Unable to sign my kernel, how do I sign my kernel modules and receiving an error with grub #210
Comments
Grub requires modules being built into the bootloader and not sideloaded, along with some different flags. Please check the ArchWiki or the documentation your distribution has on this.
This error makes me think you have built your kernel without the required EFISTUB support. So effectively the kernel is not an EFI binary. But you need to check your distro and/or build options for that.
I compiled my kernel without EFISTUB support indeed, because I load the kernel via grub and disable everything that I do not need in my kernel, for size, performance and security reasons. This should solve the issue of not being able to sign the kernel. Will I be required to sign my kernel modules too (will my system fully load if I do not sign my kernel modules)?
Secure Boot and kernel module signing are two separate things. Your machine will boot regardless of what you do. However if you enable lockdown mode, or build with But since you build your own kernel it will just be guess work on my end what you support and don't support.
Thank you, I understand what I need to do here as I use the built-in key in the kernel for signing the kernel modules, which I will keep using then.
I'm running Gentoo, but from what I quickly understood from the Arch documentation, I basically need to use grub-mkstandalone to make a standalone EFI file if I'm correct?
Sounds correct. I don't use grub so you need to figure that out on your own.
What is the boot manager that I should be using to easily be able to generate bundles (including kernel cmd line arguments; that's all I'd need. I don't even use an initramfs except for microcode)? Does this happen to be systemd-boot (as this wouldn't be a problem, as I'm running Gentoo with systemd)?
I just use systemd-boot and am happy with that. You'll have to check if it fits your needs.
Hello all,
I'm using a Lenovo ThinkPad P52 and I've recently created keys using sbctl create-keys and sbctl enroll-keys -m (to include the Microsoft certificate), but I'm still unable to use secure boot. Whenever I try to boot with Secure Boot enabled my system loads grub, but only a recovery shell. It doesn't load the full grub menu and only shows a grub recovery console with the message: Error: Prohibited by Secure Boot policy. Whenever I turn Secure Boot off I'm able to boot my system just fine.
I've signed my boot loader, but I'm unable to sign my kernel or kernel modules.
When I try to sign my kernel using `sbctl sign -s` I'm receiving the following error:

```
/boot/kernel-6.1.19-gentoo: failed to fetch signatures slice: could not get datadirectory: couldn't parse PE file: unrecognized PE machine: 0x5ea.
```

When I try to sign a kernel module using `sbctl sign -s` I'm receiving the following error:

```
/lib/modules/6.1.19-gentoo/video/nvidia-modeset.ko: failed to fetch signatures slice: could not get datadirectory: couldn't parse PE file: unrecognized PE machine: 0x457f
```
Signing my UEFI binaries (grubx64 and fwupdmgr.efi) went fine, but whenever I try to boot my system with sec
```
sbctl verify
Verifying file database and EFI images in /boot...
✓ /boot/grub/x86_64-efi/core.efi is signed
✓ /boot/grub/x86_64-efi/grub.efi is signed
✓ /boot/EFI/gentoo/fwupdx64.efi is signed
✓ /boot/EFI/gentoo/grubx64.efi is signed
```

```
sbctl status
Installed: ✓ sbctl is installed
Owner GUID: f17ccc60-5ec8-4ea4-8cba-2c1a7f622458
Setup Mode: ✓ Disabled
Secure Boot: ✗ Disabled
Vendor Keys: microsoft
```
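The two "unrecognized PE machine" errors above both come from handing a file that is not a PE/COFF image to a tool that can only apply Authenticode (UEFI Secure Boot) signatures: a bzImage built without `CONFIG_EFI_STUB` has no MZ/PE header, and a `.ko` module is an ELF object whose signature is appended by the kernel's `sign-file`, not attached as a PE data directory. The following script is an added example, not code from sbctl or from anyone in this thread; it is a pre-check a maintainer might run before signing, and it does not reproduce sbctl's own parser. It classifies a file as PE, ELF or non-EFI bzImage using only public header layouts (the `MZ` stub with `e_lfanew` at offset 0x3c, the `PE\0\0` signature followed by the COFF Machine field, the Linux boot-protocol `HdrS` magic at offset 0x202, and the `~Module signature appended~\n` trailer the kernel uses for signed modules). The sample byte strings are constructed inline so it runs offline.

```python
import struct

# COFF Machine values that UEFI firmware on common platforms will load.
PE_MACHINE_NAMES = {0x8664: "x86-64", 0x014C: "i386", 0xAA64: "AArch64"}

# Trailer the kernel appends after an in-file module signature (see
# scripts/sign-file.c); its presence means sign-file already ran on the .ko.
MODULE_SIG_MAGIC = b"~Module signature appended~\n"


def classify_image(data: bytes) -> dict:
    """Report what kind of file this is and whether a Secure Boot
    (Authenticode) signature can be applied to it at all.

    Returns {'kind': 'pe'|'elf'|'bzimage'|'unknown', 'signable': bool,
             'detail': str}. Only a PE/COFF image is 'signable' here.
    """
    # Kernel module case from the issue: ELF magic, never a PE image.
    if data[:4] == b"\x7fELF":
        signed = data.endswith(MODULE_SIG_MAGIC)
        return {"kind": "elf", "signable": False,
                "detail": "ELF object (kernel module): %s; use the kernel's "
                          "sign-file, not an EFI signing tool"
                          % ("module signature already appended" if signed
                             else "no appended module signature")}

    # Kernel case from the issue: Linux boot header present, but no MZ stub,
    # so there is no PE structure to carry a signature.
    if len(data) > 0x206 and data[0x202:0x206] == b"HdrS" and data[:2] != b"MZ":
        return {"kind": "bzimage", "signable": False,
                "detail": "bzImage without EFI stub: rebuild the kernel with "
                          "CONFIG_EFI_STUB=y (or boot it via a signed loader)"}

    # PE/COFF: 'MZ' DOS header, e_lfanew at 0x3c points at 'PE\0\0', and the
    # 2-byte Machine field immediately follows that signature.
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if len(data) >= e_lfanew + 6 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
            name = PE_MACHINE_NAMES.get(machine)
            if name is None:
                return {"kind": "pe", "signable": False,
                        "detail": "PE with unrecognized machine 0x%x" % machine}
            return {"kind": "pe", "signable": True,
                    "detail": "PE/COFF image for %s: an EFI signing tool can "
                              "handle this" % name}

    return {"kind": "unknown", "signable": False, "detail": "not a PE image"}


# --- constructed sample inputs (not real files from the issue) -------------

def make_pe_sample(machine: int = 0x8664) -> bytes:
    """Minimal constructed PE header: MZ stub, e_lfanew -> 0x40, PE\\0\\0, Machine."""
    hdr = bytearray(0x48)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x44, machine)
    return bytes(hdr)


def make_bzimage_sample() -> bytes:
    """Constructed non-EFI bzImage: only the HdrS boot-protocol magic."""
    img = bytearray(0x210)
    img[0x202:0x206] = b"HdrS"
    return bytes(img)


def make_elf_sample(signed: bool = False) -> bytes:
    """Constructed ELF header prefix, optionally with the kernel's sig trailer."""
    body = b"\x7fELF\x02\x01\x01" + b"\x00" * 57
    return body + (b"\x00" * 12 + MODULE_SIG_MAGIC if signed else b"")


if __name__ == "__main__":
    for label, blob in [("efi-stub kernel", make_pe_sample()),
                        ("plain bzImage", make_bzimage_sample()),
                        ("unsigned .ko", make_elf_sample()),
                        ("signed .ko", make_elf_sample(signed=True))]:
        r = classify_image(blob)
        print("%-16s %-8s signable=%-5s %s" % (label, r["kind"], r["signable"], r["detail"]))
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes to `classify_image`; for large kernels only the first few kilobytes are needed for the PE and HdrS checks, but the module-signature trailer check needs the end of the file.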