Grub_tpm_measure not found after uefi restore from backup

I turned on my computer and there was a message that efi boot got corrupted and is being restored from a backup. It took a few minutes and then system tried to boot again. Grub screen came up, default entry was selected, but boot failed with “grub_tpm_measure not found” after “Loading kernel 4.18…” line.

I’ve tried using Live rescue CD, chrooted into installed system and tried to run grub2-mkconfig. It printed a list of “Found linux image…” lines and then gave a warning: “Failed to connect to lvmetad. Falling back to device scanning. /dev/sdd: open failed: No medium found” but finished with “done” on the last line.

I don’t remember having any LVM on my computer, I don’t even know what it is. Rebooting still gives the same error message. I don’t think I have dev/sdd and “lsblk” shows all my partitions on /dev/sdb, as expected.

I’ve been following instructions here: https://doc.opensuse.org/documentation/leap/startup/html/book.opensuse.startup/cha.trouble.html#sec.trouble.data.recover.rescue

There’s a step there to check configuration of various grub2 related files but they look okay to me. What exactly should I be looking for there?

Any ideas?

This could have various causes: initrd not correctly built, grub not correctly reconfigured.
The /dev/sdd was probably the USB stick with the rescue system.

Please show, from the installed system:


cat /etc/fstab


sudo fdisk -l

localhost:/ # cat /etc/fstab
/dev/disk/by-id/ata-KINGSTON_SH103S3120G_50026B724116E2FB-part2 swap                 swap       defaults              0 0
/dev/disk/by-id/ata-KINGSTON_SH103S3120G_50026B724116E2FB-part3 /                    ext4       acl,user_xattr        1 1
/dev/disk/by-id/ata-KINGSTON_SH103S3120G_50026B724116E2FB-part1 /boot/efi            vfat       umask=0002,utf8=true  0 0
/dev/disk/by-id/ata-KINGSTON_SH103S3120G_50026B724116E2FB-part4 /home                ext4       acl,user_xattr        1 2
/dev/disk/by-id/ata-WDC_WD10EZEX-00BN5A0_WD-WMC3F1760357-part1 /Share               ext4       defaults              1 2

localhost:/ # sudo fdisk -l
Disk /dev/sda: 931.5 GiB, 1000204886016 bytes, 1953525168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: gpt
Disk identifier: 6F33C0FA-46DE-4CEC-B412-B52FC9823557

Device     Start        End    Sectors   Size Type
/dev/sda1   2048 1953523711 1953521664 931.5G Microsoft basic data


Disk /dev/sdb: 111.8 GiB, 120034123776 bytes, 234441648 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 6F152C37-4B0B-4432-8264-8E17C8246491

Device        Start       End   Sectors  Size Type
/dev/sdb1      2048    321535    319488  156M EFI System
/dev/sdb2    321536   4530175   4208640    2G Microsoft basic data
/dev/sdb3   4530176  63768575  59238400 28.3G Microsoft basic data
/dev/sdb4  63768576 234440703 170672128 81.4G Microsoft basic data


Disk /dev/loop0: 528.9 MiB, 554565632 bytes, 1083136 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/loop1: 3 GiB, 3257925632 bytes, 6363136 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes




Disk /dev/sdc: 7.5 GiB, 8053063680 bytes, 15728640 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x35ffaf4e

Device     Boot   Start      End  Sectors  Size Id Type
/dev/sdc1  *         64  1271807  1271744  621M 17 Hidden HPFS/NTFS
/dev/sdc2       1271808  1302527    30720   15M ef EFI (FAT-12/16/32)
/dev/sdc3       1302528 15728639 14426112  6.9G 83 Linux

 

Of these, sdb3 is the system partition I use for chroot, sdb1 looks like my swap, and sdb3 is /home.

On boot, “grub_tpm_measure”, repeats twice, actually - after “Loading kernel” line and the again after “loading initrd”, and then the same set repeats for the second grub entry, which is the rescue copy of the system (I have only two choices in my grub). Then grub gives up with no further prompts or options.

About loading initrd - I think the message was actually about loading ramdisk. I’m sitting in chrooted rescue system right now and am typing this from memory. My memory is like a sieve, sometimes.

Post “efibootmgr -v” output. Is secure boot enabled?

localhost:/ # efibootmgr -v
BootCurrent: 0005
Timeout: 1 seconds
BootOrder: 0001,0000,0004,0005,0002,0003
Boot0000* opensuse    HD(1,GPT,a65dbf51-bb68-4abf-8bf0-956302d75166,0x800,0x4e000)/File(\EFI\opensuse\grubx64.efi)
Boot0001* opensuse-secureboot    HD(1,GPT,a65dbf51-bb68-4abf-8bf0-956302d75166,0x800,0x4e000)/File(\EFI\opensuse\shim.efi)
Boot0002* CD/DVD Drive     BBS(CDROM,,0x0)AMGOAMNO........o.H.L.-.D.T.-.S.T. .D.V.D.R.A.M. .G.H.2.4.N.S.B.0....................A...........................>..Gd-.;.A..MQ..L.C.K.E.W.3.1.5.A.4.4. .2. . . . . . . . ......AMBO
Boot0003* Hard Drive     BBS(HD,,0x0)AMGOAMNO........e.G.e.n.e.r.i.c. .S.t.o.r.a.g.e. .D.e.v.i.c.e. .0...0.0....................A.............................2..Gd-.;.A..MQ..L.0.0.0.0.0.0.0.0.0.0.0.0.0.6......AMBOAMNO........o.W.D.C. .W.D.1.0.E.Z.E.X.-.0.0.B.N.5.A.0....................A...........................>..Gd-.;.A..MQ..L. . . . .W. .-.D.M.W.3.C.1.F.6.7.3.0.7.5......AMBOAMNO........o.K.I.N.G.S.T.O.N. .S.H.1.0.3.S.3.1.2.0.G....................A...........................>..Gd-.;.A..MQ..L.0.5.2.0.B.6.2.7.1.4.6.1.2.E.B.F. . . . ......AMBOAMNO........Y.G.e.n.e.r.i.c. .F.l.a.s.h. .D.i.s.k. .8...0.7....................A.............................&..Gd-.;.A..MQ..L.7.D.5.2.D.6.E.0......AMBO
Boot0004* UEFI OS    HD(1,GPT,a65dbf51-bb68-4abf-8bf0-956302d75166,0x800,0x4e000)/File(\EFI\BOOT\BOOTX64.EFI)
Boot0005* UEFI: Generic Flash Disk 8.07    PciRoot(0x0)/Pci(0x1d,0x0)/USB(1,0)/USB(2,0)/HD(2,MBR,0x35ffaf4e,0x136800,0x7800)AMBO

Here “TPM” is probably referring to the “Trusted Platform Module”. Maybe check your BIOS/Firmware settings to see whether TPM is enabled.

I’m not sure that it even matters. I saw TPM message while booting, and they never caused a problem. I eventually enabled TPM in the BIOS and the messages went away. I think you need TPM for using “Bitlocker” in Windows.

In any case, once you get as far as loading a kernel, grub should not be involved. So perhaps loading the kernel was where the failure occurred.

I’ve tried using Live rescue CD, chrooted into installed system and tried to run grub2-mkconfig. It printed a list of “Found linux image…” lines and then gave a warning: “Failed to connect to lvmetad. Falling back to device scanning. /dev/sdd: open failed: No medium found” but finished with “done” on the last line.

As far as I know, you can ignore those “lvmetad” messages that show up when running “grub2-mkconfig.”

I don’t remember having any LVM on my computer, I don’t even know what it is. Rebooting still gives the same error message. I don’t think I have dev/sdd and “lsblk” shows all my partitions on /dev/sdb, as expected.

I’ve never had Windows on this machine and I couldn’t find any “tpm” options in BIOS.

If BIOS finds Grub and starts it, shouldn’t loading kernels and ramdisks be beyond BIOS responsibility already? As I said in the first message - it all happened after BIOS restored itself from a backup. I don’t think that would have made any changes to the OS itself. Still, the OS needs to play nice with UEFI so some updating or reinstalling might be needed. Running grub2-makecfg didn’t help, is there anything else? New makeinitrd, perhaps?

I don’t remember now, but I think it’s possible that on the first install OpenSuse required some changes to default BIOS configuration. These might have been lost after restore.

My best guess is that EFI boot fails for whatever reason and it falls back to legacy BIOS boot which is outdated. Simply running “update-bootloader --reinit” may fix it. To check whether these entries are valid, post output of “lsblk --fs -o +PARTUUID” and “ls -lR /boot”.

Please try to explicitly select either “opensuse” or “opensuse-secureboot” in BIOS boot menu. Do you have the same error in both cases?

The message has nothing to do with TPM. It simply means loaded core.img does not match grub modules under /boot/grub2. As in OP case it should have used pre-built EFI image, the only explanation I have - either it failed back to generated grub image and it is old or it failed back to legacy BIOS boot and installed core.img is again too old.

Good news - after loading “safe defaults” in BIOS I can finally boot the system. Bad news - there are three bootable entries shown and the ones beginning with “secureboot” and “UEFI” still report the same “grub_tpm_measure” symbol as being not found. The third entry, the one that simply states the name of the hard disk, is bootable, however.

“ls -lR /boot” output (as run from chroot, before I booted system normally) is rather long so I pasted it here: SUSE Paste

From the booted system:

stan@linux-pwfe:~> sudo lsblk --fs -o +PARTUUID
[sudo] password for root:  
NAME   FSTYPE LABEL UUID                                 MOUNTPOINT PARTUUID
sda
└─sda1 ext4   Share efd7262e-901f-4027-b9c7-d5b2e2057f1f /Share     401e1e65-1bf7-4ade-90e6-61da1e4794e9
sdb
├─sdb1 vfat         5757-968F                            /boot/efi  a65dbf51-bb68-4abf-8bf0-956302d75166
├─sdb2 swap         d828f00c-aef2-4b31-a18d-1ac36609289d [SWAP]     67baccf3-7b4f-429b-86ad-fb498771e333
├─sdb3 ext4         4a2f66b4-3519-4320-a6fb-dc44273d78d8 /          805ddda7-ad6a-4448-9b83-b2d9367773cd
└─sdb4 ext4         16487166-550d-4482-be46-97d4c377ad49 /home      95a943fb-7984-4692-82ae-59be80360a70
sr0

“update-bootloader --reinit” doesn’t have any visible effect

Current “efibootmgr -v”, without rescue system USB stick plugged in:

stan@linux-pwfe:~> sudo efibootmgr -v
BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0001,0000,0004,0002,0003
Boot0000* opensuse      HD(1,GPT,a65dbf51-bb68-4abf-8bf0-956302d75166,0x800,0x4e000)/File(\EFI\opensuse\grubx64.efi)
Boot0001* opensuse-secureboot   HD(1,GPT,a65dbf51-bb68-4abf-8bf0-956302d75166,0x800,0x4e000)/File(\EFI\opensuse\shim.efi)
Boot0002* CD/DVD Drive  BBS(CDROM,,0x0)AMGOAMNO........o.H.L.-.D.T.-.S.T. .D.V.D.R.A.M. .G.H.2.4.N.S.B.0....................A...........................>..Gd-.;.A..MQ..L.C.K.E.W.3.1.5.A.4.4. .2. . . . . . . . ......AMBO
Boot0003* Hard Drive    BBS(HD,,0x0)AMGOAMNO........e.G.e.n.e.r.i.c. .S.t.o.r.a.g.e. .D.e.v.i.c.e. .0...0.0....................A.............................2..Gd-.;.A..MQ..L.0.0.0.0.0.0.0.0.0.0.0.0.0.6......AMBOAMNO........o.W.D.C. .W.D.1.0.E.Z.E.X.-.0.0.B.N.5.A.0....................A...........................>..Gd-.;.A..MQ..L. . . . .W. .-.D.M.W.3.C.1.F.6.7.3.0.7.5......AMBOAMNO........o.K.I.N.G.S.T.O.N. .S.H.1.0.3.S.3.1.2.0.G....................A...........................>..Gd-.;.A..MQ..L.0.5.2.0.B.6.2.7.1.4.6.1.2.E.B.F. . . . ......AMBO
Boot0004* UEFI OS       HD(1,GPT,a65dbf51-bb68-4abf-8bf0-956302d75166,0x800,0x4e000)/File(\EFI\BOOT\BOOTX64.EFI)

I can bump the bootable entry in BIOS to the top to have it loaded automatically without manually selecting it but that doesn’t solve secure boot problem.

try turning off secure boot
if that works reinstall grub with secure boot checked and then maybe you can boot with secure boot

Note IMO secure boot is security theater. If anything can change the boot stack it already owns the machine.

efibootmgr output lists five menu items; none of them begins with “secureboot”, at least as long as we can trust output. Please, provide photo of this menu, mark items that work and that do not work.

The third entry, the one that simply states the name of the hard disk, is bootable, however.
Well, if you mean entry “Hard Drive”, this is legacy boot. Does “efibootmgr -v” work from within booted system?

“ls -lR /boot” output (as run from chroot, before I booted system normally)
Please show /boot/efi/EFI/opensuse/grub.cfg.

“efibootmgr -v”, without rescue system USB stick plugged in:

Is it from system booted using menu entry with “name of hard disk”?

I meant this one:

“Boot0001* opensuse-secureboot HD(1,GPT,a65dbf51-bb68-4abf-8bf0-956302d75166,0x800,0x4e000)/File(\EFI\opensuse\shim.efi)”

It doesn’t boot

Please show /boot/efi/EFI/opensuse/grub.cfg.

set btrfs_relative_path="yes"
search --fs-uuid --set=root 4a2f66b4-3519-4320-a6fb-dc44273d78d8
set prefix=(${root})/boot/grub2
source "${prefix}/grub.cfg"

Is it from system booted using menu entry with “name of hard disk”?

Yes.

I’ve played with boot mode options in BIOS, there is “UEFI and Legacy”, “Legacy Only”, and “UEFI only”. Depending on which one is set there’s a different list of choices presented on the “select which OS to boot” screen. The three main entries are always there, corresponding to these lines from efibootmgr:

  • Boot0001* opensuse-secureboot HD(1,GPT,a65dbf51-bb68-4abf-8bf0-956302d75166,0x800,0x4e000)/File(\EFI\opensuse\shim.efi)
  • Boot0004* UEFI OS HD(1,GPT,a65dbf51-bb68-4abf-8bf0-956302d75166,0x800,0x4e000)/File(\EFI\BOOT\BOOTX64.EFI)
  • Boot0000* opensuse HD(1,GPT,a65dbf51-bb68-4abf-8bf0-956302d75166,0x800,0x4e000)/File(\EFI\opensuse\grubx64.efi)

The first two never boot, the last one always boots - even if “boot mode” is set to “Legacy Only”.

I’m not sure what this line refers to on the boot selection screen itself:

“Boot0003* Hard Drive BBS(HD,0x0)AMGOAMNO…e.G.e.n.e.r.i.c. .S.t.o.r.a.g.e. .D.e.v.i.c.e. .0
…0.0…A…2…Gd-.;.A…MQ…L.0.0.0.0.0.0.0.0.0.0.0.0.0.6
…AMBOAMNO…o.W.D.C. .W.D.1.0.E.Z.E.X.-.0.0.B.N.5.A.0…A…
…>…Gd-.;.A…MQ…L. . . . .W. .-.D.M.W.3.C.1.F.6.7.3.0.7.5…AMBOAMNO…o.K.I.N.G.S.
T.O.N. .S.H.1.0.3.S.3.1.2.0.G…A…>…Gd-.;.A…MQ…L.0.5.2.
0.B.6.2.7.1.4.6.1.2.E.B.F. . . . …AMBO”

I suspect it appears as the “name of hard disk only” when legacy boot is allowed. Give me a few hours to explore all boot choices, take pictures of them, and mark what works and what doesn’t. Since changing boot mode in BIOS gives different lists posting them all with all their results could be overwhelming. Is it still necessary at this point?

Basically, when I hit F12 and get to that screen on boot, I differentiate the entries by keywords - “uefi”, “secureboot”, and “opensuse”. They are all followed by a long string of numbers and letters to indicate the same hard disk. There are other keywords like “dvdrom” or “generic device” and I skip over those if hard disk identification string is not the same. Occasionally, I also get a boot option that reads like “P1 ##harddiskstring##”. At this point I’m not sure if I ever tried booting it and I can’t test it without discarding this whole post.

Okay, tested “P1 ##harddiskstring##” and it doesn’t boot, but it fails with a different message, something like “insert proper boot device and press any key”, and this message appears not inside “grub window” like the one about “grub_tpm_measure” but takes over the whole screen.

“Boot mode” is currently set to “Legacy only” but all the usual uefi and secureboot options are still there, as well as “opensuse” - which is the only one that boots.

There’s another BIOS switch for “Storage Boot Option Control” with four configurations for legacy and uefi, and I believe it’s the one that shows or displays “dvdrom”, my other hard disk, or plugged usb sticks as possibly bootable options.

OK, so it implies you have secure boot disabled (you ignored this question earlier). According to previous /boot listing you have

-rwxrwxr-x 1 root root  993656 May 11  2017 grub.efi

This is w-a-a-a-y too old. Current grub.efi is 106126 bytes and dated Sep 16 2018. Which would actually explain the error you are seeing (this still means there are some subtle bugs because grub.efi is supposed to be self contained, but that is different issue).

Please provide output of “rpm -q grub2-x86_64-efi shim” and content of /etc/default/grub.

You are right, the first time it came up I was in chroot from rescue system and then I got distracted by secure boot options in BIOS so I forgot to look into Yast module. Yes, “secure boot” box is unchecked there. I’ll finish this post, enable it, and report any changes afterwards.

According to previous /boot listing you have

-rwxrwxr-x 1 root root  993656 May 11  2017 grub.efi

This is w-a-a-a-y too old.

That might actually be older than TW install, coming from the days when I had Leap.

Please provide output of “rpm -q grub2-x86_64-efi shim” and content of /etc/default/grub.

stan@linux-pwfe:~> rpm -q grub2-x86_64-efi shim
grub2-x86_64-efi-2.02-33.1.x86_64
shim-14-3.1.x86_64

and

linux-pwfe:~ # cat /etc/default/grub
# Modified by YaST2. Last modification on Thu Mar 26 16:25:32 ICT 2015
# THIS FILE WILL BE PARTIALLY OVERWRITTEN by perl-Bootloader
# For the new kernel it try to figure out old parameters. In case we are not able to recognize it (e.g. change of flavor or strange install order ) it it use as fallback installation parameters from /etc/sysconfig/bootloader

# If you change this file, run 'grub2-mkconfig -o /boot/grub2/grub.cfg' afterwards to update
# /boot/grub2/grub.cfg.
GRUB_DISTRIBUTOR=
GRUB_DEFAULT=saved
GRUB_HIDDEN_TIMEOUT=0
GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT=2
GRUB_CMDLINE_LINUX_DEFAULT="resume=/dev/disk/by-id/ata-KINGSTON_SH103S3120G_50026B724116E2FB-part2 splash=silent quiet showopts"
# kernel command line options for failsafe mode
GRUB_CMDLINE_LINUX_RECOVERY="showopts apm=off noresume edd=off powersaved=off nohz=off highres=off processor.max_cstate=1 nomodeset x11failsafe"
GRUB_CMDLINE_LINUX=""
# Uncomment to enable BadRAM filtering, modify to suit your needs
# This works with Linux (no patch required) and with any kernel that obtains
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
#GRUB_BADRAM=0x01234567,0xfefefefe,0x89abcdef,0xefefefef
# Uncomment to disable graphical terminal (grub-pc only)
GRUB_TERMINAL=gfxterm
# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
GRUB_GFXMODE=1680x1050
# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
#GRUB_DISABLE_LINUX_UUID=true
# Uncomment to disable generation of recovery mode menu entries
#GRUB_DISABLE_LINUX_RECOVERY=true
# Uncomment to get a beep at grub start
#GRUB_INIT_TUNE="480 440 1"
# Skip 30_os-prober if you experienced very slow in probing them
# WARNING foregin OS menu entries will be lost if set true here
GRUB_DISABLE_OS_PROBER=false
GRUB_THEME=/boot/grub2/themes/openSUSE/theme.txt
GRUB_BACKGROUND=
GRUB_USE_LINUXEFI=false
SUSE_BTRFS_SNAPSHOT_BOOTING=true
GRUB_ENABLE_CRYPTODISK=n

I checked enable secure boot in Yast/BootLoader and I got a prompt to install “mokutil”, so it probably was never enabled on my computer before. After this it successfully boots into both “UEFI” and “opensuse-secureboot” options on the boot menu.

Problem solved, except I don’t know how I got it in the first place. The machine is almost five years old and I haven’t looked into those parts of the system since forever. Is there anything else I should do about it now?

Also, if anyone encounters it in the future - is there a way to enable secure boot and install required packages by booting from rescue CD?

Question was about BIOS settings, but it does not matter now.

You cannot rebuild grub.cfg from rescue CD anyway, you need to do it from within chroot, at which point using YaST is much more simple and future proof. I could tell you which files and variables are affected but this can change at any time.

That explains your problem. When going via secure boot path grub.efi is loaded, but it does not include “linux” command which your grub.cfg was using. So it attempted to load external module and this resulted in version mismatch between old grub.efi and new grub2 modules.
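The mismatch described in the answer above (a boot entry that starts shim.efi, which hands over to an old grub.efi left on the EFI partition) can be checked for mechanically. The script below is an added example, not part of the original thread or of openSUSE's tooling; it assumes a reference directory (`REF_DIR`, hypothetical) that holds the packaged prebuilt `.efi` files and that the ESP copies are meant to be byte-identical to them, and all function names are illustrative.

```shell
#!/bin/sh
# Added example: flag boot entries whose loader on the ESP differs from the
# packaged copy. Assumptions (not from the thread): REF_DIR holds the
# package's prebuilt *.efi files and ESP copies should be byte-identical.
# Real use:  efibootmgr -v | audit_boot_entries /boot/efi "$REF_DIR"

# Read `efibootmgr -v` output on stdin; print "BootNNNN rel/path.efi" for
# every entry that names a File(...) loader (backslashes become slashes).
efi_loader_paths() {
    sed -n 's/^\(Boot[0-9A-Fa-f]\{4\}\)[*]\{0,1\} .*File(\\\([^)]*\)).*$/\1 \2/p' |
        tr '\\' '/'
}

# Compare one ESP file ($1) with the same-named file in the reference dir ($2).
# Prints OK, STALE (content differs), MISSING (not on ESP) or UNTRACKED.
loader_state() {
    ref="$2/$(basename "$1")"
    if [ ! -f "$1" ]; then echo MISSING
    elif [ ! -f "$ref" ]; then echo UNTRACKED
    elif cmp -s "$1" "$ref"; then echo OK
    else echo STALE
    fi
}

# audit_boot_entries ESP_MOUNT REF_DIR  < efibootmgr-output
# Reports each entry's loader state. For shim.efi entries it also reports the
# grub.efi beside it, since per the thread the secure-boot path loads grub.efi.
audit_boot_entries() {
    esp="$1"; refdir="$2"
    efi_loader_paths | while read -r entry rel; do
        first="$esp/$rel"
        line="$entry $rel $(loader_state "$first" "$refdir")"
        case "$(basename "$rel")" in
            shim.efi)
                second="$(dirname "$first")/grub.efi"
                line="$line grub.efi=$(loader_state "$second" "$refdir")" ;;
        esac
        echo "$line"
    done
}

# Constructed demo: a temporary stand-in for the ESP with an outdated grub.efi,
# fed two boot entries copied from the thread's efibootmgr output.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/esp/EFI/opensuse" "$t/ref"
    echo shim-current > "$t/ref/shim.efi"
    echo grub-current > "$t/ref/grub.efi"
    cp "$t/ref/shim.efi" "$t/esp/EFI/opensuse/shim.efi"
    echo grub-old > "$t/esp/EFI/opensuse/grub.efi"       # stale second stage
    echo generated > "$t/esp/EFI/opensuse/grubx64.efi"   # no reference in demo
    audit_boot_entries "$t/esp" "$t/ref" <<'EOF'
BootCurrent: 0000
Boot0000* opensuse HD(1,GPT,a65dbf51-bb68-4abf-8bf0-956302d75166,0x800,0x4e000)/File(\EFI\opensuse\grubx64.efi)
Boot0001* opensuse-secureboot HD(1,GPT,a65dbf51-bb68-4abf-8bf0-956302d75166,0x800,0x4e000)/File(\EFI\opensuse\shim.efi)
EOF
    rm -rf "$t"
}
```

In the demo the `opensuse-secureboot` entry comes back with `grub.efi=STALE`, which matches the entry that failed in the thread, while the `opensuse` entry is only `UNTRACKED`.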

All in all it was rather interesting and instructive exercise. Thank you.

GUI Yast wasn’t available in chroot, the entire “System” icon in the launcher menu was unresponsive. There’s command line YAST, though, and it could have worked if I tried but somehow I didn’t think of doing that.

Thank you for your help, and all the others as well.