SBUPDATE cannot open: /usr/share/systemd/bootctl/splash-arch.bmp

Well of course you didn’t have a success. sbupdate's default config is written for Arch, not Manjaro.
Refer to mine if you still want it working:

/etc/sbupdate
# Configuration file for sbupdate
#
# Commented-out variables show default values.

# Common settings
#
# KEY_DIR          Directory with the custom Secure Boot keys
# ESP_DIR          EFI System Partition location
# OUT_DIR          Relative path on ESP for signed kernel images
# SPLASH           Splash image file. Use "/dev/null" to disable splash.
# BACKUP           Whether to back up old signed kernel images
# EXTRA_SIGN       An array of additional files to sign
# CMDLINE_DEFAULT  Default kernel command line (REQUIRED)

#KEY_DIR="/var/lib/efikeys"
ESP_DIR="/efi"
OUT_DIR="EFI/Linux"
#SPLASH="/usr/share/systemd/bootctl/splash-manjaro.bmp"
SPLASH="/sys/firmware/acpi/bgrt/image"
#SPLASH="/dev/null"
BACKUP=0
EXTRA_SIGN=('/efi/EFI/BOOT/BOOTX64.EFI' '/efi/EFI/systemd/systemd-bootx64.efi')
CMDLINE_DEFAULT="tpmkey=/dev/sda1:/keyfile:0x81020001 tpmpcr=sha1:0,5,7 cryptdevice=UUID=b0e5b37c-75c7-4b81-bea6-52f9121f4304:cryptlvm:allow-discards ro quiet splash audit=0 apparmor=1 security=apparmor systemd.show_status=auto random.trust_cpu=on nmi_watchdog=0 snd_hda_codec_hdmi.enable_silent_stream=0 video=HDMI-1:1920x1080@70 video=DP-1:1920x1080@70 video=HDMI-A-1:1920x1080@70 rootfstype=ext4 root=/dev/reiwa/root resume=/dev/reiwa/swap"

CMDLINE["5.13-x86_64-nvidia"]="optimus-manager.startup=nvidia nvidia-drm.modeset=1 tpmkey=/dev/sda1:/keyfile:0x81020001 tpmpcr=sha1:0,5,7 cryptdevice=UUID=b0e5b37c-75c7-4b81-bea6-52f9121f4304:cryptlvm:allow-discards ro quiet splash audit=0 apparmor=1 security=apparmor systemd.show_status=auto random.trust_cpu=on nmi_watchdog=0 snd_hda_codec_hdmi.enable_silent_stream=0 video=HDMI-1:1920x1080@70 video=DP-1:1920x1080@70 video=HDMI-A-1:1920x1080@70 rootfstype=ext4 root=/dev/reiwa/root resume=/dev/reiwa/swap"

CMDLINE["5.13-x86_64-systemd"]="quiet splash audit=0 apparmor=1 security=apparmor systemd.show_status=auto random.trust_cpu=on nmi_watchdog=0 snd_hda_codec_hdmi.enable_silent_stream=0 video=HDMI-1:1920x1080@70 video=DP-1:1920x1080@70 video=HDMI-A-1:1920x1080@70 rootfstype=ext4 root=/dev/reiwa/root resume=/dev/reiwa/swap"

CONFIGS["5.10-x86_64"]="5.10-x86_64 5.10-x86_64-fallback"

#CONFIGS["5.13-x86_64"]="5.13-x86_64 5.13-x86_64-nvidia 5.13-x86_64-systemd"

# Per-kernel configuration
#
# For each kernel <NAME> the following optional settings may be added:
#
#   CMDLINE[<NAME>]="..."  # Alternative kernel command line
#                          # Default value: ${CMDLINE_DEFAULT}
#   INITRD[<NAME>]="..."   # Alternative initramfs file
#                          # Default value: /boot/initramfs-<NAME>.img
#
# Each kernel can be mapped to multiple configs using the CONFIGS
# variable, in which case CMDLINE and INITRD are set per config.
#
# Examples:
#   CMDLINE["linux-lts"]="custom command line"
#   INITRD["linux-lts"]="/boot/initramfs-linux-custom.img"
#
#   # Generates variants with default and fallback initramfs
#   CONFIGS["linux"]="linux linux-fallback"
#
# Note: Intel and AMD microcode updates are handled automatically and
# do not need to be specified in INITRD.

It doesn’t mean you need to just copy-paste. Read before you do.
I’m writing it because you blindly copy-pasted before from the how-to I referred to in another thread:

Thank you for the .conf file. It helped me better understand what to do. Actually, I read the article, and I was a bit lazy and saw that the flag was -subj for openssl and it was just a description so I did not change "/CN=sakaki's platform key/".
I have changed my .conf file to:

# Configuration file for sbupdate
#
# Commented-out variables show default values.

# Common settings
#
# KEY_DIR          Directory with the custom Secure Boot keys
# ESP_DIR          EFI System Partition location
# OUT_DIR          Relative path on ESP for signed kernel images
# SPLASH           Splash image file. Use "/dev/null" to disable splash.
# BACKUP           Whether to back up old signed kernel images
# EXTRA_SIGN       An array of additional files to sign
# CMDLINE_DEFAULT  Default kernel command line (REQUIRED)

KEY_DIR="/etc/efikeys"
#ESP_DIR="/boot"
OUT_DIR="EFI/Linux"
SPLASH="/usr/share/systemd/bootctl/splash-manjaro.bmp"
BACKUP=0
EXTRA_SIGN=('/boot/efi/EFI/Manjaro/grubx64.efi' '/boot/efi/EFI/boot/bootx64.efi')
CMDLINE_DEFAULT="quiet apparmor=1 security=apparmor udev.log_priority=3"

# Per-kernel configuration
#
# For each kernel <NAME> the following optional settings may be added:
#
#   CMDLINE[<NAME>]="..."  # Alternative kernel command line
#                          # Default value: ${CMDLINE_DEFAULT}
#   INITRD[<NAME>]="..."   # Alternative initramfs file
#                          # Default value: /boot/initramfs-<NAME>.img
#
# Each kernel can be mapped to multiple configs using the CONFIGS
# variable, in which case CMDLINE and INITRD are set per config.
#
# Examples:
#   CMDLINE["linux-lts"]="custom command line"
#   INITRD["linux-lts"]="/boot/initramfs-linux-custom.img"
#
#   # Generates variants with default and fallback initramfs
#   CONFIGS["linux"]="linux linux-fallback"
#
# Note: Intel and AMD microcode updates are handled automatically and
# do not need to be specified in INITRD.

and I still cannot enable secure boot.
These are all the files I have in efivars:

compound_db.auth   compound_KEK.esl  db.crt  KEK.auth  KEK.esl     old_dbx.auth  old_PK.esl  PK.crt
compound_db.esl    db.auth           db.esl  KEK.cer   KEK.key     old_dbx.esl   PK.auth     PK.esl
compound_KEK.auth  db.cer            db.key  KEK.crt   old_db.esl  old_KEK.esl   PK.cer      PK.key

Warning:

Generating and signing 5.13-x86_64-signed.efi
warning: data remaining[18243584 vs 18253587]: gaps between PE/COFF sections?
warning: data remaining[18243584 vs 18253592]: gaps between PE/COFF sections?
Signing Unsigned original image
Skipping already signed file /boot/efi/EFI/Manjaro/grubx64.efi
Skipping already signed file /boot/efi/EFI/boot/bootx64.efi

What do you mean you “cannot enable”? Did you just reboot after running sbupdate? That’s not gonna work.
I see you’re using grub. That’s your preferred choice right? So you need to change grub’s config to pick your kernels (in /boot/efi/EFI/Linux) instead of Grub’s default search location (/boot). But that’s a wrong way to do it. Instead, you can just issue something like sudo efibootmgr -c -d /dev/sda -p 1 -L "Manjaro, Linux 5.13" -l /EFI/Linux/5.13-x86_64-signed.efi -v to make a direct EFISTUB entry in UEFI boot order, where -l is followed by a relative path to the directory with your unified kernel image, -d stands for the device where $esp is located and -p indicates the number of partition that is set as $esp.
Or, even better, install systemd-boot and sign it instead of grub. Systemd-boot will auto-detect all unified kernels you have in /boot/efi/EFI/Linux and list them during pre-boot. To achieve the latter, just do sudo bootctl install and then edit /etc/sbupdate.conf in a way similar to mine, I mean this line:

EXTRA_SIGN=('/boot/efi/EFI/BOOT/BOOTX64.EFI' '/boot/efi/EFI/systemd/systemd-bootx64.efi')

Don’t forget to run sbupdate in order to sign systemd-boot efi binary.
However, this is not the end of the story yet.
If you have full disk encryption (I doubt but still), you cannot store your kernels on encrypted /boot, you simply won’t boot. This is why my $esp is mounted to /efi which is unencrypted.

But your issue might be another one: you haven’t enrolled those keys you generated and modified.
Now, (look at my question in the beginning of this post) if your last action was just running sbupdate after generating keys, then you need to reboot to UEFI settings, find Secure Boot settings, hit something like “Clear Secure Boot Keys”, reboot to Manjaro (this first boot will be in SecureBoot-less, so-called Setup mode), and then enroll your keys as described in the sakaki’s guide: original dbx first, then db (concatenated), then KEK (concatenated), and finally your own PK.

I think the problem lies with GRUB as I have encountered this problem while using sbctl. I have delete all the keys from bios and enrolled new PK, db, dbx, KEK.
After that when I enable secure boot it goes into grub rescue:

error: Verification Requested but nobody cares: (hd0,gpt2)/boot/grub/x86_64-efi/normal.mod
Entring Resue Mode....
grub resue>

I will be moving to systemd-boot and will hope this problem is solved. Thanks For the Patience and helpful answers.

Probably it is the culprit indeed. I recall some posts that were describing this exact behaviour after recent Grub updates. It has become too complex lately imho. Systemd-boot and efistub are way more simple to manage now.

1 Like

Oh, also I wanted to give one more advice: if your BIOS doesn’t have options for enrolling new key, just Enable/Disable switch and Clear/Load Default keys, you can install efitools, it has a tool called KeyTool, which is located at /usr/share/efitools/efi/KeyTool.efi, just copy that file to $esp/EFI/tools and don’t sign it, then create an entry in systemd-boot menu for it with just making a file $esp/loader/entries/keytool.conf with the following contents:

title	KeyTool
efi	/EFI/tools/KeyTool.efi

And when you will clear default keys using UEFI menu, do not boot to Manjaro, instead boot to KeyTool entry in systemd-boot menu, there you’ll be able to enroll all your keys (copy them to $esp beforehand). Enrolling PK should be the last step as it will enable SB again but with your keys already so pls load correct keys.

1 Like

Ok … I have an ASUS gaming Laptop that comes with a very convinient BIOS menu. So probable will not need this. Learning about systemd-boot. Its quite difficult to configure.

It’s the easiest bootloader if one uses what I suggested in my sbupdate config. All you need to do is:

  1. change /boot/efi in /etc/fstab to just /efi
  2. create /efi with sudo mkdir /efi
  3. re-mount your efi partition with sudo mount -a
  4. install systemd-boot files with sudo bootctl install
  5. now, assuming you have ESP_DIR="/efi" and EXTRA_SIGN=('/efi/EFI/BOOT/BOOTX64.EFI' '/efi/EFI/systemd/systemd-bootx64.efi') in your /etc/sbupdate, you can issue sudo sbupdate now
  6. add Keytool entry the way I told you before
  7. reboot and see systemd-boot menu with your kernels (if SB is disabled - or, if keys are already enrolled, with enabled SB).
  8. (optional) nuke grub it’s useless now
1 Like

I have installed systemd-boot and Secure boot has also started working. The only problem I was encountering before and now too is that I only get Reboot into firmware interface in systemd-boot menu. and from there I have to select grub and disable Secure Boot again as Grub does not work with SB. Can you please provide me with your systemd-boot configuration file? I think only that is missing now.
PS: I have not executed the 7th Step as it was not needed.
Entries that I made:

title   Manjaro
linux   /boot/vmlinuz-5.13-x86_64
initrd  /boot/amd-ucode.img
initrd  /boot/initramfs-5.13-x86_64.img
options quiet apparmor=1 security=apparmor udev.log_priority=3

That’s weird. Pls post the output of tree -L 3 /efi

➜  ~ sudo tree -L 3 /efi               
/efi
├── compound_db.auth
├── compound_db.esl
├── compound_KEK.auth
├── compound_KEK.esl
├── db.auth
├── db.cer
├── db.crt
├── db.esl
├── EFI
│   ├── Arch
│   │   └── 5.13-x86_64-signed.efi
│   ├── boot
│   │   └── bootx64.efi
│   ├── Linux
│   ├── Manjaro
│   │   └── grubx64.efi
│   └── systemd
│       └── systemd-bootx64.efi
├── KEK.auth
├── KEK.cer
├── KEK.crt
├── KEK.esl
├── loader
│   ├── entries
│   ├── loader.conf
│   └── random-seed
├── old_db.esl
├── old_dbx.auth
├── old_dbx.esl
├── old_KEK.esl
├── old_PK.esl
├── PK.auth
├── PK.cer
├── PK.crt
└── PK.esl

8 directories, 27 files

This might be also helpful:

➜  ~ sudo bootctl --esp-path=/efi --boot-path=/boot install
Block device node of "/boot" is invalid.
➜  /boot ls -al
total 49516
drwxr-xr-x 1 root root      256 Aug  6 14:05 .
drwxr-xr-x 1 root root      230 Aug  6 22:03 ..
-rw-r--r-- 1 root root    40960 Jul 20 00:46 amd-ucode.img
drwxr-xr-x 1 root root        0 Aug  6 14:01 efi
drwxr-xr-x 1 root root      112 Aug  6 14:08 grub
-rw------- 1 root root 32645550 Aug  6 14:04 initramfs-5.13-x86_64-fallback.img
-rw------- 1 root root  8324391 Aug  6 14:03 initramfs-5.13-x86_64.img
-rw-r--r-- 1 root root       21 Jul 26 13:12 linux513-x86_64.kver
drwxr-xr-x 1 root root       22 Jul 28 16:06 memtest86+
-rw-r--r-- 1 root root  9679904 Jul 28 16:06 vmlinuz-5.13-x86_64

EFI/Linux is empty, but it should be the place for your kernels generated by sbupdate. It is a directory which is being scanned by systemd-boot according to its specification. Not Arch. So pls edit your sbupdate.conf accordingly.
For the time being you can just do mv /efi/EFI/Arch/5.13-x86_64-signed.efi /efi/EFI/Linux/5.13-x86_64-signed.efi and reboot.

Option Came in Systemd-Boot. After selecting manjaro Linux, It shows me

mount: /new_root: wrong fs type, bad option, bad superblock on missing codepage or helper program , or other error. 
You are bieng dropped into emergency shell
[rootfs ]# 

Can you provide me your conf file in entries.
loader.conf

default manjaro.conf
timeout  4
console-mode max
editor   no

manjaro.conf in entries

title   Manjaro
linux   /boot/vmlinuz-5.13-x86_64
initrd  /boot/amd-ucode.img
initrd  /boot/initramfs-5.13-x86_64.img
options root=UUID=68c2ba15-8e82-4f8c-98a8-f030a3ee689e rootfstype=btrfs quiet apparmor=1 security=apparmor udev.log_priority=3
Boot Loader Entries:
        title: Manjaro
           id: manjaro.conf
       source: /efi/loader/entries/manjaro.conf
        linux: /boot/vmlinuz-5.13-x86_64 (No such file or directory)
       initrd: /boot/amd-ucode.img (No such file or directory)
               /boot/initramfs-5.13-x86_64.img (No such file or directory)
      options: root=UUID=68c2ba15-8e82-4f8c-98a8-f030a3ee689e rootfstype=btrfs quiet apparmor=1 security=apparmor udev.log_priority=3

        title: Manjaro Linux (default)
           id: 5.13-x86_64-signed.efi
       source: /efi/EFI/Linux/5.13-x86_64-signed.efi
        linux: EFI/Linux/5.13-x86_64-signed.efi
      options: quiet apparmor=1 security=apparmor udev.log_priority=3

In loader.conf change default manjaro.conf to default 5.13*efi.
Now you are defaulting to custom entry instead of auto-generated. For unified kernels you don’t need custom entries.

It didn’t work out. Same error.
Actually, In boot loader entries the second one is getting executed and not the first one with manjaro.conf because it cannot find linux and initrd (No such file or directory).
This is the ploblem i am facing, Here.

That’s exactly what is needed. If going this route, there should be no custom entries except for tools like KeyTool, Memtest or, say, Fwupd. So delete or move $esp/loader/entries/manjaro.conf from entries folder somewhere else. This will leave you with 1 option, which should be bootable. I didn’t get what you meant with “same error”, sorry. Basically if you had no problems booting with grub and a set of separated files (vmlinuz and initrds), then a binary generated by sbupdate should be bootable too. It just concatenates the above with cmdline and signs the resulting file. Try doing sudo mkinitcpio -P before doing sudo sbupdate, and don’t forget that sbupdate.conf should have OUT_DIR="EFI/Linux" before you run it, or you will have to move updated binary from your Arch folder again.
BTW you said you have manjaro.conf but I didn’t see that in the output of your tree command above. $esp/loader/entries folder seemed to be empty.

I have fixed grub by sudo grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=Manjaro --modules="normal test efi_gop efi_uga search echo linux all_video gfxmenu gfxterm_background gfxterm_menu gfxterm loadenv configfile tpm" --disable-shim-lock and Secure Boot works for now.

2 Likes

That’s great to know. Finally someone found a way to make Manjaro’s Grub work with SB.

2 Likes

I have been trying every scenario for boot to work so it might have been i had deleted the conf files and you must have asked for the tree command output.
It took me 5 Hours and reading many articles and at last, it worked. Here is the grub issue. Btw a big thank You.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.