When I launch Ubuntu 20.04.1 (KDE) with Manjaro’s grub, I get the following errors :
EFI: Problem loading in-kernel X.509 certificate (-65)
ima: error communicating to tpm chip
ima: error communicating to tpm chip
ima: error communicating to tpm chip
ima: error communicating to tpm chip
ima: error communicating to tpm chip
This doesn’t happen when I use Ubuntu’s grub.
I use an IdeaPad L340. I’m not sure this is the right place to post this (the grub issue tracker, maybe?). Also, please tell me the info you need. I’m not on Manjaro right now, so I cannot give you versions, but it was up to date about two weeks ago, for reference.
Thanks for your help
Wollie
9 September 2020 19:29
2
Welcome at the forum!
Is Secure Boot disabled in your firmware?
Yes it is, otherwise Manjaro’s grub wouldn’t even boot.
Wollie
9 September 2020 19:45
4
I guess you need to change some setting in your firmware.
Check if you have something like Configuration->Onboard Devices and changed the Trusted Platform Module from Disabled to Enabled or otherwise around.
But first, better make yourself familar with that feature:
https://wiki.archlinux.org/index.php/Trusted_Platform_Module
About that, IIRC, the only relevant setting in the BIOS is Intel Platform Trust Technology (PTT), which has always been on.
Everything somewhat related to the issue :
dmesg output excerpt (couldn’t keep the colours in) :
[ 0.850026] Loading compiled-in X.509 certificates
[ 0.851445] Loaded X.509 cert 'Build time autogenerated kernel key: 9e1aeb581c5145b0cc48f50fdf6e09edec23120f'
[ 0.851464] zswap: loaded using pool lzo/zbud
[ 0.851527] Key type ._fscrypt registered
[ 0.851527] Key type .fscrypt registered
[ 0.856954] Key type big_key registered
[ 0.856957] Key type trusted registered
[ 0.859762] Key type encrypted registered
[ 0.859765] AppArmor: AppArmor sha1 policy hashing enabled
[ 0.861716] integrity: Loading X.509 certificate: UEFI:db
[ 0.861748] integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
[ 0.861748] integrity: Loading X.509 certificate: UEFI:db
[ 0.861761] integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
[ 0.861762] integrity: Loading X.509 certificate: UEFI:db
[ 0.861763] integrity: Problem loading X.509 certificate -65
[ 0.861778] Error adding keys to platform keyring UEFI:db
[ 0.864068] ima: Allocated hash algorithm: sha1
[ 0.879886] ima: Error Communicating to TPM chip
[ 0.895883] ima: Error Communicating to TPM chip
[ 0.911890] ima: Error Communicating to TPM chip
[ 0.927896] ima: Error Communicating to TPM chip
[ 0.943891] ima: Error Communicating to TPM chip
[ 0.959900] ima: Error Communicating to TPM chip
[ 0.975889] ima: Error Communicating to TPM chip
[ 0.991892] ima: Error Communicating to TPM chip
[ 1.011891] ima: No architecture policies found
[ 1.011910] evm: Initialising EVM extended attributes:
[ 1.011911] evm: security.selinux
[ 1.011912] evm: security.SMACK64
[ 1.011912] evm: security.SMACK64EXEC
[ 1.011913] evm: security.SMACK64TRANSMUTE
[ 1.011913] evm: security.SMACK64MMAP
[ 1.011913] evm: security.apparmor
[ 1.011914] evm: security.ima
[ 1.011914] evm: security.capability
[ 1.011915] evm: HMAC attrs: 0x1
$ grub-install -V
grub-install (GRUB) 2.04~manjaro
BIOS Settings:
Intel(R) Virtualization Technology [Enabled]
Intel (R) Hyper - Threading Technology [Enabled]
BIOS Back Flash [Disabled]
HotKey Mode [Disabled]
DPTF [Enabled]
System Performance Mode [Quiet]
Intel Platform Trust Technology [Enabled]
Secure Boot [Disabled]
Secure Boot Status Disabled
Platform Mode User Mode
Secure Boot Mode Standard