
Thread: Grub2 Invalid signature error when multi-booting

  1. #1

    Grub2 Invalid signature error when multi-booting

    Hello all,
    I've run into a curious problem. I'm booting Windows 8, openSUSE 13.1, and Ubuntu 13.10 all with SECURE BOOT enabled and get the following error from grub2 when trying to boot Ubuntu:

    error: /boot/vmlinuz-3.11.0-15-generic.efi.signed has invalid signature
    error: you need to load the kernel first

    Windows has its own drive; the Linux distros are installed on the other. The EFI BOOT partition is on sda4 with Windows, created when Windows was installed first.
    YAST install of grub does the following: openSUSE boots fine, Windows boots fine, Ubuntu errors out. If I disable secure boot, everything works fine.

    I tried Ubuntu's grub2 installation, and it correctly booted all three OS's with secure boot enabled and disabled.

    I realize the short answer is to just use Ubuntu's grub installation, but openSUSE is the distro I prefer, and I really want to know why this is happening.
    Any help is greatly appreciated.

  2. #2

    Re: Grub2 Invalid signature error when multi-booting

    Quote: Originally Posted by garlicwonder
    > Hello all,
    > I've run into a curious problem. I'm booting Windows 8, openSUSE 13.1, and Ubuntu 13.10 all with SECURE BOOT enabled and get the following error from grub2 when trying to boot Ubuntu
    >
    > error: /boot/vmlinuz-3.11.0-15-generic.efi.signed has invalid signature
    > error: you need to load the kernel first

    I'm not sure how the signed kernel works. Presumably, the Ubuntu kernel is signed with a Ubuntu key, while the opensuse kernel is signed with an opensuse key. I'm not completely sure what is supposed to happen.

  3. #3

    Re: Grub2 Invalid signature error when multi-booting

    I was under the impression that a type of generic key is used for these distros. If that is incorrect, I'm still wondering how Ubuntu manages to boot SUSE but not vice versa.

  4. #4

    Re: Grub2 Invalid signature error when multi-booting

    Quote: Originally Posted by garlicwonder
    > Hello all,
    > I've run into a curious problem. I'm booting Windows 8, openSUSE 13.1, and Ubuntu 13.10 all with SECURE BOOT enabled and get the following error from grub2 when trying to boot Ubuntu
    >
    > error: /boot/vmlinuz-3.11.0-15-generic.efi.signed has invalid signature

    The problem is that each vendor signs its kernel with its own key. The grub2 installed by a vendor normally knows only the keys of this vendor, so it cannot verify a file signed by another vendor.

    Possible solutions are:

    - use your system's EFI boot manager to directly start the Ubuntu bootloader.
    - configure grub2 to chainload the Ubuntu bootmanager instead of attempting to boot its kernel directly. Currently there is no automatic way to do it, and I'm not sure to which extent it is possible. There is limited support for the Windows bootloader ...
    - enroll the Ubuntu key using the openSUSE shim interface so it can directly verify the signature.

    > I'm still wondering how ubuntu manages to boot suse but not vice-versa

    Please show the Ubuntu grub.cfg. I'm interested too. Care to open a bug report for openSUSE and post the number here?

  5. #5

    Re: Grub2 Invalid signature error when multi-booting

    I will post Ubuntu's grub.cfg as soon as I have access to the system. I currently do have EFI booting Ubuntu's grub; I just want SUSE to do it.

    Your third option sounds interesting. I, however, have no clue how to enroll Ubuntu's key into openSUSE. Is there a resource available with some decent directions? Many thanks.

  6. #6

    Re: Grub2 Invalid signature error when multi-booting

    Quote: Originally Posted by garlicwonder
    > I however have no clue how to enroll ubuntus key into opensuse. is there a resource available with some decent directions?

    This theoretically should be possible using mokutil directly from within the OS; you may test it. Otherwise just start MokManager.efi (in \EFI\openSUSE\MokManager.ef) using grub2 or directly from within your system's boot menu if possible. You need to make the keys available on the EFI partition so MokManager can read them. See also https://en.opensuse.org/openSUSE:UEFI near the end.

  7. #7

    Re: Grub2 Invalid signature error when multi-booting

    On 2014-02-21 08:06, arvidjaar wrote:

    > Possible solutions are


    > - configure grub2 to chainload Ubuntu bootmanager instead of attempting
    > to boot its kernel directly. Currently there is no automatic way to do
    > it, and I'm not sure to which extent it is possible. There is limited
    > support for Windows bootloader ...


    Can't grub be chainloaded from the custom config file? :-?

    --
    Cheers / Saludos,

    Carlos E. R.

    (from 13.1 x86_64 "Bottle" (Minas Tirith))

  8. #8

    Re: Grub2 Invalid signature error when multi-booting

    Quote: Originally Posted by garlicwonder
    > I was under the impression that a type of generic key is used for these distros.

    The distros use their own version of "shim.efi". They get Microsoft to sign that. Then "shim.efi" verifies the kernel signature, based on the distro's signing key. There's a utility MokManager where you can enroll additional signing keys. The documentation was not good when I last checked. If you can enroll the ubuntu signing key with MokManager, that would probably solve your problem.

    Quote: Originally Posted by garlicwonder
    > If that is incorrect I'm still wondering how ubuntu manages to boot suse but not vice-versa

    It could have worked both ways with opensuse 12.3, but not with 13.1. With opensuse 12.3, it was possible to use secure-boot to load "shim.efi", and then to configure grub so that "shim.efi" did not check signatures of the kernels that it loaded. I'm guessing that ubuntu is doing that to load opensuse.

    That you could load a kernel, without checking its signature, was seen as a weakness in the secure-boot support. That weakness was fixed for opensuse 13.1, and now you can't do it. At some future time, Ubuntu may make the same fixes, and then Ubuntu won't be able to boot opensuse.

    Your possible solutions seem to be:
    1. Turn off secure-boot;
    2. Enroll the Ubuntu key with MokManager;
    3. Use the grub installed with Ubuntu to handle the booting;
    4. Create a chain-loader section of your grub configuration, so that the grub2-efi (from opensuse) chainloads to the grub2-efi installed by ubuntu, when loading ubuntu. I think you will have to hand-craft that section of the configuration. Use the way chainloading is set up for Windows as a guide.

  9. #9

    Re: Grub2 Invalid signature error when multi-booting

    Thanks for all the suggestions. I've tried chainloading Ubuntu in the Windows "style" but had no luck. Got a variety of errors including "invalid EFI file path". I'm still working on getting openSUSE to sign the Ubuntu binary, but it's not well documented or perhaps I am a bit daft. In any case, here is the Ubuntu grub.cfg file as promised.

    Interesting thing I noted. When Ubuntu boots openSUSE, for a split second grub displays "INVALID SIGNATURE" but the OS continues to boot. I believe this may enforce what nrickert said about how Ubuntu does this successfully. If Ubuntu and other distros patch this, I foresee a bunch of posts for help. As we all know, multibooting is quite common for Linux users and secure boot is making this extremely difficult.

    Code:
    #
    # DO NOT EDIT THIS FILE
    #
    # It is automatically generated by grub-mkconfig using templates
    # from /etc/grub.d and settings from /etc/default/grub
    #
    
    ### BEGIN /etc/grub.d/00_header ###
    if [ -s $prefix/grubenv ]; then
      set have_grubenv=true
      load_env
    fi
    set default="0"
    
    if [ x"${feature_menuentry_id}" = xy ]; then
      menuentry_id_option="--id"
    else
      menuentry_id_option=""
    fi
    
    export menuentry_id_option
    
    if [ "${prev_saved_entry}" ]; then
      set saved_entry="${prev_saved_entry}"
      save_env saved_entry
      set prev_saved_entry=
      save_env prev_saved_entry
      set boot_once=true
    fi
    
    function savedefault {
      if [ -z "${boot_once}" ]; then
        saved_entry="${chosen}"
        save_env saved_entry
      fi
    }
    
    function recordfail {
      set recordfail=1
      if [ -n "${have_grubenv}" ]; then if [ -z "${boot_once}" ]; then save_env recordfail; fi; fi
    }
    
    function load_video {
      if [ x$feature_all_video_module = xy ]; then
        insmod all_video
      else
        insmod efi_gop
        insmod efi_uga
        insmod ieee1275_fb
        insmod vbe
        insmod vga
        insmod video_bochs
        insmod video_cirrus
      fi
    }
    
    if [ x$feature_default_font_path = xy ] ; then
       font=unicode
    else
    insmod part_gpt
    insmod ext2
    set root='hd1,gpt4'
    if [ x$feature_platform_search_hint = xy ]; then
      search --no-floppy --fs-uuid --set=root --hint-bios=hd1,gpt4 --hint-efi=hd1,gpt4 --hint-baremetal=ahci1,gpt4  c83c72ba-a33e-48ef-a764-44a892a7962d
    else
      search --no-floppy --fs-uuid --set=root c83c72ba-a33e-48ef-a764-44a892a7962d
    fi
        font="/usr/share/grub/unicode.pf2"
    fi
    
    if loadfont $font ; then
      set gfxmode=auto
      load_video
      insmod gfxterm
      set locale_dir=$prefix/locale
      set lang=en_US
      insmod gettext
    fi
    terminal_output gfxterm
    if [ "${recordfail}" = 1 ]; then
      set timeout=-1
    else
      set timeout=10
    fi
    ### END /etc/grub.d/00_header ###
    
    ### BEGIN /etc/grub.d/05_debian_theme ###
    set menu_color_normal=white/black
    set menu_color_highlight=black/light-gray
    if background_color 44,0,30; then
      clear
    fi
    ### END /etc/grub.d/05_debian_theme ###
    
    ### BEGIN /etc/grub.d/10_linux ###
    function gfxmode {
        set gfxpayload="${1}"
        if [ "${1}" = "keep" ]; then
            set vt_handoff=vt.handoff=7
        else
            set vt_handoff=
        fi
    }
    if [ "${recordfail}" != 1 ]; then
      if [ -e ${prefix}/gfxblacklist.txt ]; then
        if hwmatch ${prefix}/gfxblacklist.txt 3; then
          if [ ${match} = 0 ]; then
            set linux_gfx_mode=keep
          else
            set linux_gfx_mode=text
          fi
        else
          set linux_gfx_mode=text
        fi
      else
        set linux_gfx_mode=keep
      fi
    else
      set linux_gfx_mode=text
    fi
    export linux_gfx_mode
    menuentry 'Ubuntu' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-c83c72ba-a33e-48ef-a764-44a892a7962d' {
    recordfail
        load_video
        gfxmode $linux_gfx_mode
        insmod gzio
        insmod part_gpt
        insmod ext2
        set root='hd1,gpt4'
        if [ x$feature_platform_search_hint = xy ]; then
          search --no-floppy --fs-uuid --set=root --hint-bios=hd1,gpt4 --hint-efi=hd1,gpt4 --hint-baremetal=ahci1,gpt4  c83c72ba-a33e-48ef-a764-44a892a7962d
        else
          search --no-floppy --fs-uuid --set=root c83c72ba-a33e-48ef-a764-44a892a7962d
        fi
        linux    /boot/vmlinuz-3.11.0-15-generic.efi.signed root=UUID=c83c72ba-a33e-48ef-a764-44a892a7962d ro   quiet splash $vt_handoff
        initrd    /boot/initrd.img-3.11.0-15-generic
    }
    submenu 'Advanced options for Ubuntu' $menuentry_id_option 'gnulinux-advanced-c83c72ba-a33e-48ef-a764-44a892a7962d' {
        menuentry 'Ubuntu, with Linux 3.11.0-15-generic' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-3.11.0-15-generic-advanced-c83c72ba-a33e-48ef-a764-44a892a7962d' {
        recordfail
            load_video
            gfxmode $linux_gfx_mode
            insmod gzio
            insmod part_gpt
            insmod ext2
            set root='hd1,gpt4'
            if [ x$feature_platform_search_hint = xy ]; then
              search --no-floppy --fs-uuid --set=root --hint-bios=hd1,gpt4 --hint-efi=hd1,gpt4 --hint-baremetal=ahci1,gpt4  c83c72ba-a33e-48ef-a764-44a892a7962d
            else
              search --no-floppy --fs-uuid --set=root c83c72ba-a33e-48ef-a764-44a892a7962d
            fi
            echo    'Loading Linux 3.11.0-15-generic ...'
            linux    /boot/vmlinuz-3.11.0-15-generic.efi.signed root=UUID=c83c72ba-a33e-48ef-a764-44a892a7962d ro   quiet splash $vt_handoff
            echo    'Loading initial ramdisk ...'
            initrd    /boot/initrd.img-3.11.0-15-generic
        }
        menuentry 'Ubuntu, with Linux 3.11.0-15-generic (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-3.11.0-15-generic-recovery-c83c72ba-a33e-48ef-a764-44a892a7962d' {
        recordfail
            load_video
            insmod gzio
            insmod part_gpt
            insmod ext2
            set root='hd1,gpt4'
            if [ x$feature_platform_search_hint = xy ]; then
              search --no-floppy --fs-uuid --set=root --hint-bios=hd1,gpt4 --hint-efi=hd1,gpt4 --hint-baremetal=ahci1,gpt4  c83c72ba-a33e-48ef-a764-44a892a7962d
            else
              search --no-floppy --fs-uuid --set=root c83c72ba-a33e-48ef-a764-44a892a7962d
            fi
            echo    'Loading Linux 3.11.0-15-generic ...'
            linux    /boot/vmlinuz-3.11.0-15-generic.efi.signed root=UUID=c83c72ba-a33e-48ef-a764-44a892a7962d ro recovery nomodeset 
            echo    'Loading initial ramdisk ...'
            initrd    /boot/initrd.img-3.11.0-15-generic
        }
    }
    ### END /etc/grub.d/10_linux ###
    
    ### BEGIN /etc/grub.d/20_linux_xen ###
    
    ### END /etc/grub.d/20_linux_xen ###
    
    ### BEGIN /etc/grub.d/20_memtest86+ ###
    ### END /etc/grub.d/20_memtest86+ ###
    
    ### BEGIN /etc/grub.d/30_os-prober ###
    menuentry "Windows Boot Manager (UEFI on /dev/sda2)" --class windows --class os {
        insmod part_gpt
        insmod fat
        set root='hd0,gpt2'
        if [ x$feature_platform_search_hint = xy ]; then
          search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt2 --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2  24B0-7229
        else
          search --no-floppy --fs-uuid --set=root 24B0-7229
        fi
        chainloader /EFI/Microsoft/Boot/bootmgfw.efi
    }
    menuentry 'openSUSE 13.1 (x86_64)' --class gnu-linux --class gnu --class os $menuentry_id_option 'osprober-gnulinux-simple-9f7aec37-99e2-46d3-a7ed-cbb72c887f42' {
        insmod part_gpt
        insmod ext2
        set root='hd1,gpt2'
        if [ x$feature_platform_search_hint = xy ]; then
          search --no-floppy --fs-uuid --set=root --hint-bios=hd1,gpt2 --hint-efi=hd1,gpt2 --hint-baremetal=ahci1,gpt2  9f7aec37-99e2-46d3-a7ed-cbb72c887f42
        else
          search --no-floppy --fs-uuid --set=root 9f7aec37-99e2-46d3-a7ed-cbb72c887f42
        fi
        linux /boot/vmlinuz root=/dev/sdb2
        initrd /boot/initrd
    }
    submenu 'Advanced options for openSUSE 13.1 (x86_64)' $menuentry_id_option 'osprober-gnulinux-advanced-9f7aec37-99e2-46d3-a7ed-cbb72c887f42' {
        menuentry 'openSUSE 13.1 (x86_64) (on /dev/sdb2)' --class gnu-linux --class gnu --class os $menuentry_id_option 'osprober-gnulinux-/boot/vmlinuz--9f7aec37-99e2-46d3-a7ed-cbb72c887f42' {
            insmod part_gpt
            insmod ext2
            set root='hd1,gpt2'
            if [ x$feature_platform_search_hint = xy ]; then
              search --no-floppy --fs-uuid --set=root --hint-bios=hd1,gpt2 --hint-efi=hd1,gpt2 --hint-baremetal=ahci1,gpt2  9f7aec37-99e2-46d3-a7ed-cbb72c887f42
            else
              search --no-floppy --fs-uuid --set=root 9f7aec37-99e2-46d3-a7ed-cbb72c887f42
            fi
            linux /boot/vmlinuz root=/dev/sdb2
            initrd /boot/initrd
    
        
        }
    }
    
    ### END /etc/grub.d/30_os-prober ###
    
    ### BEGIN /etc/grub.d/30_uefi-firmware ###
    menuentry 'System setup' $menuentry_id_option 'uefi-firmware' {
        fwsetup
    }
    ### END /etc/grub.d/30_uefi-firmware ###
    
    ### BEGIN /etc/grub.d/40_custom ###
    # This file provides an easy way to add custom menu entries.  Simply type the
    # menu entries you want to add after this comment.  Be careful not to change
    # the 'exec tail' line above.
    ### END /etc/grub.d/40_custom ###
    
    ### BEGIN /etc/grub.d/41_custom ###
    if [ -f  ${config_directory}/custom.cfg ]; then
      source ${config_directory}/custom.cfg
    elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
      source $prefix/custom.cfg;
    fi
    ### END /etc/grub.d/41_custom ###

  10. #10

    Re: Grub2 Invalid signature error when multi-booting

    Quote: Originally Posted by garlicwonder
    > here is the ubuntu grub.cfg file

    Code:
    menuentry 'openSUSE 13.1 (x86_64)' --class gnu-linux --class gnu --class os $menuentry_id_option 'osprober-gnulinux-simple-9f7aec37-99e2-46d3-a7ed-cbb72c887f42' {
        linux /boot/vmlinuz root=/dev/sdb2
        initrd /boot/initrd
    }

    Unless Ubuntu has heavily patched grub2, the above performs a traditional Linux boot without checking the signature. Currently the de facto standard across distributions is to use a separate command (linuxefi) in case of secure boot, even though linuxefi itself is not part of upstream.

    Doing it as shown in grub.cfg defeats the purpose of secure boot entirely and is actually an Ubuntu bug, not a feature.

    > secure boot is making this extremely difficult.

    Security measures are not intended to make using computers easier, but more secure. This usually means imposing some restrictions on what you can do and how you can do it. Which rarely makes doing it easier.
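
Added example, not part of the thread or of any distro's tooling: a small Python audit that applies the distinction drawn in post #10 to a grub.cfg and lists the menu entries that load a kernel with plain `linux` instead of `linuxefi`. It assumes, as that post does, that `linux` performs no signature check (a GRUB build that verifies inside `linux` would make these findings false positives); `audit_grub_cfg` and `SAMPLE_CFG` are names made up here, and the sample is trimmed from the grub.cfg posted above.

```python
import re

# Assumption taken from post #10: under Secure Boot, `linuxefi` is the verifying
# loader command, while plain `linux` (or `linux16`) is a traditional boot.
UNVERIFIED = {"linux", "linux16"}

# Constructed sample: three entries trimmed from the grub.cfg posted in this thread.
SAMPLE_CFG = r"""
menuentry "Windows Boot Manager (UEFI on /dev/sda2)" --class windows --class os {
    insmod part_gpt
    chainloader /EFI/Microsoft/Boot/bootmgfw.efi
}
menuentry 'openSUSE 13.1 (x86_64)' --class gnu-linux --class os {
    linux /boot/vmlinuz root=/dev/sdb2
    initrd /boot/initrd
}
submenu 'Advanced options for Ubuntu' {
    menuentry 'Ubuntu, with Linux 3.11.0-15-generic' --class ubuntu {
        if [ x$feature_platform_search_hint = xy ]; then
          search --no-floppy --fs-uuid --set=root c83c72ba-a33e-48ef-a764-44a892a7962d
        fi
        linux    /boot/vmlinuz-3.11.0-15-generic.efi.signed root=UUID=c83c72ba-a33e-48ef-a764-44a892a7962d ro
    }
}
"""

TITLE = re.compile(r"""^\s*menuentry\s+(['"])(.*?)\1""")

def audit_grub_cfg(text):
    """Return [(title, command, image)] for entries whose kernel load is unverified."""
    findings, title, depth = [], None, 0
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        m = TITLE.match(line)
        if m:
            title, depth = m.group(2), 0
        if title is None:
            continue  # outside any menuentry (header code, submenu wrapper)
        words = stripped.split()
        if len(words) > 1 and words[0] in UNVERIFIED:
            findings.append((title, words[0], words[1]))
        # Count braces so if/fi blocks and ${var} expansions do not end the entry early.
        depth += stripped.count("{") - stripped.count("}")
        if depth <= 0 and "}" in stripped:
            title = None
    return findings

if __name__ == "__main__":
    for title, cmd, image in audit_grub_cfg(SAMPLE_CFG):
        print(f"UNVERIFIED  {title!r}: {cmd} {image}")
```

Entries that use `chainloader` are not flagged, because the chainloaded binary is handed to the firmware/shim rather than loaded as a kernel by GRUB itself.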
