Unable to boot with secure boot enabled after installing lanzaboote on optiplex 7070 #389
Comments
|
From my (somewhat limited) understanding of lanzaboote, only the boot stub (a slim binary whose only job it is to boot with certain compile time hard coded boot parameters) is signed. The stub has baked in hashes of the kernel and initramfs. Its highly possible that by signing those kernels you just changed the sha256 hashes and borked your boot. Also if i remember correctly you really aren't supposed to manipulate files that originate from /nix/store. This on first glance doesn't seem like a bios error, but an error from the stub complaining about a hash mismatch. |
|
This works! Thanks for the help! Sorry for the delay in responding, I didn't have immediate access to a test environment. Do you know where I can read more about this? I'd love to update the quick start to mention this but I lack knowledge. This seems related to files ending in bzImage.efi needing to not be signed. Are you aware of any way to undo signing a kernel or do I need a fresh install? It seems to me that sbctl doesn't have a command for this. Thanks again! |
You should be able to replace the file from its original source in the nix store (if you also replaced it there there are commands to redo a derivation. A simple solution could be to just enter your install with nixOS-enter and then doing a nixOS-switch since a new kernel version should be available. Since this is nixOS, it might be even less of a hassle to reinstall tho.
|
After installing lanzaboote on a Dell optiplex 7070 micro, I'm unable to boot with secure boot enabled due to the kernel hash not matching:
In the interest of brevity I've excluded some photos of the bios which I am happy to share if it helps debug. Also excluded is my exact nix configuration as it is barely different from the flake provided in the quick start guide. I am also happy to provide this if I made the wrong call not including it. Command screenshots are taken on another computer connected via ssh.
Here's a rough sequence of events:
Used flake for lanzaboote
a. rebuilt system with flake
Ran
sudo sbctl create-keysRebooted to bios
Enabled secure boot, expert key management (custom mode), setup mode (dell seems to call this audit mode)
Booted system
a. Verified system is in setup mode
Attempted to enroll-keys
Ran chattr -i on files from error
Succeeded in enrolling keys
a.
sbctl statusafter enrolling keysb. Ran
sbctl verifyAt some point I tried running
sbctl signon both kernels as they were initially unsigned in attempt to fix errorsUnable to boot due to error pictured at the top
I've also tried the
--microsoftand--appendflags when enrolling keys.If I missed anything I'm happy to elaborate.
Thanks for any help.
The text was updated successfully, but these errors were encountered: