Kernel 5.15.89-1 does not build into a valid EFI file with the sbctl or objcopy utility (Secure Boot EFI)

This is about creating a monolithic kernel as an EFI file. The file is created, but the motherboard BIOS refuses to run it. sbsign refuses to sign such a file. If I replace the kernel, initramfs and versions sections in the last EFI file, that file is signed, but it still won’t start. I am fine with version 5.15.85-1. MSI B450M PRO-VDH MAX.

Recheck your EFI motherboard.

For me the option is to run only in UEFI mode with SecureBoot and with my own PK, KEK, db installed. I’m sorry, apparently I’ve been misunderstood here. I’m not trying to start the system on a new kernel, I’m just reporting an error. If I wrote this in the wrong place, please tell me where to do it.

See the wiki:
https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot

$ sudo sbctl bundle \
  --amducode /boot/amd-ucode.img \
  --splash-img /usr/share/systemd/bootctl/splash-manjaro.bmp \
  --cmdline /etc/kernel/cmdline \
  --efi-stub /usr/lib/systemd/boot/efi/linuxx64.efi.stub \
  --esp /boot/efi \
  --initramfs /boot/initramfs-5.15-x86_64.img \
  --kernel-img /boot/vmlinuz-5.15-x86_64 \
  --os-release /usr/lib/os-release \
  --save /boot/efi/efi/manjaro/unsigned.efi

[sudo] password darkprof: 
Wrote EFI bundle /boot/efi/efi/manjaro/unsigned.efi
$ sudo sbctl sign --save -o /boot/efi/efi/manjaro/signed.efi /boot/efi/efi/manjaro/unsigned.efi
failed to parse key: asn1: structure error: tags don't match (2 vs {class:0 tag:16 length:78 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} int @2
$ sudo sbsign --key /usr/share/secureboot/keys/db/db.key --cert /usr/share/secureboot/keys/db/db.pem --output /boot/efi/efi/manjaro/signed.efi /boot/efi/efi/manjaro/unsigned.efi
warning: data remaining[20203008 vs 20210367]: gaps between PE/COFF sections?
warning: data remaining[20203008 vs 20210368]: gaps between PE/COFF sections?
Enter PEM pass phrase:
Signing Unsigned original image
$ sudo sbctl verify
...
failed to verify file /boot/efi/efi/manjaro/signed.efi: /boot/efi/efi/manjaro/signed.efi: failed to fetch signatures slice: could not get datadirectory: couldn't parse PE file: fail to read string table length: EOF
...
$ sudo sbverify --cert /usr/share/secureboot/keys/db/db.pem /boot/efi/efi/manjaro/signed.efi 
zsh: segmentation fault  sudo sbverify --cert /usr/share/secureboot/keys/db/db.pem
$ sudo ls -al /boot/efi/efi/manjaro/signed.efi
-rwx------ 1 root root 9936896 Jan 30 17:08 /boot/efi/efi/manjaro/signed.efi
$ sudo sbctl import-keys --db-key /usr/share/secureboot/keys/db/db.key --db-cert /usr/share/secureboot/keys/db/db.pem
invalid private key file
$ sudo sbsign --key /usr/share/secureboot/keys/db/db.key --cert /usr/share/secureboot/keys/db/db.pem --output /boot/efi/efi/manjaro/vmlinuz-5.15-x86_64.efi /boot/vmlinuz-5.15-x86_64
Enter PEM pass phrase:
Signing Unsigned original image
$ sudo sbverify --cert /usr/share/secureboot/keys/db/db.pem /boot/efi/efi/manjaro/vmlinuz-5.15-x86_64.efi
file is too small for DOS header
Can't open image /boot/efi/efi/manjaro/vmlinuz-5.15-x86_64.efi

I do not know why I do not like the key, so I can only show the sbsign and sbverify output

  • Problem solved in kernel version 5.15.91
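
An added example, not part of the thread and not code from sbctl or sbsigntools: a structural check to run on a unified kernel image before signing or enrolling it, flagging the kinds of conditions the tools report above (no DOS header, section data or COFF string table past end of file) and, going beyond the thread, sections that overlap in memory. `check_pe_layout` and `build_sample` are hypothetical names, and the sample image is constructed.

```python
import struct

def check_pe_layout(data: bytes) -> list:
    """Return structural problems found in a PE/COFF image (empty list = none found)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ["no DOS header (too small or missing MZ magic)"]
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return ["PE signature not found at e_lfanew"]
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, _, symtab, nsyms, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    table = pe_off + 24 + opt_size
    if table + 40 * nsect > len(data):
        return ["section table runs past end of file"]
    problems, spans = [], []
    # The COFF string table follows the symbol table (18 bytes per symbol) and
    # starts with a 4-byte length; a parser following this pointer needs it in the file.
    if symtab and symtab + 18 * nsyms + 4 > len(data):
        problems.append("COFF string table lies past end of file")
    for i in range(nsect):
        hdr = table + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, hdr + 8)
        if rsize and rptr + rsize > len(data):
            problems.append(f"{name}: raw data ends at {rptr + rsize}, file has {len(data)} bytes")
        spans.append((vaddr, vaddr + max(vsize, rsize), name))
    spans.sort()
    for (_, end, a), (start, _, b) in zip(spans, spans[1:]):
        if start < end:
            problems.append(f"{a} and {b} overlap in memory")
    return problems

def build_sample(sections, pad_to):
    """Constructed test image: DOS stub + COFF header + section table, no real code."""
    img = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40))
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0)
    for name, vaddr, vsize, rptr, rsize in sections:
        img += name.encode().ljust(8, b"\0") + struct.pack("<IIII", vsize, vaddr, rsize, rptr) + bytes(16)
    return bytes(img.ljust(pad_to, b"\0"))

if __name__ == "__main__":
    good = build_sample([(".linux", 0x2000, 0x400, 0x200, 0x400),
                         (".initrd", 0x3000, 0x400, 0x600, 0x400)], 0xA00)
    print(check_pe_layout(good))          # intact constructed image
    print(check_pe_layout(good[:0x700]))  # same image cut short, as a failed write would leave it
```

On a real system the input would be the bundle's bytes, for example `check_pe_layout(open(path, "rb").read())`, run on both the unsigned and the signed file so a size or layout change introduced by signing shows up.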
