GRUB fails to load with shim and secure boot enabled

Hello everyone,

I have installed Manjaro 21 on a Surface Go with Secure Boot disabled as a dual-boot system with Windows. To be able to use BitLocker on Windows (I don't need to access the files from Manjaro because there is an additional SD card) I want to enable Secure Boot again. I followed the instructions for the linux-surface kernel on the corresponding GitHub page (linux-surface/linux-surface -> wiki) and in the Arch wiki (UEFI -> Secure Boot -> shim).
The MOK is created and I have a .crt, .cer and .key file. Then grubx64.efi is signed with the key, as well as the default Manjaro Linux kernel vmlinuz-5.10-x86_64. The certificate is also added to MokManager.
If I check the signature with

$ sbverify --cert MOK.crt /boot/efi/EFI/Manjaro/grubx64.efi
Signature verification OK
$ sbverify --cert MOK.crt /boot/vmlinuz-5.10-x86_64
Signature verification OK

and mokutil --list-enrolled lists my key. The EFI entry is created with efibootmgr --verbose --disk /dev/mmcblk0 --part 5 --create --label "Shim" --loader /EFI/Manjar/bootx64.efi.

If I activate Secure Boot, GRUB drops into rescue mode with the following output:

error: verification requested but nobody cares: (hd0,gpt7)/boot/grub/x86_64/normal.mod
Entering rescue mode...
grub rescue>

When deactivating further validation of Secure Boot constraints (mokutil --disable-validation) and nevertheless activating Secure Boot in UEFI, booting with shim works. It seems like the GRUB modules are not signed or cannot be loaded.

Updating the GRUB configuration with sudo grub-mkconfig -o /boot/grub/grub.cfg did not help. If it were possible to activate Secure Boot only for Windows and skip the validation for Linux, that would be fine for the moment. The best solution would be to make Secure Boot work for the whole device, since it is very portable and this means there are additional security concerns.

Looking forward to some suggestions from you!

1 Like

Not allowed to post links on here (maybe because I'm a new account?), so I'll just copy my post from GRUB issue #60211, which describes exactly this problem, as it seems to be an issue with GRUB (or maybe there is something missing from the Arch wiki post about using your own keys without shim).

Adding the tpm module to the core image via --modules="tpm" on grub-install enabled me to get into GRUB without said error.

When selecting my signed kernel to boot I got an error stating "shim_lock protocol not found".

After once again running grub-install, this time with both --modules="tpm" and --disable-shim-lock, I was able to successfully boot with Secure Boot enabled.

Still not really sure why tpm changes anything in the first place and how to properly do it without shim.

2 Likes

Same problem here, would like to try your method, but which grub-install command did you use? I tried grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=manjaro --modules="tpm" --disable-shim-lock but I have no EFI partition in here.

1 Like

@theking2 If you're so concerned about security you should've read the respective Arch wiki page on how to set up Secure Boot manually, without asking questions and whining. It's possible and doable on a per-user basis.

Honestly, this kind of arrogance is astonishing. Are you saying that the user shouldn't expect a distro which advertises itself as "user friendly" to have some basics out of the box? Have you actually gone through the Arch Wiki and tried to set up Secure Boot for GRUB 2.06 and realized it's actually lacking some pretty important information regarding the latest update right now? Please, instead of talking trash, actually provide an answer, or if you don't know it, don't talk.

Most of the other major non-DIY distributions actually do support Secure Boot using a signed shim by default. Just off the top of my head: Fedora, RHEL, openSUSE, SUSE, Debian, Ubuntu all support it. It is perfectly reasonable for a user to expect a distribution which seeks to provide an easy out-of-the-box experience to have such a basic and common security measure enabled. After all, Manjaro isn't Arch, is it?

As for the other posts by other users, a few things actually changed with GRUB 2.06 that I don’t see mentioned on the Arch wiki yet:

  1. It seems to expect to be chainloaded by shim to do Secure Boot by default. Thus, if you are using your own keys (no shim and MOK involved), you need to add --disable-shim-lock to tell it not to use shim. Needless to say, do not add this flag if you are chainloading it with shim (either the signed shim or a shim you sign yourself). This is mentioned in the official GRUB documentation.

  2. GRUB 2.06 will no longer sideload modules like 2.04 does if Secure Boot is enabled. That means you need to build GRUB using grub-install with all of the necessary modules before signing it. From forum posts, it seems that GRUB is using tpm.mod to perform verification. I have tested it on my Arch install and it does indeed seem to be the case (you will get "Verification requested but nobody cares" as soon as it tries to load the kernel without it). So, be sure to add --modules="tpm" when building your GRUB so that it can perform verification.

  3. One caveat to what I mentioned in 2. is that if you include tpm.mod and enable the TPM module in your firmware, it will attempt to do Measured Boot as well. This may break things like grub-btrfs. The workaround for this is to include tpm.mod in your GRUB build but disable the TPM module in your firmware.

I actually haven't found a solution to have the TPM module enabled while doing Secure Boot and not break grub-btrfs yet. Maybe I need to look into setting up measured boot? I would really appreciate it if someone could share some info about this issue as well.

1 Like
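The grub-install, sbsign/sbverify and efibootmgr steps that the two posts above (the "--modules=tpm plus --disable-shim-lock" report and the three numbered points on GRUB 2.06) describe in prose, gathered into one script. This is an added example, not code from the thread, from GRUB or from Manjaro. The MOK key and certificate paths, the ESP mount point, the bootloader id "manjaro" and the kernel file name are assumptions; the module list beyond "tpm" is a typical set for a GPT/FAT/ext2 layout, not something the thread prescribes. In shim mode it assumes shimx64.efi and mmx64.efi have already been copied next to grubx64.efi.

```shell
#!/bin/sh
# Added example (not from the thread, GRUB or Manjaro): rebuild GRUB 2.06 with
# the tpm verifier embedded, sign it and the kernel with the MOK, and register
# the matching boot entry. Every path below is an assumption; adjust it.
set -eu

MOK_KEY="${MOK_KEY:-/etc/secureboot/MOK.key}"   # assumed MOK private key
MOK_CRT="${MOK_CRT:-/etc/secureboot/MOK.crt}"   # assumed MOK certificate (PEM)
ESP="${ESP:-/boot/efi}"                         # assumed ESP mount point
BOOT_ID="${BOOT_ID:-manjaro}"                   # --bootloader-id, i.e. /EFI/<id>/
KERNEL="${KERNEL:-/boot/vmlinuz-5.10-x86_64}"   # assumed kernel image to sign

# Under Secure Boot GRUB 2.06 refuses to sideload .mod files from the ESP, so
# everything needed to reach the kernel must be in the core image. "tpm" is the
# module that registers the verifier; without it GRUB prints
# "verification requested but nobody cares". Guarantee it is in the list.
with_tpm_module() {
    [ -z "$1" ] && { printf 'tpm\n'; return 0; }
    for m in $1; do
        [ "$m" = tpm ] && { printf '%s\n' "$1"; return 0; }
    done
    printf '%s tpm\n' "$1"
}

# shim   : shim chainloads grubx64.efi and GRUB verifies the kernel via shim_lock
# noshim : grubx64.efi is signed with a key enrolled in db; shim_lock must be off,
#          otherwise GRUB fails with "shim_lock protocol not found"
shim_lock_flag() {
    case "$1" in
        shim)   printf '\n' ;;
        noshim) printf -- '--disable-shim-lock\n' ;;
        *)      printf 'mode must be shim or noshim\n' >&2; return 2 ;;
    esac
}

# Loader the firmware entry must point at: shim first when shim is in the chain.
loader_for() {
    case "$1" in
        shim)   printf '/EFI/%s/shimx64.efi\n' "$BOOT_ID" ;;
        noshim) printf '/EFI/%s/grubx64.efi\n' "$BOOT_ID" ;;
        *)      return 2 ;;
    esac
}

install_grub() {
    mode="$1"
    modules=$(with_tpm_module "${2:-linux normal configfile search search_fs_uuid part_gpt fat ext2}")
    set -- --target=x86_64-efi --efi-directory="$ESP" --bootloader-id="$BOOT_ID" --modules="$modules"
    flag=$(shim_lock_flag "$mode")
    [ -n "$flag" ] && set -- "$@" "$flag"
    grub-install "$@"
}

# Sign in place, then refuse to continue unless sbverify accepts the result.
sign_file() {
    sbsign --key "$MOK_KEY" --cert "$MOK_CRT" --output "$1.signed" "$1"
    mv "$1.signed" "$1"
    sbverify --cert "$MOK_CRT" "$1"
}

register_boot_entry() {
    mode="$1"; disk="$2"; part="$3"
    efibootmgr --create --disk "$disk" --part "$part" --label "GRUB ($mode)" \
        --loader "$(loader_for "$mode")"
}

# Only act when explicitly asked, e.g.: SB_APPLY=1 sh sb-grub.sh shim /dev/mmcblk0 5
if [ "${SB_APPLY:-0}" = 1 ]; then
    mode="${1:?shim|noshim}"; disk="${2:?disk}"; part="${3:?ESP partition number}"
    install_grub "$mode"
    sign_file "$ESP/EFI/$BOOT_ID/grubx64.efi"
    sign_file "$KERNEL"
    register_boot_entry "$mode" "$disk" "$part"
fi
```

Re-run the script after every GRUB package update: a new grubx64.efi replaces the signed one and drops the embedded modules, which brings the "nobody cares" error back. The script does not touch the firmware TPM setting discussed in point 3, so measured-boot side effects on grub-btrfs remain as described there.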

Before talking about arrogance, consider that this is your ignorance. Manjaro never claimed it is compatible with Secure Boot. On the contrary, all its developers have always said they do not plan to support that. End of story.
It's not that I disagree that Manjaro should support SB out of the box, but it's their choice, take it or leave it. Whining makes no sense.
That was my point when answering the user who posted a reply here that was flagged as off-topic. I never pretended I know the solution for this thread. But options exist anyway: nuke GRUB, install systemd-boot, sign it and the kernel with your keys, automate this with hooks and forget about this hassle forever.

OP was looking for advice on his setup.
This is not a discussion on Manjaro’s Secure Boot support. Closing this thread.
I’ll leave the decision to reopen this to the other Moderators.