I am currently dual-booting Gentoo and Windows (on two different disks). I boot with grub2 on the Linux drive, where I can choose Gentoo or Windows (added by os-prober).
Recently I updated Windows 10 to Windows 11. After that, some applications started complaining that Secure Boot was not enabled. The thing is, in the BIOS menu of my motherboard (Asus z370f) the Secure Boot option was enabled. I then found that I could set the Secure Boot policy either to Other OS (which it already was) or to Windows UEFI (which, I guess, actually checks the Microsoft-provided signatures). After enabling the latter, my dual-boot setup did nothing at all: after a red error message I was redirected to Windows 11.
To restore my dual boot while keeping Secure Boot, I followed Sasaki's Secure Boot guide. More specifically:
- I saved the EFI keys (PK, KEK, db, dbx)
- created new EFI keys with openssl
- created the compound keys and signed them
- cleared the motherboard keys and uploaded the compound keys
After that I confirmed with efi-readvar that the keys had been loaded successfully. I then went on to sign the kernel with sbsign, using the newly created certificate:
sbsign --key /etc/efikeys/db.key --cert /etc/efikeys/db.crt --output /boot/vmlinuz-6.1.2.signed /boot/vmlinuz-6.1.2
I figured everything should work now. Except that I was still getting the red error message about attempting to load unsigned code. After banging my head on the desk for a while, I tried signing the grub image:
sbsign --key /etc/efikeys/db.key --cert /etc/efikeys/db.crt --output /boot/efi/gentoo/grubx64.efi grubx64.efi.back
Now things got a bit better: grub at least started correctly. However, it could not actually boot Linux or Windows. After more searching and frustration I realised that grub could not load some of the modules it needs for booting (because they were not signed). So I used grub-install with a bunch of modules:
MODULES="all_video cat chain configfile disk echo \
ext2 efi_gop efifwsetup efi_uga fat file font gfxmenu gettext gfxterm \
gzio help jpeg linux ls normal part_gpt \
reboot search test tpm video_colors video \
gcry_sha512 gcry_rsa gcry_sha256"
grub-mkconfig -o /boot/grub/grub.cfg
grub-install --target=x86_64-efi --efi-directory=/boot --disable-shim-lock --modules="$MODULES"
mv /boot/efi/gentoo/grubx64.efi grubx64.efi.back
sbsign --key /etc/efikeys/db.key --cert /etc/efikeys/db.crt --output /boot/efi/gentoo/grubx64.efi grubx64.efi.back
At this point I could actually boot either Windows 11 or Gentoo with grub, even with Secure Boot in Windows UEFI mode. After a few hours of trial and error, everything worked.
The problem showed up the next day, when I noticed that I could boot not only with vmlinux-6.1.2.signed (the kernel I actually signed) but also with vmlinux-6.1.2 (the original, unsigned kernel). Grub let me boot an unsigned kernel (!) with Secure Boot enabled, and when I checked dmesg on both kernels, both had the Secure boot enabled message (!!).
So the problem I currently have is: why do grub (and my UEFI) let me boot an unsigned kernel even with Secure Boot enabled? Did I make any mistake in the way I added the keys? Did I make a mistake when signing grub?
Note: I did not use any GPG keys during this process. For creating and uploading the keys I strictly followed Sasaki's guide. If possible I would like to avoid gpg keys and use only the certificates created with openssl.
Note 2: I tried adding these lines to my grub config, but that did not work particularly well: grub complained about missing .sig files and refused to boot anything.
set check_signatures=enforce
export check_signatures
Honestly, I just want grub to check whether the kernel is signed, but it seems this option is tied to gpg signatures, which I have not added to my grub.
Note 3: I also noticed that grub became noticeably slower after my various changes. Before, booting was almost instantaneous, whereas now I can see the "Welcome" message for a second before the menu opens. Also the console is very sluggish, with a delay on every keystroke. Did I make things worse by having too many modules or something like that?
/boot/grub/grub.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#
### BEGIN /etc/grub.d/00_header ###
if [ -s $prefix/grubenv ]; then
load_env
fi
if [ "${next_entry}" ] ; then
set default="${next_entry}"
set next_entry=
save_env next_entry
set boot_once=true
else
set default="Advanced options for Gentoo GNU/Linux>Gentoo GNU/Linux, with Linux 5.15.6-gentoo.signed"
fi
if [ x"${feature_menuentry_id}" = xy ]; then
menuentry_id_option="--id"
else
menuentry_id_option=""
fi
export menuentry_id_option
if [ "${prev_saved_entry}" ]; then
set saved_entry="${prev_saved_entry}"
save_env saved_entry
set prev_saved_entry=
save_env prev_saved_entry
set boot_once=true
fi
function savedefault {
if [ -z "${boot_once}" ]; then
saved_entry="${chosen}"
save_env saved_entry
fi
}
function load_video {
if [ x$feature_all_video_module = xy ]; then
insmod all_video
else
insmod efi_gop
insmod efi_uga
insmod ieee1275_fb
insmod vbe
insmod vga
insmod video_bochs
insmod video_cirrus
fi
}
insmod part_gpt
insmod fat
search --no-floppy --fs-uuid --set=root e179-b0bd
if loadfont /grub/fonts/Terminus18.pf2 ; then
set gfxmode=2560x1440,auto
load_video
insmod gfxterm
set locale_dir=$prefix/locale
set lang=en_US
insmod gettext
fi
terminal_output gfxterm
insmod part_gpt
insmod fat
search --no-floppy --fs-uuid --set=root e179-b0bd
insmod gfxmenu
loadfont ($root)/grub/themes/vimix/dejavu_sans_12.pf2
loadfont ($root)/grub/themes/vimix/dejavu_sans_14.pf2
loadfont ($root)/grub/themes/vimix/dejavu_sans_16.pf2
loadfont ($root)/grub/themes/vimix/dejavu_sans_24.pf2
loadfont ($root)/grub/themes/vimix/dejavu_sans_32.pf2
loadfont ($root)/grub/themes/vimix/dejavu_sans_48.pf2
loadfont ($root)/grub/themes/vimix/terminus-12.pf2
loadfont ($root)/grub/themes/vimix/terminus-14.pf2
loadfont ($root)/grub/themes/vimix/terminus-16.pf2
loadfont ($root)/grub/themes/vimix/terminus-18.pf2
insmod jpeg
insmod png
set theme=($root)/grub/themes/vimix/theme.txt
export theme
if [ x$feature_timeout_style = xy ] ; then
set timeout_style=menu
set timeout=5
# fallback normal timeout code in case the timeout_style feature is
# unavailable.
else
set timeout=5
fi
### END /etc/grub.d/00_header ###
### BEGIN /etc/grub.d/10_linux ###
menuentry 'Gentoo GNU/Linux' --class gentoo --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-889b06ae-8d49-4046-a1c6-42e6967862b2' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_gpt
insmod fat
search --no-floppy --fs-uuid --set=root e179-b0bd
echo 'Loading Linux 6.1.2-gentoo.signed ...'
linux /vmlinuz-6.1.2-gentoo.signed root=/dev/nvme1n1p3 ro vt.default_utf8=1
}
submenu 'Advanced options for Gentoo GNU/Linux' $menuentry_id_option 'gnulinux-advanced-889b06ae-8d49-4046-a1c6-42e6967862b2' {
menuentry 'Gentoo GNU/Linux, with Linux 6.1.2-gentoo.signed' --class gentoo --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.2-gentoo.signed-advanced-889b06ae-8d49-4046-a1c6-42e6967862b2' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_gpt
insmod fat
search --no-floppy --fs-uuid --set=root e179-b0bd
echo 'Loading Linux 6.1.2-gentoo.signed ...'
linux /vmlinuz-6.1.2-gentoo.signed root=/dev/nvme1n1p3 ro vt.default_utf8=1
}
menuentry 'Gentoo GNU/Linux, with Linux 6.1.2-gentoo.signed (recovery mode)' --class gentoo --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.2-gentoo.signed-recovery-889b06ae-8d49-4046-a1c6-42e6967862b2' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_gpt
insmod fat
search --no-floppy --fs-uuid --set=root e179-b0bd
echo 'Loading Linux 6.1.2-gentoo.signed ...'
linux /vmlinuz-6.1.2-gentoo.signed root=/dev/nvme1n1p3 ro single
}
menuentry 'Gentoo GNU/Linux, with Linux 6.1.2-gentoo' --class gentoo --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.2-gentoo-advanced-889b06ae-8d49-4046-a1c6-42e6967862b2' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_gpt
insmod fat
search --no-floppy --fs-uuid --set=root e179-b0bd
echo 'Loading Linux 6.1.2-gentoo ...'
linux /vmlinuz-6.1.2-gentoo root=/dev/nvme1n1p3 ro vt.default_utf8=1
}
menuentry 'Gentoo GNU/Linux, with Linux 6.1.2-gentoo (recovery mode)' --class gentoo --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.2-gentoo-recovery-889b06ae-8d49-4046-a1c6-42e6967862b2' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_gpt
insmod fat
search --no-floppy --fs-uuid --set=root e179-b0bd
echo 'Loading Linux 6.1.2-gentoo ...'
linux /vmlinuz-6.1.2-gentoo root=/dev/nvme1n1p3 ro single
}
menuentry 'Gentoo GNU/Linux, with Linux 5.15.6-gentoo.signed' --class gentoo --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.15.6-gentoo.signed-advanced-889b06ae-8d49-4046-a1c6-42e6967862b2' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_gpt
insmod fat
search --no-floppy --fs-uuid --set=root e179-b0bd
echo 'Loading Linux 5.15.6-gentoo.signed ...'
linux /vmlinuz-5.15.6-gentoo.signed root=/dev/nvme1n1p3 ro vt.default_utf8=1
}
menuentry 'Gentoo GNU/Linux, with Linux 5.15.6-gentoo.signed (recovery mode)' --class gentoo --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.15.6-gentoo.signed-recovery-889b06ae-8d49-4046-a1c6-42e6967862b2' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_gpt
insmod fat
search --no-floppy --fs-uuid --set=root e179-b0bd
echo 'Loading Linux 5.15.6-gentoo.signed ...'
linux /vmlinuz-5.15.6-gentoo.signed root=/dev/nvme1n1p3 ro single
}
menuentry 'Gentoo GNU/Linux, with Linux 5.15.6-gentoo' --class gentoo --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.15.6-gentoo-advanced-889b06ae-8d49-4046-a1c6-42e6967862b2' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_gpt
insmod fat
search --no-floppy --fs-uuid --set=root e179-b0bd
echo 'Loading Linux 5.15.6-gentoo ...'
linux /vmlinuz-5.15.6-gentoo root=/dev/nvme1n1p3 ro vt.default_utf8=1
}
menuentry 'Gentoo GNU/Linux, with Linux 5.15.6-gentoo (recovery mode)' --class gentoo --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.15.6-gentoo-recovery-889b06ae-8d49-4046-a1c6-42e6967862b2' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_gpt
insmod fat
search --no-floppy --fs-uuid --set=root e179-b0bd
echo 'Loading Linux 5.15.6-gentoo ...'
linux /vmlinuz-5.15.6-gentoo root=/dev/nvme1n1p3 ro single
}
}
### END /etc/grub.d/10_linux ###
### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###
### BEGIN /etc/grub.d/30_os-prober ###
menuentry 'Windows Boot Manager (on /dev/nvme0n1p1)' --class windows --class os $menuentry_id_option 'osprober-efi-3e17-e3b9' {
insmod part_gpt
insmod fat
search --no-floppy --fs-uuid --set=root 3e17-e3b9
chainloader /EFI/Microsoft/Boot/bootmgfw.efi
}
### END /etc/grub.d/30_os-prober ###
### BEGIN /etc/grub.d/30_uefi-firmware ###
menuentry 'UEFI Firmware Settings' $menuentry_id_option 'uefi-firmware' {
fwsetup
}
### END /etc/grub.d/30_uefi-firmware ###
### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
#set check_signatures=enforce
#export check_signatures
### END /etc/grub.d/40_custom ###
### BEGIN /etc/grub.d/41_custom ###
if [ -f ${config_directory}/custom.cfg ]; then
source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
source $prefix/custom.cfg
fi
### END /etc/grub.d/41_custom ###
/etc/default/grub
# Copyright 1999-2020 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
#
# To populate all changes in this file you need to regenerate your
# grub configuration file afterwards:
# 'grub-mkconfig -o /boot/grub/grub.cfg'
#
# See the grub info page for documentation on possible variables and
# their associated values.
GRUB_DISTRIBUTOR="Gentoo"
# Default menu entry
#GRUB_DEFAULT=0
# Boot the default entry this many seconds after the menu is displayed
GRUB_TIMEOUT=5
#GRUB_TIMEOUT_STYLE=menu
# Append parameters to the linux kernel command line
#GRUB_CMDLINE_LINUX=""
#
# Examples:
#
# Boot with network interface renaming disabled
# GRUB_CMDLINE_LINUX="net.ifnames=0"
#
# Boot with systemd instead of sysvinit (openrc)
# GRUB_CMDLINE_LINUX="init=/usr/lib/systemd/systemd"
# Append parameters to the linux kernel command line for non-recovery entries
#GRUB_CMDLINE_LINUX_DEFAULT=""
# Uncomment to disable graphical terminal (grub-pc only)
#GRUB_TERMINAL=console
# The resolution used on graphical terminal.
# Note that you can use only modes which your graphic card supports via VBE.
# You can see them in real GRUB with the command `vbeinfo'.
GRUB_GFXMODE=2560x1440,auto
# Set to 'text' to force the Linux kernel to boot in normal text
# mode, 'keep' to preserve the graphics mode set using
# 'GRUB_GFXMODE', 'WIDTHxHEIGHT'['xDEPTH'] to set a particular
# graphics mode, or a sequence of these separated by commas or
# semicolons to try several modes in sequence.
#GRUB_GFXPAYLOAD_LINUX=
# Path to theme spec txt file.
# The starfield is by default provided with use truetype.
# NOTE: when enabling custom theme, ensure you have required font/etc.
GRUB_THEME="/boot/grub/themes/vimix/theme.txt"
# Background image used on graphical terminal.
# Can be in various bitmap formats.
#GRUB_BACKGROUND="/boot/grub/mybackground.png"
# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to kernel
#GRUB_DISABLE_LINUX_UUID=true
# Uncomment to disable generation of recovery mode menu entries
#GRUB_DISABLE_RECOVERY=true
# Uncomment to disable generation of the submenu and put all choices on
# the top-level menu.
# Besides the visual affect of no sub menu, this makes navigation of the
# menu easier for a user who can't see the screen.
#GRUB_DISABLE_SUBMENU=y
# Uncomment to play a tone when the main menu is displayed.
# This is useful, for example, to allow users who can't see the screen
# to know when they can make a choice on the menu.
#GRUB_INIT_TUNE="60 800 1"
GRUB_DEFAULT="Advanced options for Gentoo GNU/Linux>Gentoo GNU/Linux, with Linux 5.15.6-gentoo.signed"
# EDITED
GRUB_TERMINAL_OUTPUT="gfxterm"
GRUB_FONT=/boot/grub/fonts/Terminus18.pf2
GRUB_GFXMODE=2560x1440,auto
GRUB_GFXPAYLOAD_LINUX=keep
GRUB_DISABLE_OS_PROBER=n
GRUB_CMDLINE_LINUX_DEFAULT="vt.default_utf8=1"
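
Added example (not from the question, from Sasaki's guide, or from GRUB/sbsigntools): in this chain the firmware verifies only grubx64.efi, and a GRUB built with --disable-shim-lock and no embedded GPG key verifies nothing it loads afterwards, so the first thing to establish is which vmlinuz files actually carry the Authenticode signature table that sbsign adds. The parser below reads that entry from the PE optional header; the script name, the file paths and the constructed test header are assumptions.

```python
import struct
import sys
from pathlib import Path

# Data directory index 4 of the PE optional header is the Authenticode
# (security) entry; sbsign fills it in, an unsigned vmlinuz leaves it zero.
SECURITY_DIR_INDEX = 4

def authenticode_directory(image: bytes):
    """Return (file_offset, size) of the embedded signature table, or None
    when the image carries none. Pure header parsing, no crypto."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE/EFI image (missing MZ header)")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]        # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_off = pe_off + 4 + 20                                # skip COFF header
    magic = struct.unpack_from("<H", image, opt_off)[0]
    if magic == 0x20B:          # PE32+, what an x86_64 EFI binary/kernel is
        nrva_off, dirs_off = opt_off + 108, opt_off + 112
    elif magic == 0x10B:        # PE32
        nrva_off, dirs_off = opt_off + 92, opt_off + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", image, nrva_off)[0]
    if n_dirs <= SECURITY_DIR_INDEX:                        # entry absent
        return None
    off, size = struct.unpack_from("<II", image, dirs_off + 8 * SECURITY_DIR_INDEX)
    return (off, size) if off and size else None

def is_signed(path) -> bool:
    """True if the image at path has an Authenticode signature table."""
    return authenticode_directory(Path(path).read_bytes()) is not None

def constructed_pe32plus(signed: bool) -> bytes:
    """Constructed minimal PE32+ header (not a real kernel) for offline testing."""
    buf = bytearray(0x300)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                  # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 4 + 20
    struct.pack_into("<H", buf, opt, 0x20B)
    struct.pack_into("<I", buf, opt + 108, 16)               # NumberOfRvaAndSizes
    if signed:                                               # point at a table
        struct.pack_into("<II", buf, opt + 112 + 8 * SECURITY_DIR_INDEX, 0x200, 0x100)
    return bytes(buf)

if __name__ == "__main__":
    # e.g. python3 check_signed.py /boot/vmlinuz-6.1.2-gentoo /boot/vmlinuz-6.1.2-gentoo.signed
    for p in sys.argv[1:]:
        print(p, "signed" if is_signed(p) else "UNSIGNED")
```

A present signature table only says the image was signed by someone; sbverify --cert /etc/efikeys/db.crt <image> confirms it was signed with the db certificate that was enrolled.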