could as well, but should I try?

[mike155]

To disable SecureBoot I have to delete PK key, I didn't try it because I think if SystemRescue USB stick gets loaded then my Gentoo could as well, but should I try?

Was Secure Boot enabled on your old machine? Is your kernel configured and installed so that it can work on a machine where Secure boot is enabled?

I have never worked with Secure Boot - but I would expect that a machine with Secure Boot enabled will not boot an unsigned kernel...

Do you really have to delete the keys in order to disable Secure Boot? There surely is a way to backup the keys, no?

[g-virus]

No, it wasn't. Yes it definitely shouldn't boot an unsigned kernel with SecureBoot enabled, but I deleted platform key and disabled secure boot now, enabled CSM and unfortunately it didn't help. Yes, on my asus mainboard I have to delete the key to set UEFI in setup mode, but I can recover them as well so it isn't a problem. I realized that UEFI could fallback to working entry (Windows 11) in case the entry I've chosen can't boot up, but it doesn't. Why does it stuck and doesn't fallback? Can be there a freeze in the Kernel? I can notice a blink of my keyboard backlit so maybe the Kernel just boots up, but can't display via DisplayPort?

[mike155]

Please post your kernel config using wgetpaste.

Which CPU do you have?

[pietinger]

I can confirm that your UEFI contains a correct boot entry for your "linux.efi".

Please check:

1. BIOS:
- SecureBoot must be disabled
- CSM must be DISABLED

2. Kernel Konfig:
You should (must) have this for UEFI (at minimum; maybe you have additional command line parameters):

Code: Select all

Firmware Drivers  --->
EFI (Extensible Firmware Interface) Support  --->
   [*] EFI Variable Support via sysfs

[*] Enable the block layer --->
Partition Types --->
   [*] Advanced partition selection
   [*] EFI GUID Partition support

File systems --->
DOS/FAT/NT Filesystems  --->
   [*] MSDOS fs support
   [*] VFAT (Windows-95) fs support
Native Language support --->
   [*] NLS ISO 8859-1  (Latin 1; Western European Languages)
   
Processor type and features  --->
[*] EFI runtime service support 
[*]   EFI stub support
[*] Built-in kernel command line
(root=PARTUUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx ro) Built-in kernel command string
[*]   Built-in command line overrides boot loader arguments

(the last line is only for sure, because you can configure UEFI to give some command line parameters to your kernel; but I see in your "efibootmgr -v" there are no; its only to be absolute sure)

Some Mainboards need this (you didnt find it in our gentoo docs):

Code: Select all

Device Drivers -> Graphics Support -> Frame Buffer Devices ->
<*> Support for frame buffer devices --->
[*] EFI-based Framebuffer Support

Maybe this is the reason for your problem ...

3. In your fstab you didnt mount your /boot with the parameter "noauto". Then you must mount first your root-partition and then your boot-partition -> just switch the two lines. (but this comes later; its not the reason for your problem of not booting)

Double check if you have copied the correct kernel to your EFI-directory.

Check again if your ESP has the correct flags. I am using

Code: Select all

# parted /dev/sda p

You must have the flags: boot, esp



(If you want to do secure boot I recommend my own guide viewtopic-p-8492354.html#8492354 )

.

[g-virus]

mike155, my CPU is Core i7-11700K, kernel config is here.

pietinger, I checked that SecureBoot is disabled and CSM is disabled as well, also checked kernel and seems like all these parameters you have listed are checked. You can find my config attached above.

Code: Select all

g-virus@gentoo-pc ~ $ sudo parted /dev/sda p
Model: ATA Samsung SSD 870 (scsi)
Disk /dev/sda: 500GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:

Number  Start   End    Size   File system  Name  Flags
 1      2097kB  136MB  134MB  fat32        ESP   boot, esp
 2      136MB   500GB  500GB  ext4         root

I noticed Ctrl+Alt+Del shortcut is working and I'm able to reboot the system even I don't see anything on the display. And I definitely would like to use SecureBoot in my gentoo installation!

[mike155]

I still don't know whether your kernel starts at all. But let's assume it does.

In your kernel config, I see:

Code: Select all

CONFIG_DRM_I915 is not set

This option should be enabled. Firmware is also missing. Please follow the instructions at: https://wiki.gentoo.org/wiki/Intel.

You wrote your display is connected via DisplayPort. Can you try a different cable (VGA, DVI, HDMI)?

[pietinger]

Can you try a different cable (VGA, DVI, HDMI)?

I dont think there is a hardware problem, if @g-virus wrote in his first post that booting via RescueBoot is possible.

g-virus,

I also think your kernel starts, but you "only" have no screen. I saw in your kernel config other framebuffer-drivers enabled. Maybe there is a mismatch between them. You should have only the efi_fb and (for fallback) the simple_fb. Try to disable these:

Code: Select all

DISABLE THIS -> CONFIG_FB_VESA=y
OK ->           CONFIG_FB_EFI=y
# CONFIG_FB_N411 is not set
# CONFIG_FB_HGA is not set
# CONFIG_FB_OPENCORES is not set
# CONFIG_FB_S1D13XXX is not set
DISABLE THIS -> CONFIG_FB_NVIDIA=y
# CONFIG_FB_NVIDIA_I2C is not set
# CONFIG_FB_NVIDIA_DEBUG is not set
DISABLE THIS -> CONFIG_FB_NVIDIA_BACKLIGHT=y
# CONFIG_FB_RIVA is not set
# CONFIG_FB_I740 is not set
# CONFIG_FB_LE80578 is not set
# CONFIG_FB_INTEL is not set
# CONFIG_FB_MATROX is not set
# CONFIG_FB_RADEON is not set
# CONFIG_FB_ATY128 is not set
# CONFIG_FB_ATY is not set
# CONFIG_FB_S3 is not set
# CONFIG_FB_SAVAGE is not set
# CONFIG_FB_SIS is not set
# CONFIG_FB_NEOMAGIC is not set
# CONFIG_FB_KYRO is not set
# CONFIG_FB_3DFX is not set
# CONFIG_FB_VOODOO1 is not set
# CONFIG_FB_VT8623 is not set
# CONFIG_FB_TRIDENT is not set
# CONFIG_FB_ARK is not set
# CONFIG_FB_PM3 is not set
# CONFIG_FB_CARMINE is not set
# CONFIG_FB_SMSCUFX is not set
# CONFIG_FB_UDL is not set
# CONFIG_FB_IBM_GXT4500 is not set
# CONFIG_FB_VIRTUAL is not set
# CONFIG_FB_METRONOME is not set
# CONFIG_FB_MB862XX is not set
ENABLE THIS ->  # CONFIG_FB_SIMPLE is not set

Your config looks a little bit crude - is it a historical grown config (from one machine to the next machine) ?

You have many options enabled you really dont need ... or you dont use - on the other side you have many INSECURE settings. For this I recommend to visit this page: https://kernsec.org/wiki/index.php/Kern ... d_Settings



(If you have enaugh time, I recommend to do a complete new configuration, starting with the clean default configuration and only enabling options you really need)

[g-virus]

Omg, finally I got it working...

pietinger, you were right! There was a problem with FB. I suppose, for some reason EFI Framebuffer didn't work on my machine, or maybe there was a conflict with nvidia fb which I added for unknown reason >_< anyway, I did exactly what you told and now it works and even in native screen resolution! thank you very much for your ideas.

It is actually the default kernel configuration, I just made "make defconfig" and have disabled a couple of options. Could you point me what exactly is insecure?

mike155, I think intel's DRM is not necessary since I don't use Intel Graphics Card. I disabled it once I got the kernel working and it still works. Thank you for your help and assistance!

[pietinger]

Omg, finally I got it working... [...] thank you very much for your ideas.

My pleasure - you are welcome.

It is actually the default kernel configuration, I just made "make defconfig" and have disabled a couple of options. Could you point me what exactly is insecure?

Only one example - you have:

Code: Select all

CONFIG_MODIFY_LDT_SYSCALL=Y

I highly recommend to read the KSPP ...

... and after this take a look into /usr/src/linux/distro/Kconfig. Then take a look into our gentoo-setttings of your kernel config (->"make menuconfig" -> last line in main menu). Then you will see, we have two new options, you dont see NOW, because you have some options enabled. You will see the two new options only if some other options are disabled. Which ones ? This you will see in distro/Kconfig.

In other words: If you first disable all options recommended in KSPP, then you will have two new options. With these you can set all options which are also recommended in KSPP for enabling.


P.S.: Do you really use SELinux ? ->

Code: Select all

CONFIG_SECURITY_SELINUX=y

[g-virus]

Yes, I definitely don't use selinux . thank you for info, I will have a look at

[NeddySeagoon]

pietinger,

The 'z' toggle in menuconfig is your friend when you are looking for hidden options.
It works on any menu where 'z' is not a shortcut.

[pietinger]

Neddy,

thanks a lot and

many greetings,
Peter