Foxboron / sbctl

:computer: :lock: :key: Secure Boot key manager
MIT License

Unable to sign my kernel, how do I sign my kernel modules and receiving an error with grub #210

Closed nvaert1986 closed 1 year ago

nvaert1986 commented 1 year ago

Hello all,

I'm using a Lenovo ThinkPad P52 and I've recently created keys using sbctl create-keys and sbctl enroll-keys -m (to include the Microsoft certificate), but I'm still unable to use secure boot. Whenever I try to boot with Secure Boot enabled my system loads grub, but only a recovery shell. It doesn't load the full grub menu and only shows a grub recovery console with the message: Error: Prohibited by Secure Boot policy. Whenever I turn Secure Boot off I'm able to boot my system just fine.

I've signed my boot loader, but I'm unable to sign my kernel or kernel modules.

When I try to sign my kernel using sbctl sign -s I'm receiving the following error: /boot/kernel-6.1.19-gentoo: failed to fetch signatures slice: could not get datadirectory: couldn't parse PE file: unrecognized PE machine: 0x5ea.

When I try to sign a kernel module using sbctl sign -s I'm receiving the following error: /lib/modules/6.1.19-gentoo/video/nvidia-modeset.ko: failed to fetch signatures slice: could not get datadirectory: couldn't parse PE file: unrecognized PE machine: 0x457f

Signing my UEFI binaries (grubx64 and fwupdmgr.efi) went fine, but whenever I try to boot my system with sec

sbctl verify
Verifying file database and EFI images in /boot...
✓ /boot/grub/x86_64-efi/core.efi is signed
✓ /boot/grub/x86_64-efi/grub.efi is signed
✓ /boot/EFI/gentoo/fwupdx64.efi is signed
✓ /boot/EFI/gentoo/grubx64.efi is signed

sbctl status
Installed:    ✓ sbctl is installed
Owner GUID:   f17ccc60-5ec8-4ea4-8cba-2c1a7f622458
Setup Mode:   ✓ Disabled
Secure Boot:  ✗ Disabled
Vendor Keys:  microsoft

Foxboron commented 1 year ago

sbctl signs EFI executables; kernel modules use a different method, which is something the tool doesn't support.

Grub requires modules to be built into the bootloader and not sideloaded, along with some different flags. Please check the ArchWiki or the documentation your distribution has on this.

https://wiki.archlinux.org/title/GRUB#Secure_Boot_support

Foxboron commented 1 year ago

> When I try to sign my kernel using sbctl sign -s I'm receiving the following error: /boot/kernel-6.1.19-gentoo: failed to fetch signatures slice: could not get datadirectory: couldn't parse PE file: unrecognized PE machine: 0x5ea.

This error makes me think you have built your kernel without the required EFISTUB support. So effectively the kernel is not an EFI binary. But you need to check your distro and/or build options for that.
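Both errors in this thread come from sbctl's PE parser being handed something that is not a PE image, so a header check before running `sbctl sign` tells you which case you are in. When a file does not start with "MZ", the Go standard library's debug/pe parser (where the "unrecognized PE machine" text comes from) reads the COFF header from offset 0, so the reported machine is just the file's first two bytes: 0x457f is the ELF magic "\x7fE" of a .ko, and 0x5ea is the 16-bit jump at the start of a bzImage boot sector built without CONFIG_EFI_STUB. The script below is an added example, not part of sbctl or this issue; its sample images are constructed inline and the offsets are the standard PE and Linux boot-protocol ones.

```python
import struct, sys

# Constructed sample images (not real files): only the bytes the checks below look at.
def fake_pe(machine=0x8664, subsystem=10):
    buf = bytearray(0x40 + 4 + 20 + 70)            # DOS stub, "PE\0\0", COFF header, optional header
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)        # e_lfanew: where the PE signature lives
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x44, machine)     # COFF Machine field
    struct.pack_into("<H", buf, 0x58, 0x20B)       # optional header magic (PE32+)
    struct.pack_into("<H", buf, 0x58 + 68, subsystem)  # Subsystem: 10 = EFI application
    return bytes(buf)

FAKE_EFI = fake_pe()
FAKE_KO = b"\x7fELF" + bytes(60)                                      # how every .ko starts
FAKE_BZIMAGE = bytes([0xEA, 0x05, 0x00, 0xC0, 0x07]) + bytes(0x202 - 5) + b"HdrS" + bytes(16)

PE_MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0xAA64: "aarch64"}
EFI_SUBSYSTEMS = {10: "EFI application", 11: "EFI boot service driver", 12: "EFI runtime driver"}

def first_word_as_machine(data: bytes) -> str:
    """What a PE parser that finds no 'MZ' reports as the machine: the first two bytes, little-endian."""
    return hex(struct.unpack_from("<H", data, 0)[0])

def classify(data: bytes) -> dict:
    """Say what kind of image this is and whether it is an EFI PE binary that sbctl can sign."""
    if data[:2] == b"MZ":
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            return {"kind": "unknown", "signable": False, "reason": "MZ stub without PE signature"}
        machine = struct.unpack_from("<H", data, pe_off + 4)[0]
        opt = pe_off + 24                                    # optional header follows the 20-byte COFF header
        subsystem = struct.unpack_from("<H", data, opt + 68)[0]
        return {"kind": "pe", "machine": PE_MACHINES.get(machine, hex(machine)),
                "subsystem": EFI_SUBSYSTEMS.get(subsystem, subsystem),
                "signable": machine in PE_MACHINES and subsystem in EFI_SUBSYSTEMS}
    if data[:4] == b"\x7fELF":
        return {"kind": "elf", "signable": False,
                "reason": "ELF object (a .ko is one): module signing uses the kernel's sign-file, not sbctl"}
    if data[0x202:0x206] == b"HdrS":
        return {"kind": "bzimage", "signable": False,
                "reason": "bzImage built without CONFIG_EFI_STUB: there is no PE header to sign"}
    return {"kind": "unknown", "signable": False, "reason": "no recognised header"}

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        print(path, classify(blob), "parser would see machine", first_word_as_machine(blob))
```

Run it against /boot/kernel-6.1.19-gentoo and a .ko to reproduce the two machine values from the error messages and see why neither file is signable with sbctl.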

nvaert1986 commented 1 year ago

I compiled my kernel without EFISTUB support indeed, because I load the kernel via grub and disable everything that I do not need in my kernel, for size, performance and security reasons. This should solve the issue of not being able to sign the kernel. Will I be required to sign my kernel modules too (will my system fully load if I do not sign my kernel modules)?

Foxboron commented 1 year ago

Secure Boot and kernel module signing are two separate things. Your machine will boot regardless of what you do.

However if you enable lockdown mode, or build with CONFIG_IMA_ARCH_POLICY, the kernel will demand signed modules. This can only be achieved by controlling the built-in key in the kernel or using a shim to load a MOK into the keyring of the kernel.

But since you build your own kernel it will just be guess work on my end what you support and don't support.

nvaert1986 commented 1 year ago

> Secure Boot and kernel module signing are two separate things. Your machine will boot regardless of what you do.
>
> However if you enable lockdown mode, or build with CONFIG_IMA_ARCH_POLICY, the kernel will demand signed modules. This can only be achieved by controlling the built-in key in the kernel or using a shim to load a MOK into the keyring of the kernel.
>
> But since you build your own kernel it will just be guess work on my end what you support and don't support.

Thank you, I understand what I need to do here as I use the built-in key in the kernel for signing the kernel modules, which I will keep using then.

nvaert1986 commented 1 year ago

>> When I try to sign my kernel using sbctl sign -s I'm receiving the following error: /boot/kernel-6.1.19-gentoo: failed to fetch signatures slice: could not get datadirectory: couldn't parse PE file: unrecognized PE machine: 0x5ea.
>
> This error makes me think you have built your kernel without the required EFISTUB support. So effectively the kernel is not an EFI binary. But you need to check your distro and/or build options for that.

I'm running Gentoo, but from what I quickly understood from the Arch documentation, I basically need to use grub-mkstandalone to make a standalone EFI file if I'm correct?

Foxboron commented 1 year ago

> I'm running Gentoo, but from what I quickly understood from the Arch documentation, I basically need to use grub-mkstandalone to make a standalone EFI file if I'm correct?

Sounds correct. I don't use grub so you need to figure that out on your own.

nvaert1986 commented 1 year ago

>> I'm running Gentoo, but from what I quickly understood from the Arch documentation, I basically need to use grub-mkstandalone to make a standalone EFI file if I'm correct?
>
> Sounds correct. I don't use grub so you need to figure that out on your own.

What is the boot manager that I should be using to easily be able to generate bundles (including kernel cmd line arguments; that's all I'd need. I don't even use an initramfs except for microcode)? Does this happen to be systemd-boot (as this wouldn't be a problem, as I'm running gentoo with systemd)?

Foxboron commented 1 year ago

I just use systemd-boot and am happy with that. You'll have to check if it fits your needs.