Grub2 Invalid signature error when multi-booting

Hello all,
I’ve run into a curious problem. I’m booting Windows 8, openSUSE 13.1, and Ubuntu 13.10 all with SECURE BOOT enabled and get the following error from grub2 when trying to boot Ubuntu:

error: /boot/vmlinuz-3.11.0-15-generic.efi.signed has invalid signature
error: you need to load the kernel first

Windows has its own drive; the Linux distros are installed on the other. The EFI boot partition is on sda4 with Windows, created when Windows was installed first.
The YaST install of grub does the following: openSUSE boots fine, Windows boots fine, Ubuntu errors out. If I disable Secure Boot, everything works fine.

I tried Ubuntu’s grub2 installation, and it correctly booted all three OSes with Secure Boot enabled and disabled.

I realize the short answer is to just use Ubuntu’s grub installation, but openSUSE is the distro I prefer, and I really want to know why this is happening.
Any help is greatly appreciated.

I’m not sure how the signed kernel works. Presumably, the Ubuntu kernel is signed with a Ubuntu key, while the opensuse kernel is signed with an opensuse key. I’m not completely sure what is supposed to happen.

I was under the impression that a type of generic key is used for these distros. If that is incorrect, I’m still wondering how Ubuntu manages to boot SUSE but not vice-versa.

The problem is, each vendor signs the kernel with its own key. grub2 installed by a vendor normally knows only that vendor's keys, so it cannot verify a file signed by another vendor.

Possible solutions are

  • use your system’s EFI boot manager to directly start the Ubuntu bootloader.
  • configure grub2 to chainload the Ubuntu boot manager instead of attempting to boot its kernel directly. Currently there is no automatic way to do it, and I’m not sure to what extent it is possible. There is limited support for the Windows bootloader …
  • enroll the Ubuntu key using the openSUSE shim interface so it can verify the signature directly

> I’m still wondering how ubuntu manages to boot suse but not vice-versa

Please show Ubuntu's grub.cfg. I’m interested too. Care to open a bug report for openSUSE and post the number here?

I will post Ubuntu's grub.cfg as soon as I have access to the system. I currently do have EFI booting Ubuntu grub; I just want SUSE to do it.

Your third option sounds interesting. I however have no clue how to enroll Ubuntu's key into openSUSE. Is there a resource available with some decent directions? Many thanks.

This theoretically should be possible using mokutil directly from within the OS; you may test it. Otherwise just start MokManager.efi (in \EFI\openSUSE\MokManager.ef) using grub2 or directly from your system’s boot menu if possible. You need to make the keys available on the EFI partition so MokManager can read them. See also https://en.opensuse.org/openSUSE:UEFI near the end.
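The enrollment route arvidjaar describes, as an added example that is not code from this thread or from openSUSE: a small wrapper around mokutil that checks the Secure Boot state, makes sure the certificate is in the DER form mokutil accepts, and queues it for MokManager. The certificate path is a placeholder; that mokutil and openssl are installed, and that the machine was booted through shim, are assumptions of the script rather than facts from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from openSUSE: a wrapper around
# mokutil for the "enroll the other vendor's signing key" route.
# Assumptions (not from the thread): mokutil and openssl are installed, the
# system was booted via EFI with shim, and the certificate path handed to
# enroll_mok is a placeholder for the vendor's actual signing certificate.

# mokutil --import expects a DER-encoded X.509 certificate. DER starts with
# the ASN.1 SEQUENCE tag 0x30; PEM starts with "-----BEGIN". Returns 0 (true)
# when the file looks like DER.
is_der_cert() {
    first=$(od -An -N1 -tx1 "$1" | tr -d ' \n')
    [ "$first" = "30" ]
}

# Write a DER copy of the certificate at $1 to $2, converting from PEM with
# openssl if needed, so mokutil gets the format it wants.
to_der() {
    if is_der_cert "$1"; then
        cp "$1" "$2"
    else
        openssl x509 -in "$1" -inform PEM -outform DER -out "$2"
    fi
}

# Report Secure Boot state. "SecureBoot disabled" means shim is not checking
# signatures at all, so enrolling a MOK would change nothing.
sb_state() {
    mokutil --sb-state 2>/dev/null || echo "mokutil --sb-state unavailable"
}

# Queue the certificate for enrollment. mokutil stores the request in the
# MokNew EFI variable; on the next boot MokManager asks for the one-time
# password chosen here and only then adds the key to the MOK list, so the
# kernel will still fail to verify until that reboot has been completed.
enroll_mok() {
    cert="$1"                      # placeholder, e.g. /root/vendor-signing.der
    tmp=$(mktemp) || return 1
    to_der "$cert" "$tmp" || { rm -f "$tmp"; return 1; }
    mokutil --import "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: ./enroll-mok.sh /path/to/vendor-signing-cert.der
if [ $# -eq 1 ]; then
    sb_state
    enroll_mok "$1"
    echo "Reboot: MokManager will prompt for the password. Afterwards verify with: mokutil --list-enrolled"
fi
```

After the reboot, `mokutil --list-enrolled` should show the new certificate; if it does not, the MokManager step was skipped or cancelled and the import has to be repeated.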

On 2014-02-21 08:06, arvidjaar wrote:

> Possible solutions are

> - configure grub2 to chainload Ubuntu bootmanager instead of attempting
> to boot its kernel directly. Currently there is no automatic way to do
> it, and I’m not sure to which extent it is possible. There is limited
> support for Windows bootloader …

Can’t grub be chainloaded from the custom config file? :-?


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

The distros use their own version of “shim.efi”. They get Microsoft to sign that. Then “shim.efi” verifies the kernel signature, based on the distro’s signing key. There’s a utility MokManager where you can enroll additional signing keys. The documentation was not good when I last checked. If you can enroll the ubuntu signing key with MokManager, that would probably solve your problem.

It could have worked both ways with opensuse 12.3, but not with 13.1. With opensuse 12.3, it was possible to use secure-boot to load “shim.efi”, and then to configure grub so that “shim.efi” did not check signatures of the kernels that it loaded. I’m guessing that ubuntu is doing that to load opensuse.

That you could load a kernel, without checking its signature, was seen as a weakness in the secure-boot support. That weakness was fixed for opensuse 13.1, and now you can’t do it. At some future time, Ubuntu may make the same fixes, and then Ubuntu won’t be able to boot opensuse.

Your possible solutions seem to be:

  1. Turn off secure-boot;
  2. Enroll the Ubuntu key with MokManager;
  3. Use the grub installed with Ubuntu to handle the booting;
  4. Create a chain-loader section of your grub configuration, so that the grub2-efi (from opensuse) chainloads to the grub2-efi installed by ubuntu, when loading ubuntu. I think you will have to hand-craft that section of the configuration. Use the way chainloading is setup for Windows as a guide.
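Option 4 above (and arvidjaar's second option earlier), as an added example that is not code from this thread or from either distribution: a script that emits a custom.cfg entry chainloading Ubuntu's shim from openSUSE's grub2, modelled on the Windows Boot Manager entry in Ubuntu's grub.cfg (locate the ESP by filesystem UUID, then chainloader). Assumptions not taken from the thread: Ubuntu's shim lives at /EFI/ubuntu/shimx64.efi on the ESP, the ESP is mounted at /boot/efi, and openSUSE's 41_custom sources /boot/grub2/custom.cfg; the UUID 24B0-7229 used in the usage line is the ESP UUID that appears in the posted Ubuntu grub.cfg. Whether openSUSE's shim/grub2 combination accepts the hand-off is exactly what the thread leaves open; what the script does guarantee is that the entry points at an existing PE image, which rules out grub's "invalid EFI file path" error as a cause.

```shell
#!/bin/sh
# Added example, not code from the thread or from openSUSE/Ubuntu: build a
# custom.cfg entry that chainloads Ubuntu's signed shim from openSUSE's grub2,
# following the Windows Boot Manager entry pattern (insmod part_gpt, insmod fat,
# search --fs-uuid, chainloader) in the posted grub.cfg.
# Assumptions (not from the thread): Ubuntu's shim path, the ESP mount point and
# the custom.cfg location below.

ESP_MOUNT=/boot/efi                 # assumed mount point of the ESP
UBUNTU_SHIM=/EFI/ubuntu/shimx64.efi  # assumed location of Ubuntu's shim on the ESP
CUSTOM_CFG=/boot/grub2/custom.cfg    # file openSUSE's 41_custom sources at boot

# grub reports "invalid EFI file path" when the chainloader target does not
# exist. Check that the file is present under the mount point and is a PE/COFF
# image (starts with "MZ") before writing an entry that points at it.
# $1 = ESP mount point, $2 = path on the ESP beginning with "/".
check_efi_image() {
    f="$1$2"
    [ -f "$f" ] || return 1
    [ "$(head -c 2 "$f")" = "MZ" ]
}

# Emit a menu entry: find the ESP by filesystem UUID, as the Windows entry does,
# then hand control to Ubuntu's shim instead of loading Ubuntu's kernel with
# openSUSE's grub2, which has no key to verify it against.
chainload_entry() {
    esp_uuid="$1"; efi_path="$2"; title="$3"
    cat <<EOF
menuentry '$title' --class ubuntu --class os {
    insmod part_gpt
    insmod fat
    search --no-floppy --fs-uuid --set=root $esp_uuid
    chainloader $efi_path
}
EOF
}

# Usage: ./ubuntu-chainload.sh 24B0-7229
# No grub2-mkconfig run is needed afterwards: 41_custom sources custom.cfg on
# every boot.
if [ $# -eq 1 ]; then
    if check_efi_image "$ESP_MOUNT" "$UBUNTU_SHIM"; then
        chainload_entry "$1" "$UBUNTU_SHIM" 'Ubuntu (via Ubuntu shim)' >> "$CUSTOM_CFG"
        echo "appended chainload entry to $CUSTOM_CFG"
    else
        echo "no PE image at $ESP_MOUNT$UBUNTU_SHIM; adjust UBUNTU_SHIM" >&2
        exit 1
    fi
fi
```

The entry deliberately targets shim rather than grubx64.efi: shim is the binary carrying the Microsoft signature that the firmware's db trusts, so the chain stays verifiable at every step instead of asking openSUSE's grub2 to accept a kernel it cannot check.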

Thanks for all the suggestions. I’ve tried chainloading Ubuntu in the Windows “style” but had no luck. Got a variety of errors including “invalid EFI file path”. I’m still working on getting openSUSE to sign the Ubuntu binary, but it's not well documented, or perhaps I am a bit daft. In any case, here is the Ubuntu grub.cfg file as promised.

Interesting thing I noted: when Ubuntu boots openSUSE, for a split second grub displays “INVALID SIGNATURE” but the OS continues to boot. I believe this may enforce what nrickert said about how Ubuntu does this successfully. If Ubuntu and other distros patch this, I foresee a bunch of posts for help. As we all know, multibooting is quite common for Linux users and Secure Boot is making this extremely difficult.


#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
if [ -s $prefix/grubenv ]; then
  set have_grubenv=true
  load_env
fi
set default="0"

if [ x"${feature_menuentry_id}" = xy ]; then
  menuentry_id_option="--id"
else
  menuentry_id_option=""
fi

export menuentry_id_option

if [ "${prev_saved_entry}" ]; then
  set saved_entry="${prev_saved_entry}"
  save_env saved_entry
  set prev_saved_entry=
  save_env prev_saved_entry
  set boot_once=true
fi

function savedefault {
  if [ -z "${boot_once}" ]; then
    saved_entry="${chosen}"
    save_env saved_entry
  fi
}

function recordfail {
  set recordfail=1
  if [ -n "${have_grubenv}" ]; then if [ -z "${boot_once}" ]; then save_env recordfail; fi; fi
}

function load_video {
  if [ x$feature_all_video_module = xy ]; then
    insmod all_video
  else
    insmod efi_gop
    insmod efi_uga
    insmod ieee1275_fb
    insmod vbe
    insmod vga
    insmod video_bochs
    insmod video_cirrus
  fi
}

if [ x$feature_default_font_path = xy ] ; then
   font=unicode
else
insmod part_gpt
insmod ext2
set root='hd1,gpt4'
if [ x$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root --hint-bios=hd1,gpt4 --hint-efi=hd1,gpt4 --hint-baremetal=ahci1,gpt4  c83c72ba-a33e-48ef-a764-44a892a7962d
else
  search --no-floppy --fs-uuid --set=root c83c72ba-a33e-48ef-a764-44a892a7962d
fi
    font="/usr/share/grub/unicode.pf2"
fi

if loadfont $font ; then
  set gfxmode=auto
  load_video
  insmod gfxterm
  set locale_dir=$prefix/locale
  set lang=en_US
  insmod gettext
fi
terminal_output gfxterm
if [ "${recordfail}" = 1 ]; then
  set timeout=-1
else
  set timeout=10
fi
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/05_debian_theme ###
set menu_color_normal=white/black
set menu_color_highlight=black/light-gray
if background_color 44,0,30; then
  clear
fi
### END /etc/grub.d/05_debian_theme ###

### BEGIN /etc/grub.d/10_linux ###
function gfxmode {
    set gfxpayload="${1}"
    if [ "${1}" = "keep" ]; then
        set vt_handoff=vt.handoff=7
    else
        set vt_handoff=
    fi
}
if [ "${recordfail}" != 1 ]; then
  if [ -e ${prefix}/gfxblacklist.txt ]; then
    if hwmatch ${prefix}/gfxblacklist.txt 3; then
      if [ ${match} = 0 ]; then
        set linux_gfx_mode=keep
      else
        set linux_gfx_mode=text
      fi
    else
      set linux_gfx_mode=text
    fi
  else
    set linux_gfx_mode=keep
  fi
else
  set linux_gfx_mode=text
fi
export linux_gfx_mode
menuentry 'Ubuntu' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-c83c72ba-a33e-48ef-a764-44a892a7962d' {
recordfail
    load_video
    gfxmode $linux_gfx_mode
    insmod gzio
    insmod part_gpt
    insmod ext2
    set root='hd1,gpt4'
    if [ x$feature_platform_search_hint = xy ]; then
      search --no-floppy --fs-uuid --set=root --hint-bios=hd1,gpt4 --hint-efi=hd1,gpt4 --hint-baremetal=ahci1,gpt4  c83c72ba-a33e-48ef-a764-44a892a7962d
    else
      search --no-floppy --fs-uuid --set=root c83c72ba-a33e-48ef-a764-44a892a7962d
    fi
    linux    /boot/vmlinuz-3.11.0-15-generic.efi.signed root=UUID=c83c72ba-a33e-48ef-a764-44a892a7962d ro   quiet splash $vt_handoff
    initrd    /boot/initrd.img-3.11.0-15-generic
}
submenu 'Advanced options for Ubuntu' $menuentry_id_option 'gnulinux-advanced-c83c72ba-a33e-48ef-a764-44a892a7962d' {
    menuentry 'Ubuntu, with Linux 3.11.0-15-generic' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-3.11.0-15-generic-advanced-c83c72ba-a33e-48ef-a764-44a892a7962d' {
    recordfail
        load_video
        gfxmode $linux_gfx_mode
        insmod gzio
        insmod part_gpt
        insmod ext2
        set root='hd1,gpt4'
        if [ x$feature_platform_search_hint = xy ]; then
          search --no-floppy --fs-uuid --set=root --hint-bios=hd1,gpt4 --hint-efi=hd1,gpt4 --hint-baremetal=ahci1,gpt4  c83c72ba-a33e-48ef-a764-44a892a7962d
        else
          search --no-floppy --fs-uuid --set=root c83c72ba-a33e-48ef-a764-44a892a7962d
        fi
        echo    'Loading Linux 3.11.0-15-generic ...'
        linux    /boot/vmlinuz-3.11.0-15-generic.efi.signed root=UUID=c83c72ba-a33e-48ef-a764-44a892a7962d ro   quiet splash $vt_handoff
        echo    'Loading initial ramdisk ...'
        initrd    /boot/initrd.img-3.11.0-15-generic
    }
    menuentry 'Ubuntu, with Linux 3.11.0-15-generic (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-3.11.0-15-generic-recovery-c83c72ba-a33e-48ef-a764-44a892a7962d' {
    recordfail
        load_video
        insmod gzio
        insmod part_gpt
        insmod ext2
        set root='hd1,gpt4'
        if [ x$feature_platform_search_hint = xy ]; then
          search --no-floppy --fs-uuid --set=root --hint-bios=hd1,gpt4 --hint-efi=hd1,gpt4 --hint-baremetal=ahci1,gpt4  c83c72ba-a33e-48ef-a764-44a892a7962d
        else
          search --no-floppy --fs-uuid --set=root c83c72ba-a33e-48ef-a764-44a892a7962d
        fi
        echo    'Loading Linux 3.11.0-15-generic ...'
        linux    /boot/vmlinuz-3.11.0-15-generic.efi.signed root=UUID=c83c72ba-a33e-48ef-a764-44a892a7962d ro recovery nomodeset 
        echo    'Loading initial ramdisk ...'
        initrd    /boot/initrd.img-3.11.0-15-generic
    }
}
### END /etc/grub.d/10_linux ###

### BEGIN /etc/grub.d/20_linux_xen ###

### END /etc/grub.d/20_linux_xen ###

### BEGIN /etc/grub.d/20_memtest86+ ###
### END /etc/grub.d/20_memtest86+ ###

### BEGIN /etc/grub.d/30_os-prober ###
menuentry "Windows Boot Manager (UEFI on /dev/sda2)" --class windows --class os {
    insmod part_gpt
    insmod fat
    set root='hd0,gpt2'
    if [ x$feature_platform_search_hint = xy ]; then
      search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt2 --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2  24B0-7229
    else
      search --no-floppy --fs-uuid --set=root 24B0-7229
    fi
    chainloader /EFI/Microsoft/Boot/bootmgfw.efi
}
menuentry 'openSUSE 13.1 (x86_64)' --class gnu-linux --class gnu --class os $menuentry_id_option 'osprober-gnulinux-simple-9f7aec37-99e2-46d3-a7ed-cbb72c887f42' {
    insmod part_gpt
    insmod ext2
    set root='hd1,gpt2'
    if [ x$feature_platform_search_hint = xy ]; then
      search --no-floppy --fs-uuid --set=root --hint-bios=hd1,gpt2 --hint-efi=hd1,gpt2 --hint-baremetal=ahci1,gpt2  9f7aec37-99e2-46d3-a7ed-cbb72c887f42
    else
      search --no-floppy --fs-uuid --set=root 9f7aec37-99e2-46d3-a7ed-cbb72c887f42
    fi
    linux /boot/vmlinuz root=/dev/sdb2
    initrd /boot/initrd
}
submenu 'Advanced options for openSUSE 13.1 (x86_64)' $menuentry_id_option 'osprober-gnulinux-advanced-9f7aec37-99e2-46d3-a7ed-cbb72c887f42' {
    menuentry 'openSUSE 13.1 (x86_64) (on /dev/sdb2)' --class gnu-linux --class gnu --class os $menuentry_id_option 'osprober-gnulinux-/boot/vmlinuz--9f7aec37-99e2-46d3-a7ed-cbb72c887f42' {
        insmod part_gpt
        insmod ext2
        set root='hd1,gpt2'
        if [ x$feature_platform_search_hint = xy ]; then
          search --no-floppy --fs-uuid --set=root --hint-bios=hd1,gpt2 --hint-efi=hd1,gpt2 --hint-baremetal=ahci1,gpt2  9f7aec37-99e2-46d3-a7ed-cbb72c887f42
        else
          search --no-floppy --fs-uuid --set=root 9f7aec37-99e2-46d3-a7ed-cbb72c887f42
        fi
        linux /boot/vmlinuz root=/dev/sdb2
        initrd /boot/initrd

    
    }
}

### END /etc/grub.d/30_os-prober ###

### BEGIN /etc/grub.d/30_uefi-firmware ###
menuentry 'System setup' $menuentry_id_option 'uefi-firmware' {
    fwsetup
}
### END /etc/grub.d/30_uefi-firmware ###

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f  ${config_directory}/custom.cfg ]; then
  source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
  source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ###

Unless Ubuntu has heavily patched grub2, the above performs a traditional Linux boot without checking the signature. Currently the de-facto standard across distributions is to use a separate command (linuxefi) in the case of secure boot, even though linuxefi itself is not part of upstream.

Doing it as shown in grub.cfg defeats the purpose of secure boot entirely and is actually an Ubuntu bug, not a feature.
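The distinction arvidjaar draws, as an added example that is not code from this thread: an audit script that walks a grub.cfg and reports, per menu entry, whether the kernel is loaded with plain `linux` (the traditional path, no signature check) or with `linuxefi`/`chainloader` (handed to shim for verification). It runs on the posted Ubuntu grub.cfg as-is; the sample configuration embedded in the script is constructed for the demonstration and mirrors the entry shapes seen above.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a grub.cfg for menu entries
# whose kernel is loaded with the plain "linux" command. In distribution grub2
# builds carrying the linuxefi patch, only linuxefi/initrdefi hand the image to
# shim for signature verification; "linux" loads it with no check, which is
# what the posted Ubuntu grub.cfg does. chainloader also goes through shim.

# Print one line per menuentry: "UNVERIFIED<TAB>title" for plain linux,
# "VERIFIED<TAB>title" for linuxefi or chainloader, "NONE<TAB>title" otherwise
# (e.g. the firmware-setup entry). Submenus are descended into because their
# nested menuentry lines match the same pattern.
audit_grub_cfg() {
    prog=$(cat <<'EOF'
function emit() { if (title != "") print verdict "\t" title }
/^[ \t]*menuentry[ \t]/ {
    emit()
    s = $0
    sub(/^[ \t]*menuentry[ \t]+/, "", s)
    q = substr(s, 1, 1)                  # opening quote character, ' or "
    s = substr(s, 2)
    title = substr(s, 1, index(s, q) - 1) # text up to the matching quote
    verdict = "NONE"
    next
}
/^[ \t]*linux[ \t]/       { verdict = "UNVERIFIED" }
/^[ \t]*linuxefi[ \t]/    { verdict = "VERIFIED" }
/^[ \t]*chainloader[ \t]/ { verdict = "VERIFIED" }
END { emit() }
EOF
)
    awk "$prog" "$1"
}

# Number of entries that would boot a kernel without a signature check.
count_unverified() {
    audit_grub_cfg "$1" | grep -c '^UNVERIFIED' || true
}

# Constructed sample configuration (not a real grub.cfg) with the entry shapes
# seen in the thread: plain linux, a nested recovery entry, linuxefi, chainloader.
write_sample_cfg() {
    cat > "$1" <<'EOF'
menuentry 'Ubuntu' --class ubuntu --class os {
    insmod part_gpt
    insmod ext2
    set root='hd1,gpt4'
    linux    /boot/vmlinuz-3.11.0-15-generic.efi.signed root=UUID=c83c72ba-a33e-48ef-a764-44a892a7962d ro quiet splash
    initrd    /boot/initrd.img-3.11.0-15-generic
}
submenu 'Advanced options for Ubuntu' {
    menuentry 'Ubuntu, with Linux 3.11.0-15-generic (recovery mode)' --class ubuntu {
        linux    /boot/vmlinuz-3.11.0-15-generic.efi.signed root=UUID=c83c72ba-a33e-48ef-a764-44a892a7962d ro recovery nomodeset
        initrd    /boot/initrd.img-3.11.0-15-generic
    }
}
menuentry 'openSUSE 13.1 (secure boot)' --class gnu-linux {
    linuxefi /boot/vmlinuz root=/dev/sdb2
    initrdefi /boot/initrd
}
menuentry "Windows Boot Manager (UEFI on /dev/sda2)" --class windows --class os {
    insmod fat
    chainloader /EFI/Microsoft/Boot/bootmgfw.efi
}
menuentry 'System setup' {
    fwsetup
}
EOF
}

# Usage: ./audit-grub.sh /boot/grub2/grub.cfg   (no argument: run on the sample)
if [ $# -eq 1 ]; then
    audit_grub_cfg "$1"
else
    tmp=$(mktemp)
    write_sample_cfg "$tmp"
    audit_grub_cfg "$tmp"
    rm -f "$tmp"
fi
```

Run against the Ubuntu grub.cfg posted above, every Ubuntu entry comes out UNVERIFIED, which is the configuration-level view of the "INVALID SIGNATURE" flash the original poster saw: the signature is checked, reported, and then ignored.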

> secure boot is making this extremely difficult.

Security measures are not intended to make using computers easier, but more secure. This usually means imposing some restrictions on what you can do and how you can do it. Which rarely makes doing it easier.

If I were in that situation, I would just turn off secure-boot. As best I can tell, it offers no real benefit to me.