I have a Wake-on-LAN situation where I'd like GRUB to make a network request to decide "should I boot Windows?", perhaps by load_env (http,192.168.1.123)/grubenv (so I can write that file just before waking the machine). Unfortunately the default Ubuntu-signed GRUB lacks modules such as http and tftp, and with Secure Boot on, it will refuse to load them from disk.
So I thought enrolling a MOK and signing a standalone version of GRUB would be a solution, but I'm getting a blue text-mode dialog that I believe comes from the shim, saying:
Verification failed: (0x1A) Security Violation
There are subsequent "Shim UEFI key management" dialogs through which I can enroll the hash of grubx64.efi, but weirdly, having done that, I still get the same result on the next boot, and the presented hash did not match a direct sha256sum of grubx64.efi or any other file in /boot/efi.
My MOK has "X509v3 Extended Key Usage: Code Signing, 1.3.6.1.4.1.311.10.3.6" i.e. does not have the "1.3.6.1.4.1.2312.16.1.2" ID like the distro-generated ones which would restrict it to kernel-module signing.
Here's what I did:
# cat >grub-initial.cfg <<EOF
search.fs_uuid [……/boot uuid……] root
set prefix=($root)/grub
configfile $prefix/grub.cfg
EOF
# MODULES="tpm part_gpt lvm ext2 fat chain linux efifwsetup \
efi_uga efi_gop efinet configfile normal gzio gfxterm ls cat \
test echo http gfxterm_background png gfxterm_menu gfxmenu \
sleep videoinfo gettext loadenv search luks password_pbkdf2 \
extcmd terminal play linuxefi search_fs_uuid search_label \
search_fs_file regexp reboot halt memdisk lsefi"
# grub-mkstandalone --compress=xz -O x86_64-efi -o grubx64.unsigned \
--install-modules="$MODULES" --modules="$MODULES" --themes="" \
--locales="en@quot" boot/grub/grub.cfg=grub-initial.cfg
# sbsign --key /etc/keys/MOK.priv --cert /etc/keys/MOK.pem \
--output grubx64.efi grubx64.unsigned
# mokutil --test-key /etc/keys/MOK.der
/etc/keys/MOK.der is already enrolled
# sbverify --cert /etc/keys/MOK.pem /boot/efi/EFI/bifrost/grubx64.efi
Signature verification OK
# mkdir /boot/efi/EFI/bifrost
# cp grubx64.efi /boot/efi/EFI/bifrost/
# cp /boot/efi/EFI/ubuntu/{shimx64.efi,mmx64.efi} /boot/efi/EFI/bifrost/
# efibootmgr -c -d /dev/nvme0n1p1 -L "bifrost auto select" -l "\EFI\bifrost\shimx64.efi"
# efibootmgr -v
[…]
Boot0001* bifrost auto select HD(1,GPT,[……ESP uuid……],0x800,0x82000)/File(\EFI\BIFROST\SHIMX64.EFI)
Boot0002* ubuntu HD(1,GPT,[……ESP uuid……],0x800,0x82000)/File(\EFI\UBUNTU\SHIMX64.EFI)..BO
[…]
...and then reboot and manually choose the new boot entry, for now.
What I think is happening:
- When booting stock GRUB: Boot0002 -> Ubuntu shim -> Ubuntu GRUB -> Linux or Windows
- When booting local GRUB: Boot0001 -> copy of Ubuntu shim -> rejects my GRUB, but I don't know why
Possible theories:
- I'm somehow booting some other shim somewhere?
- The copied Ubuntu shim is trying to boot something other than the grubx64.efi next to it?
- The copied Ubuntu shim is somehow expecting different keys from what mokutil is looking at?
- …or, most likely, I've misunderstood something.