[arch-general] Use Grub with Preloader
Hi all, I was reinstalling Arch after an unlucky SDD wipe due to warranty. I reinstalled Arch and then proceeded to use Secure Boot via Preloader. I followed the steps at: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secur... But I got an error from Grub saying: *error: verification requested but nobody cares* I decided to re-create the Grub binary with the TPM module via *grub-install --target=x86_64-efi --efi-directory=ESP_DIR --modules="tpm" --bootloader-id=BOOTLOADER* But that didn't do the trick. Do I have to do something peculiar in order to make Grub to work? Bests, -- Giovanni Santini Telegram: @ItachiSan Github: https://github.com/ItachiSan LinkedIn: https://www.linkedin.com/in/giovanni-santini/ Facebook: https://fb.me/giovanni.santini
Hi --sbat=/usr/share/grub/sbat.csv --modules="all_video boot btrfs cat configfile cryptodisk echo efi_gop efi_uga efifwsetup efinet ext2 f2fs fat font gcry_rijndael gcry_rsa gcry_serpent gcry_sha256 gcry_twofish gcry_whirlpool gfxmenu gfxterm gzio halt hfsplus http iso9660 loadenv loopback linux lvm lsefi lsefimmap luks luks2 mdraid09 mdraid1x minicmd net normal part_apple part_msdos part_gpt password_pbkdf2 pgp png reboot regexp search search_fs_uuid search_fs_file search_label serial sleep syslinuxcfg test tftp video xfs zstd backtrace chain tpm usb usbserial_common usbserial_pl2303 usbserial_ftdi usbserial_usbdebug keylayouts at_keyboard" These options are used for SB and if you want to use Secure Boot you need to use standalone grub, cause it is not allowed to load modules in Secure Boot mode. greetings tpowa Am Sa., 26. Feb. 2022 um 19:24 Uhr schrieb Giovanni Santini via arch-general <arch-general@lists.archlinux.org>:
Hi all,
I was reinstalling Arch after an unlucky SDD wipe due to warranty.
I reinstalled Arch and then proceeded to use Secure Boot via Preloader.
I followed the steps at:
https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secur...
But I got an error from Grub saying:
*error: verification requested but nobody cares*
I decided to re-create the Grub binary with the TPM module via
*grub-install --target=x86_64-efi --efi-directory=ESP_DIR --modules="tpm" --bootloader-id=BOOTLOADER*
But that didn't do the trick.
Do I have to do something peculiar in order to make Grub to work?
Bests,
-- Giovanni Santini
Telegram: @ItachiSan Github: https://github.com/ItachiSan LinkedIn: https://www.linkedin.com/in/giovanni-santini/ Facebook: https://fb.me/giovanni.santini
-- Tobias Powalowski Arch Linux Developer & Package Maintainer (tpowa) https://www.archlinux.org tpowa@archlinux.org St. Martin-Apotheke Herzog-Georg-Str. 25 89415 Lauingen https://www.st-martin-apo.de info@st-martin-apo.de
On Sat, Feb 26, 2022, 20:26 Tobias Powalowski via arch-general < arch-general@lists.archlinux.org> wrote:
Hi
--sbat=/usr/share/grub/sbat.csv --modules="all_video boot btrfs cat configfile cryptodisk echo efi_gop efi_uga efifwsetup efinet ext2 f2fs fat font gcry_rijndael gcry_rsa gcry_serpent gcry_sha256 gcry_twofish gcry_whirlpool gfxmenu gfxterm gzio halt hfsplus http iso9660 loadenv loopback linux lvm lsefi lsefimmap luks luks2 mdraid09 mdraid1x minicmd net normal part_apple part_msdos part_gpt password_pbkdf2 pgp png reboot regexp search search_fs_uuid search_fs_file search_label serial sleep syslinuxcfg test tftp video xfs zstd backtrace chain tpm usb usbserial_common usbserial_pl2303 usbserial_ftdi usbserial_usbdebug keylayouts at_keyboard"
These options are used for SB and if you want to use Secure Boot you need to use standalone grub, cause it is not allowed to load modules in Secure Boot mode. greetings tpowa
-- Tobias Powalowski Arch Linux Developer & Package Maintainer (tpowa) https://www.archlinux.org tpowa@archlinux.org
St. Martin-Apotheke Herzog-Georg-Str. 25 89415 Lauingen https://www.st-martin-apo.de info@st-martin-apo.de
Hey Tobias, Thanks for the input! Do I need to load all of those modules to make Grub happy? Also, do I need anything else than the correct `grub-install` command? I noticed in the UEFI SB ArchWiki it's mentioned to sign also the kernel. Bests, Giovanni
Hi all, On 2/26/22 20:26, Tobias Powalowski via arch-general wrote:
Hi
--sbat=/usr/share/grub/sbat.csv --modules="all_video boot btrfs cat configfile cryptodisk echo efi_gop efi_uga efifwsetup efinet ext2 f2fs fat font gcry_rijndael gcry_rsa gcry_serpent gcry_sha256 gcry_twofish gcry_whirlpool gfxmenu gfxterm gzio halt hfsplus http iso9660 loadenv loopback linux lvm lsefi lsefimmap luks luks2 mdraid09 mdraid1x minicmd net normal part_apple part_msdos part_gpt password_pbkdf2 pgp png reboot regexp search search_fs_uuid search_fs_file search_label serial sleep syslinuxcfg test tftp video xfs zstd backtrace chain tpm usb usbserial_common usbserial_pl2303 usbserial_ftdi usbserial_usbdebug keylayouts at_keyboard"
These options are used for SB and if you want to use Secure Boot you need to use standalone grub, cause it is not allowed to load modules in Secure Boot mode. greetings tpowa
I got everything up and running by rebuilding Grub with all the required modules. Do you believe my information would be good on the ArchWiki? As there is no section about Grub and Preloader. Bests, Giovanni
Hi, yes sure every verified working documented setup is good for others :) greetings tpowa Am Do., 3. März 2022 um 23:19 Uhr schrieb Giovanni Santini via arch-general <arch-general@lists.archlinux.org>:
Hi all,
On 2/26/22 20:26, Tobias Powalowski via arch-general wrote:
Hi
--sbat=/usr/share/grub/sbat.csv --modules="all_video boot btrfs cat configfile cryptodisk echo efi_gop efi_uga efifwsetup efinet ext2 f2fs fat font gcry_rijndael gcry_rsa gcry_serpent gcry_sha256 gcry_twofish gcry_whirlpool gfxmenu gfxterm gzio halt hfsplus http iso9660 loadenv loopback linux lvm lsefi lsefimmap luks luks2 mdraid09 mdraid1x minicmd net normal part_apple part_msdos part_gpt password_pbkdf2 pgp png reboot regexp search search_fs_uuid search_fs_file search_label serial sleep syslinuxcfg test tftp video xfs zstd backtrace chain tpm usb usbserial_common usbserial_pl2303 usbserial_ftdi usbserial_usbdebug keylayouts at_keyboard"
These options are used for SB and if you want to use Secure Boot you need to use standalone grub, cause it is not allowed to load modules in Secure Boot mode. greetings tpowa
I got everything up and running by rebuilding Grub with all the required modules.
Do you believe my information would be good on the ArchWiki? As there is no section about Grub and Preloader.
Bests,
Giovanni
-- Tobias Powalowski Arch Linux Developer & Package Maintainer (tpowa) https://www.archlinux.org tpowa@archlinux.org St. Martin-Apotheke Herzog-Georg-Str. 25 89415 Lauingen https://www.st-martin-apo.de info@st-martin-apo.de
participants (2)
-
Giovanni Santini
-
Tobias Powalowski