Package: grub-efi
Version: 2.02+dfsg1-5
Severity: grave
Justification: renders package unusable
Dear Maintainer,

I use Debian Buster with secureboot turned on on my Dell XPS13. I replaced
all UEFI keys with my own RSA keys and created a standalone grub_efi using
the scripts at https://github.com/jdelic/secureboot/.

Since updating to 2.02+dfsg1-5, booting in secureboot mode fails with an
"invalid signature" error for vmlinuz-4.17.0-1-amd64. I turned on "crypt"
debug mode on the signed grub image and the last logged "alive" line is
verify.c:620. So Grub detects secureboot and starts verifying and then
fails.

I use my public GPG key (0x7CDC4589) for signing. The detached signature
is:

iQIzBAABCgAdFiEE5NQyBIYeHiZU1onRn+lmU4TReRgFAltyqNwACgkQn+lmU4TReRgnjRAA0dMV
eS7BSs61qtJKjJ+RlpXj9O73rMTBkkCArHfYD7/RX2G6f09We50ZT7CtTPtt+sSYutppOjIbRucd
paQSGox18JH1JMpjjiZYdzCXmJEpwuwuvYHyrYF1DVczB2rbk1AtpTq8fvir4W5fnj/CS20g35em
uCiUtnuyDotJ3/Z3tIKVlvfpiA8ndvUSl37SxX3K/pQ1EQocyGaKFsythFFhK838/Y97BSQyw8h4
h0MU1hBgmdANmy1UsaAlyfbozXnT2UDOlnyfIvR9f0K7ldTZqxGkhZhixFjRlV9LLNLbC7wIxY2a
MrJVmEO8r1JMwp4Tbysplv6zY3JYnKXP++b+WnQr4aRSdzzcn7KbU3uDT6EdtO9pUJ6/5agMScMi
NJWFNa4vQ0UAtc1Og/9ZSt+k8BhX7wXTYreuAOKDCBpd1FvgOMHdCuQscI2xSLtczV5b76TbjxoP
vk0SIzqO6Sko71MMHgJEodTY1oTEFbeyGJmPhyTMuv67R1aF5LRtHVK3Pdt7Hf9M71Mzl+YbGXjb
fXti1BYaLQstKvyaQYhKVIhn6I9ZAQGPuXpr0fp7NFngajDrinFtjJHJQ98E/PQCUTQRNy7MqPNu
MDf/WlNMpzrOzo2fpwWqfwtlXbVCZWcKJjmFg5MuEBpX6cO4n5OmOMZ9xf6877LQgfr3+yU=

You can verify the signature like this:

    mkdir /tmp/sigtest
    cd /tmp/sigtest
    apt download linux-image-4.17.0-1-amd64
    dpkg-deb -x \
        linux-image-4.17.0-1-amd64_4.17.8-1_amd64.deb \
        unpack
    base64 -d > unpack/boot/vmlinuz-4.17.0-1-amd64.sig  # (copy paste the above signature)
    gpg --recv-key 7CDC4589
    gpg --verify unpack/boot/vmlinuz-4.17.0-1-amd64.sig

You should then see output like this:

    gpg: assuming signed data in 'unpack/boot/vmlinuz-4.17.0-1-amd64'
    gpg: Signature made Tue 14 Aug 2018 12:03:08 PM CEST
    gpg:                using RSA key E4D43204861E1E2654D689D19FE9665384D17918
    gpg: Good signature from "Jonas Maurus <jo...@maurus.net>" [ultimate]
    gpg:                 aka "Jonas Maurus <jonas-git...@maurus.net>" [ultimate]
    gpg:                 aka "Jonas Maurus <jonas-bitbuc...@maurus.net>" [ultimate]

Please contact me if you need any more information.

Thank you,
Jonas Maurus

-- Package-specific info:

*********************** BEGIN /proc/mounts
/dev/mapper/vg0-root / ext4 rw,relatime,errors=remount-ro 0 0
/dev/nvme0n1p2 /boot ext2 rw,relatime,block_validity,barrier,user_xattr,acl 0 0
/dev/nvme0n1p1 /boot/efi vfat rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/mapper/vg0-home /home ext4 rw,relatime 0 0
*********************** END /proc/mounts

*********************** BEGIN /boot/grub/grub.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
if [ -s $prefix/grubenv ]; then
  set have_grubenv=true
  load_env
fi
if [ "${next_entry}" ] ; then
   set default="${next_entry}"
   set next_entry=
   save_env next_entry
   set boot_once=true
else
   set default="0"
fi

if [ x"${feature_menuentry_id}" = xy ]; then
  menuentry_id_option="--id"
else
  menuentry_id_option=""
fi

export menuentry_id_option

if [ "${prev_saved_entry}" ]; then
  set saved_entry="${prev_saved_entry}"
  save_env saved_entry
  set prev_saved_entry=
  save_env prev_saved_entry
  set boot_once=true
fi

function savedefault {
  if [ -z "${boot_once}" ]; then
    saved_entry="${chosen}"
    save_env saved_entry
  fi
}
function load_video {
  if [ x$feature_all_video_module = xy ]; then
    insmod all_video
  else
    insmod efi_gop
    insmod efi_uga
    insmod ieee1275_fb
    insmod vbe
    insmod vga
    insmod video_bochs
    insmod video_cirrus
  fi
}

if [ x$feature_default_font_path = xy ] ; then
   font=unicode
else
insmod part_gpt
insmod ext2
if [ x$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root 41f85d8a-3669-417c-8a68-31b1edd73596
else
  search --no-floppy --fs-uuid --set=root 41f85d8a-3669-417c-8a68-31b1edd73596
fi
    font="/grub/unicode.pf2"
fi

if loadfont $font ; then
  set gfxmode=auto
  load_video
  insmod gfxterm
  set locale_dir=$prefix/locale
  set lang=en_US
  insmod gettext
fi
terminal_output gfxterm
if [ "${recordfail}" = 1 ] ; then
  set timeout=30
else
  if [ x$feature_timeout_style = xy ] ; then
    set timeout_style=hidden
    set timeout=0
  # Fallback hidden-timeout code in case the timeout_style feature is
  # unavailable.
  elif sleep --interruptible 0 ; then
    set timeout=0
  fi
fi
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/05_debian_theme ###
set menu_color_normal=cyan/blue
set menu_color_highlight=white/blue
### END /etc/grub.d/05_debian_theme ###

### BEGIN /etc/grub.d/10_linux ###
function gfxmode {
        set gfxpayload="${1}"
}
set linux_gfx_mode=
export linux_gfx_mode
menuentry 'Debian GNU/Linux' --unrestricted --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-35576bd3-f64f-4d3f-893b-1c9a1fd47d9f' {
        load_video
        insmod gzio
        if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
        insmod part_gpt
        insmod ext2
        if [ x$feature_platform_search_hint = xy ]; then
          search --no-floppy --fs-uuid --set=root 41f85d8a-3669-417c-8a68-31b1edd73596
        else
          search --no-floppy --fs-uuid --set=root 41f85d8a-3669-417c-8a68-31b1edd73596
        fi
        echo    'Loading Linux 4.17.0-1-amd64 ...'
        linux   /vmlinuz-4.17.0-1-amd64 root=/dev/mapper/vg0-root ro quiet splash
        echo    'Loading initial ramdisk ...'
        initrd  /initrd.img-4.17.0-1-amd64
}
submenu 'Advanced options for Debian GNU/Linux' $menuentry_id_option 'gnulinux-advanced-35576bd3-f64f-4d3f-893b-1c9a1fd47d9f' {
        menuentry 'Debian GNU/Linux, with Linux 4.17.0-1-amd64' --unrestricted --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.17.0-1-amd64-advanced-35576bd3-f64f-4d3f-893b-1c9a1fd47d9f' {
                load_video
                insmod gzio
                if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
                insmod part_gpt
                insmod ext2
                if [ x$feature_platform_search_hint = xy ]; then
                  search --no-floppy --fs-uuid --set=root 41f85d8a-3669-417c-8a68-31b1edd73596
                else
                  search --no-floppy --fs-uuid --set=root 41f85d8a-3669-417c-8a68-31b1edd73596
                fi
                echo    'Loading Linux 4.17.0-1-amd64 ...'
                linux   /vmlinuz-4.17.0-1-amd64 root=/dev/mapper/vg0-root ro quiet splash
                echo    'Loading initial ramdisk ...'
                initrd  /initrd.img-4.17.0-1-amd64
        }
        menuentry 'Debian GNU/Linux, with Linux 4.17.0-1-amd64 (recovery mode)' --unrestricted --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.17.0-1-amd64-recovery-35576bd3-f64f-4d3f-893b-1c9a1fd47d9f' {
                load_video
                insmod gzio
                if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
                insmod part_gpt
                insmod ext2
                if [ x$feature_platform_search_hint = xy ]; then
                  search --no-floppy --fs-uuid --set=root 41f85d8a-3669-417c-8a68-31b1edd73596
                else
                  search --no-floppy --fs-uuid --set=root 41f85d8a-3669-417c-8a68-31b1edd73596
                fi
                echo    'Loading Linux 4.17.0-1-amd64 ...'
                linux   /vmlinuz-4.17.0-1-amd64 root=/dev/mapper/vg0-root ro single
                echo    'Loading initial ramdisk ...'
                initrd  /initrd.img-4.17.0-1-amd64
        }
        menuentry 'Debian GNU/Linux, with Linux 4.16.0-2-amd64' --unrestricted --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.16.0-2-amd64-advanced-35576bd3-f64f-4d3f-893b-1c9a1fd47d9f' {
                load_video
                insmod gzio
                if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
                insmod part_gpt
                insmod ext2
                if [ x$feature_platform_search_hint = xy ]; then
                  search --no-floppy --fs-uuid --set=root 41f85d8a-3669-417c-8a68-31b1edd73596
                else
                  search --no-floppy --fs-uuid --set=root 41f85d8a-3669-417c-8a68-31b1edd73596
                fi
                echo    'Loading Linux 4.16.0-2-amd64 ...'
                linux   /vmlinuz-4.16.0-2-amd64 root=/dev/mapper/vg0-root ro quiet splash
                echo    'Loading initial ramdisk ...'
                initrd  /initrd.img-4.16.0-2-amd64
        }
        menuentry 'Debian GNU/Linux, with Linux 4.16.0-2-amd64 (recovery mode)' --unrestricted --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.16.0-2-amd64-recovery-35576bd3-f64f-4d3f-893b-1c9a1fd47d9f' {
                load_video
                insmod gzio
                if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
                insmod part_gpt
                insmod ext2
                if [ x$feature_platform_search_hint = xy ]; then
                  search --no-floppy --fs-uuid --set=root 41f85d8a-3669-417c-8a68-31b1edd73596
                else
                  search --no-floppy --fs-uuid --set=root 41f85d8a-3669-417c-8a68-31b1edd73596
                fi
                echo    'Loading Linux 4.16.0-2-amd64 ...'
                linux   /vmlinuz-4.16.0-2-amd64 root=/dev/mapper/vg0-root ro single
                echo    'Loading initial ramdisk ...'
                initrd  /initrd.img-4.16.0-2-amd64
        }
}
### END /etc/grub.d/10_linux ###

### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###

### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###

### BEGIN /etc/grub.d/30_uefi-firmware ###
menuentry 'System setup' $menuentry_id_option 'uefi-firmware' {
        fwsetup
}
### END /etc/grub.d/30_uefi-firmware ###

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries.
# Simply type the menu entries you want to add after this comment.
# Be careful not to change the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f  ${config_directory}/custom.cfg ]; then
  source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
  source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ###
*********************** END /boot/grub/grub.cfg

*********************** BEGIN /proc/mdstat
cat: /proc/mdstat: No such file or directory
*********************** END /proc/mdstat

*********************** BEGIN /dev/disk/by-id
total 0
lrwxrwxrwx 1 root root 10 Aug 14 12:05 dm-name-nvme0n1p3_crypt -> ../../dm-0
lrwxrwxrwx 1 root root 10 Aug 14 12:05 dm-name-vg0-home -> ../../dm-3
lrwxrwxrwx 1 root root 10 Aug 14 12:05 dm-name-vg0-root -> ../../dm-1
lrwxrwxrwx 1 root root 10 Aug 14 12:05 dm-name-vg0-swap -> ../../dm-2
lrwxrwxrwx 1 root root 10 Aug 14 12:05 dm-name-vg0-win--jm -> ../../dm-5
lrwxrwxrwx 1 root root 10 Aug 14 12:05 dm-name-vg0-win--optile -> ../../dm-4
lrwxrwxrwx 1 root root 10 Aug 14 12:05 dm-uuid-CRYPT-LUKS1-89c743c8ca7040fda48ce41308b474d7-nvme0n1p3_crypt -> ../../dm-0
lrwxrwxrwx 1 root root 10 Aug 14 12:05 dm-uuid-LVM-khfL0UKP45rIJh6iGPxlZVEbJKFKKwYhBuEzIQlv5Zv8cSMFqXD1aFGxEDz2Wh9c -> ../../dm-3
lrwxrwxrwx 1 root root 10 Aug 14 12:05 dm-uuid-LVM-khfL0UKP45rIJh6iGPxlZVEbJKFKKwYhWZnhVmY9LIcM750PWOBNxk8FMVu6fKNH -> ../../dm-1
lrwxrwxrwx 1 root root 10 Aug 14 12:05 dm-uuid-LVM-khfL0UKP45rIJh6iGPxlZVEbJKFKKwYhqfFDA4csHnpiq2g8sH4ByQNhb8dnfXmf -> ../../dm-2
lrwxrwxrwx 1 root root 10 Aug 14 12:05 dm-uuid-LVM-khfL0UKP45rIJh6iGPxlZVEbJKFKKwYhtPgY9LAgSGhLi3cUFnEPu2icbkrY68XO -> ../../dm-5
lrwxrwxrwx 1 root root 10 Aug 14 12:05 dm-uuid-LVM-khfL0UKP45rIJh6iGPxlZVEbJKFKKwYhyfn4rn6VWrvE7CPYZm3MtqDr7KMocc5m -> ../../dm-4
lrwxrwxrwx 1 root root 10 Aug 14 12:05 lvm-pv-uuid-X73TVb-tEQO-DDID-r3JJ-bZC0-50i5-UGucvI -> ../../dm-0
lrwxrwxrwx 1 root root 13 Aug 14 12:05 nvme-KXG50ZNV512G_NVMe_TOSHIBA_512GB_979B504EK5LS -> ../../nvme0n1
lrwxrwxrwx 1 root root 15 Aug 14 12:05 nvme-KXG50ZNV512G_NVMe_TOSHIBA_512GB_979B504EK5LS-part1 -> ../../nvme0n1p1
lrwxrwxrwx 1 root root 15 Aug 14 12:05 nvme-KXG50ZNV512G_NVMe_TOSHIBA_512GB_979B504EK5LS-part2 -> ../../nvme0n1p2
lrwxrwxrwx 1 root root 15 Aug 14 12:05 nvme-KXG50ZNV512G_NVMe_TOSHIBA_512GB_979B504EK5LS-part3 -> ../../nvme0n1p3
lrwxrwxrwx 1 root root 13 Aug 14 12:05 nvme-eui.000000000000001000080d03001ee12c -> ../../nvme0n1
lrwxrwxrwx 1 root root 15 Aug 14 12:05 nvme-eui.000000000000001000080d03001ee12c-part1 -> ../../nvme0n1p1
lrwxrwxrwx 1 root root 15 Aug 14 12:05 nvme-eui.000000000000001000080d03001ee12c-part2 -> ../../nvme0n1p2
lrwxrwxrwx 1 root root 15 Aug 14 12:05 nvme-eui.000000000000001000080d03001ee12c-part3 -> ../../nvme0n1p3
*********************** END /dev/disk/by-id

*********************** BEGIN /dev/disk/by-uuid
total 0
lrwxrwxrwx 1 root root 15 Aug 14 12:05 1CE4-948F -> ../../nvme0n1p1
lrwxrwxrwx 1 root root 10 Aug 14 12:05 35576bd3-f64f-4d3f-893b-1c9a1fd47d9f -> ../../dm-1
lrwxrwxrwx 1 root root 15 Aug 14 12:05 41f85d8a-3669-417c-8a68-31b1edd73596 -> ../../nvme0n1p2
lrwxrwxrwx 1 root root 10 Aug 14 12:05 77d51849-4cf5-456a-a709-733c7e790942 -> ../../dm-3
lrwxrwxrwx 1 root root 15 Aug 14 12:05 89c743c8-ca70-40fd-a48c-e41308b474d7 -> ../../nvme0n1p3
lrwxrwxrwx 1 root root 10 Aug 14 12:05 d7740961-92f5-4a13-923c-19bb865e2595 -> ../../dm-2
*********************** END /dev/disk/by-uuid

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.17.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages grub-efi depends on:
ii  grub-common      2.02+dfsg1-5
ii  grub-efi-amd64   2.02+dfsg1-5

grub-efi recommends no packages.

grub-efi suggests no packages.

-- no debconf information
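Editor's note: before reaching for gpg, it helps to know what the posted .sig actually says. The following is an added example, not part of the bug report and not GRUB's own verify.c. It walks the OpenPGP signature packet from the report (RFC 4880, section 5.2.3) with only the Python standard library and pulls out the signature type, public-key and hash algorithms, creation time, and the issuer. The packet names the signing key with fingerprint ending 84D17918 (the same key gpg reports as "using RSA key" above); that is the key any verifier, GRUB included, has to hold as trusted, while the primary key ID 0x7CDC4589 quoted in the report is not what the packet carries. The `issuer_matches` helper and the two algorithm tables are this editor's additions, not anything GRUB or gpg exposes.

```python
"""Walk the OpenPGP detached signature from the report (RFC 4880, section 5.2.3).

Added example, not part of the bug report and not GRUB's verify.c: standard
library only, so the signer and hash algorithm can be read off a .sig file
without gpg and without the signed kernel.
"""
import base64
import struct
from datetime import datetime, timezone

# The detached signature exactly as posted in the report, base64 lines joined.
REPORT_SIG_B64 = (
    "iQIzBAABCgAdFiEE5NQyBIYeHiZU1onRn+lmU4TReRgFAltyqNwACgkQn+lmU4TReRgnjRAA0dMV"
    "eS7BSs61qtJKjJ+RlpXj9O73rMTBkkCArHfYD7/RX2G6f09We50ZT7CtTPtt+sSYutppOjIbRucd"
    "paQSGox18JH1JMpjjiZYdzCXmJEpwuwuvYHyrYF1DVczB2rbk1AtpTq8fvir4W5fnj/CS20g35em"
    "uCiUtnuyDotJ3/Z3tIKVlvfpiA8ndvUSl37SxX3K/pQ1EQocyGaKFsythFFhK838/Y97BSQyw8h4"
    "h0MU1hBgmdANmy1UsaAlyfbozXnT2UDOlnyfIvR9f0K7ldTZqxGkhZhixFjRlV9LLNLbC7wIxY2a"
    "MrJVmEO8r1JMwp4Tbysplv6zY3JYnKXP++b+WnQr4aRSdzzcn7KbU3uDT6EdtO9pUJ6/5agMScMi"
    "NJWFNa4vQ0UAtc1Og/9ZSt+k8BhX7wXTYreuAOKDCBpd1FvgOMHdCuQscI2xSLtczV5b76TbjxoP"
    "vk0SIzqO6Sko71MMHgJEodTY1oTEFbeyGJmPhyTMuv67R1aF5LRtHVK3Pdt7Hf9M71Mzl+YbGXjb"
    "fXti1BYaLQstKvyaQYhKVIhn6I9ZAQGPuXpr0fp7NFngajDrinFtjJHJQ98E/PQCUTQRNy7MqPNu"
    "MDf/WlNMpzrOzo2fpwWqfwtlXbVCZWcKJjmFg5MuEBpX6cO4n5OmOMZ9xf6877LQgfr3+yU="
)

# RFC 4880 section 9 identifiers (editor's tables, trimmed to common values).
PUBKEY_ALGS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGS = {2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}


def _old_format_header(data):
    """Return (tag, body_length, header_length) for an old-format packet header."""
    first = data[0]
    if not (first & 0x80) or first & 0x40:
        raise ValueError("expected an old-format OpenPGP packet header")
    tag, length_type = (first >> 2) & 0x0F, first & 0x03
    if length_type == 0:
        return tag, data[1], 2
    if length_type == 1:
        return tag, struct.unpack(">H", data[1:3])[0], 3
    if length_type == 2:
        return tag, struct.unpack(">I", data[1:5])[0], 5
    raise ValueError("indeterminate packet length is not allowed for signatures")


def _subpackets(area):
    """Split a signature subpacket area into (type, body) pairs."""
    out, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        body = area[i:i + length]
        out.append((body[0] & 0x7F, body[1:]))  # high bit of the type is the "critical" flag
        i += length
    return out


def parse_signature(b64):
    """Parse a base64 OpenPGP v4 signature packet into a dict of its fields."""
    data = base64.b64decode(b64)
    tag, body_len, hdr_len = _old_format_header(data)
    if tag != 2:
        raise ValueError(f"tag {tag} is not a signature packet")
    body = data[hdr_len:hdr_len + body_len]
    if len(body) != body_len or len(data) != hdr_len + body_len:
        raise ValueError("signature packet length does not match the data")
    if body[0] != 4:
        raise ValueError(f"unsupported signature version {body[0]}")
    info = {
        "version": 4,
        "sig_type": body[1],  # 0x00 = signature over a binary document
        "pubkey_alg": PUBKEY_ALGS.get(body[2], body[2]),
        "hash_alg": HASH_ALGS.get(body[3], body[3]),
    }
    hashed_len = struct.unpack(">H", body[4:6])[0]
    pos = 6 + hashed_len
    hashed = body[6:pos]
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    unhashed = body[pos + 2:pos + 2 + unhashed_len]
    pos += 2 + unhashed_len
    info["hash_prefix"] = body[pos:pos + 2].hex()  # left 16 bits of the digest
    pos += 2
    mpi_bits = struct.unpack(">H", body[pos:pos + 2])[0]
    info["mpi_bits"] = mpi_bits  # one MPI for RSA: the signature value itself
    pos += 2 + (mpi_bits + 7) // 8
    if pos != body_len:
        raise ValueError("trailing bytes after the signature MPI")
    for sp_type, sp_body in _subpackets(hashed) + _subpackets(unhashed):
        if sp_type == 2:  # signature creation time (seconds since the epoch)
            ts = struct.unpack(">I", sp_body)[0]
            info["created"] = datetime.fromtimestamp(ts, timezone.utc).isoformat()
        elif sp_type == 16:  # issuer key ID, 8 bytes
            info["issuer_key_id"] = sp_body.hex().upper()
        elif sp_type == 33:  # issuer fingerprint: key version byte, then fingerprint
            info["issuer_fingerprint"] = sp_body[1:].hex().upper()
    return info


def issuer_matches(info, trusted_key_ids):
    """True if the signature's issuer is one of the given key IDs (short, long or full).

    Key IDs are suffixes of the v4 fingerprint, so a trailing-hex comparison covers all forms.
    """
    issuer = info.get("issuer_fingerprint") or info["issuer_key_id"]
    wanted = [k.upper()[2:] if k.upper().startswith("0X") else k.upper() for k in trusted_key_ids]
    return any(issuer.endswith(k) for k in wanted)


if __name__ == "__main__":
    for key, value in parse_signature(REPORT_SIG_B64).items():
        print(f"{key:19} {value}")
```

Run as-is the script prints the fields of the report's signature: a v4 binary-document signature, RSA with a 4096-bit value, SHA512, made 2018-08-14T10:03:08+00:00 (12:03:08 CEST, matching the gpg output), issued by E4D43204861E1E2654D689D19FE9665384D17918. The same walk applies to any .sig a loader is going to check: if the hash algorithm or key it names is not one the verifier supports or trusts, no amount of re-signing with the same setup will help, and the packet tells you that before you touch the boot path.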