Bug#958894: grub-efi-amd64-bin: Secure Boot forbids loading module from .../multiboot.mod

Fabian Greffrath fabian at debian.org
Sun Apr 26 12:37:33 BST 2020


Package: grub-efi-amd64-bin
Version: 2.04-7
Severity: important

Hi,

GRUB currently fails to load the Invaders game from the grub-invaders
package, Instead, it shows an error message stating

Fehler: Secure Boot forbids loading module from
(hd0,gpt5)/boot/grub/x86_64-efi/multiboot.mod

If multoboot is forbidden with Secure Boot enabled, grub-invaders is
most likely not the only "kernel" that GRUB will be unable to Boot.

Cheers,

 - Fabian


-- Package-specific info:

*********************** BEGIN /proc/mounts
/dev/sda5 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda1 /boot/efi vfat rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 0
*********************** END /proc/mounts

*********************** BEGIN /boot/grub/grub.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
if [ -s $prefix/grubenv ]; then
  set have_grubenv=true
  load_env
fi
if [ "${next_entry}" ] ; then
   set default="${next_entry}"
   set next_entry=
   save_env next_entry
   set boot_once=true
else
   set default="0"
fi

if [ x"${feature_menuentry_id}" = xy ]; then
  menuentry_id_option="--id"
else
  menuentry_id_option=""
fi

export menuentry_id_option

if [ "${prev_saved_entry}" ]; then
  set saved_entry="${prev_saved_entry}"
  save_env saved_entry
  set prev_saved_entry=
  save_env prev_saved_entry
  set boot_once=true
fi

function savedefault {
  if [ -z "${boot_once}" ]; then
    saved_entry="${chosen}"
    save_env saved_entry
  fi
}
function load_video {
  if [ x$feature_all_video_module = xy ]; then
    insmod all_video
  else
    insmod efi_gop
    insmod efi_uga
    insmod ieee1275_fb
    insmod vbe
    insmod vga
    insmod video_bochs
    insmod video_cirrus
  fi
}

if [ x$feature_default_font_path = xy ] ; then
   font=unicode
else
insmod part_gpt
insmod ext2
set root='hd0,gpt5'
if [ x$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt5 --hint-efi=hd0,gpt5 --hint-baremetal=ahci0,gpt5  7403c6c5-930a-4efe-bf43-130f005cf9a5
else
  search --no-floppy --fs-uuid --set=root 7403c6c5-930a-4efe-bf43-130f005cf9a5
fi
    font="/usr/share/grub/unicode.pf2"
fi

if loadfont $font ; then
  set gfxmode=auto
  load_video
  insmod gfxterm
  set locale_dir=$prefix/locale
  set lang=de_DE
  insmod gettext
fi
terminal_output gfxterm
if [ "${recordfail}" = 1 ] ; then
  set timeout=30
else
  if [ x$feature_timeout_style = xy ] ; then
    set timeout_style=menu
    set timeout=5
  # Fallback normal timeout code in case the timeout_style feature is
  # unavailable.
  else
    set timeout=5
  fi
fi
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/05_debian_theme ###
insmod part_gpt
insmod ext2
set root='hd0,gpt5'
if [ x$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt5 --hint-efi=hd0,gpt5 --hint-baremetal=ahci0,gpt5  7403c6c5-930a-4efe-bf43-130f005cf9a5
else
  search --no-floppy --fs-uuid --set=root 7403c6c5-930a-4efe-bf43-130f005cf9a5
fi
insmod png
if background_image /usr/share/desktop-base/futureprototype-theme/grub/grub-16x9.png; then
  set color_normal=white/black
  set color_highlight=black/white
else
  set menu_color_normal=cyan/blue
  set menu_color_highlight=white/blue
fi
### END /etc/grub.d/05_debian_theme ###

### BEGIN /etc/grub.d/10_linux ###
function gfxmode {
	set gfxpayload="${1}"
}
set linux_gfx_mode=
export linux_gfx_mode
menuentry 'Debian GNU/Linux' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-7403c6c5-930a-4efe-bf43-130f005cf9a5' {
	load_video
	insmod gzio
	if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
	insmod part_gpt
	insmod ext2
	set root='hd0,gpt5'
	if [ x$feature_platform_search_hint = xy ]; then
	  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt5 --hint-efi=hd0,gpt5 --hint-baremetal=ahci0,gpt5  7403c6c5-930a-4efe-bf43-130f005cf9a5
	else
	  search --no-floppy --fs-uuid --set=root 7403c6c5-930a-4efe-bf43-130f005cf9a5
	fi
	echo	'Loading Linux 5.5.0-1-amd64 ...'
	linux	/boot/vmlinuz-5.5.0-1-amd64 root=UUID=7403c6c5-930a-4efe-bf43-130f005cf9a5 ro  quiet splash
	echo	'Loading initial ramdisk ...'
	initrd	/boot/initrd.img-5.5.0-1-amd64
}
submenu 'Advanced options for Debian GNU/Linux' $menuentry_id_option 'gnulinux-advanced-7403c6c5-930a-4efe-bf43-130f005cf9a5' {
	menuentry 'Debian GNU/Linux, with Linux 5.5.0-1-amd64' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.5.0-1-amd64-advanced-7403c6c5-930a-4efe-bf43-130f005cf9a5' {
		load_video
		insmod gzio
		if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
		insmod part_gpt
		insmod ext2
		set root='hd0,gpt5'
		if [ x$feature_platform_search_hint = xy ]; then
		  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt5 --hint-efi=hd0,gpt5 --hint-baremetal=ahci0,gpt5  7403c6c5-930a-4efe-bf43-130f005cf9a5
		else
		  search --no-floppy --fs-uuid --set=root 7403c6c5-930a-4efe-bf43-130f005cf9a5
		fi
		echo	'Loading Linux 5.5.0-1-amd64 ...'
		linux	/boot/vmlinuz-5.5.0-1-amd64 root=UUID=7403c6c5-930a-4efe-bf43-130f005cf9a5 ro  quiet splash
		echo	'Loading initial ramdisk ...'
		initrd	/boot/initrd.img-5.5.0-1-amd64
	}
	menuentry 'Debian GNU/Linux, with Linux 5.5.0-1-amd64 (recovery mode)' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.5.0-1-amd64-recovery-7403c6c5-930a-4efe-bf43-130f005cf9a5' {
		load_video
		insmod gzio
		if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
		insmod part_gpt
		insmod ext2
		set root='hd0,gpt5'
		if [ x$feature_platform_search_hint = xy ]; then
		  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt5 --hint-efi=hd0,gpt5 --hint-baremetal=ahci0,gpt5  7403c6c5-930a-4efe-bf43-130f005cf9a5
		else
		  search --no-floppy --fs-uuid --set=root 7403c6c5-930a-4efe-bf43-130f005cf9a5
		fi
		echo	'Loading Linux 5.5.0-1-amd64 ...'
		linux	/boot/vmlinuz-5.5.0-1-amd64 root=UUID=7403c6c5-930a-4efe-bf43-130f005cf9a5 ro single 
		echo	'Loading initial ramdisk ...'
		initrd	/boot/initrd.img-5.5.0-1-amd64
	}
	menuentry 'Debian GNU/Linux, with Linux 5.4.0-4-amd64' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.4.0-4-amd64-advanced-7403c6c5-930a-4efe-bf43-130f005cf9a5' {
		load_video
		insmod gzio
		if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
		insmod part_gpt
		insmod ext2
		set root='hd0,gpt5'
		if [ x$feature_platform_search_hint = xy ]; then
		  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt5 --hint-efi=hd0,gpt5 --hint-baremetal=ahci0,gpt5  7403c6c5-930a-4efe-bf43-130f005cf9a5
		else
		  search --no-floppy --fs-uuid --set=root 7403c6c5-930a-4efe-bf43-130f005cf9a5
		fi
		echo	'Loading Linux 5.4.0-4-amd64 ...'
		linux	/boot/vmlinuz-5.4.0-4-amd64 root=UUID=7403c6c5-930a-4efe-bf43-130f005cf9a5 ro  quiet splash
		echo	'Loading initial ramdisk ...'
		initrd	/boot/initrd.img-5.4.0-4-amd64
	}
	menuentry 'Debian GNU/Linux, with Linux 5.4.0-4-amd64 (recovery mode)' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.4.0-4-amd64-recovery-7403c6c5-930a-4efe-bf43-130f005cf9a5' {
		load_video
		insmod gzio
		if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
		insmod part_gpt
		insmod ext2
		set root='hd0,gpt5'
		if [ x$feature_platform_search_hint = xy ]; then
		  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt5 --hint-efi=hd0,gpt5 --hint-baremetal=ahci0,gpt5  7403c6c5-930a-4efe-bf43-130f005cf9a5
		else
		  search --no-floppy --fs-uuid --set=root 7403c6c5-930a-4efe-bf43-130f005cf9a5
		fi
		echo	'Loading Linux 5.4.0-4-amd64 ...'
		linux	/boot/vmlinuz-5.4.0-4-amd64 root=UUID=7403c6c5-930a-4efe-bf43-130f005cf9a5 ro single 
		echo	'Loading initial ramdisk ...'
		initrd	/boot/initrd.img-5.4.0-4-amd64
	}
}

### END /etc/grub.d/10_linux ###

### BEGIN /etc/grub.d/20_linux_xen ###

### END /etc/grub.d/20_linux_xen ###

### BEGIN /etc/grub.d/22_invaders ###
menuentry "GRUB Invaders" {
	insmod part_gpt
	insmod ext2
	set root='hd0,gpt5'
	if [ x$feature_platform_search_hint = xy ]; then
	  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt5 --hint-efi=hd0,gpt5 --hint-baremetal=ahci0,gpt5  7403c6c5-930a-4efe-bf43-130f005cf9a5
	else
	  search --no-floppy --fs-uuid --set=root 7403c6c5-930a-4efe-bf43-130f005cf9a5
	fi
	multiboot	/boot/invaders.exec
}
### END /etc/grub.d/22_invaders ###

### BEGIN /etc/grub.d/30_os-prober ###
menuentry 'Windows Boot Manager (on /dev/sda1)' --class windows --class os $menuentry_id_option 'osprober-efi-6A69-21DC' {
	insmod part_gpt
	insmod fat
	set root='hd0,gpt1'
	if [ x$feature_platform_search_hint = xy ]; then
	  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt1 --hint-efi=hd0,gpt1 --hint-baremetal=ahci0,gpt1  6A69-21DC
	else
	  search --no-floppy --fs-uuid --set=root 6A69-21DC
	fi
	chainloader /EFI/Microsoft/Boot/bootmgfw.efi
}
### END /etc/grub.d/30_os-prober ###

### BEGIN /etc/grub.d/30_uefi-firmware ###
menuentry 'System setup' $menuentry_id_option 'uefi-firmware' {
	fwsetup
}
### END /etc/grub.d/30_uefi-firmware ###

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f  ${config_directory}/custom.cfg ]; then
  source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
  source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ###
*********************** END /boot/grub/grub.cfg

*********************** BEGIN /proc/mdstat
cat: /proc/mdstat: No such file or directory
*********************** END /proc/mdstat

*********************** BEGIN /dev/disk/by-id
total 0
lrwxrwxrwx 1 root root  9 Apr 26 13:30 ata-ST1000LM035-1RK172_WKP1TNGC -> ../../sda
lrwxrwxrwx 1 root root 10 Apr 26 13:30 ata-ST1000LM035-1RK172_WKP1TNGC-part1 -> ../../sda1
lrwxrwxrwx 1 root root 10 Apr 26 13:30 ata-ST1000LM035-1RK172_WKP1TNGC-part2 -> ../../sda2
lrwxrwxrwx 1 root root 10 Apr 26 13:30 ata-ST1000LM035-1RK172_WKP1TNGC-part3 -> ../../sda3
lrwxrwxrwx 1 root root 10 Apr 26 13:30 ata-ST1000LM035-1RK172_WKP1TNGC-part4 -> ../../sda4
lrwxrwxrwx 1 root root 10 Apr 26 13:30 ata-ST1000LM035-1RK172_WKP1TNGC-part5 -> ../../sda5
lrwxrwxrwx 1 root root 10 Apr 26 13:30 ata-ST1000LM035-1RK172_WKP1TNGC-part6 -> ../../sda6
lrwxrwxrwx 1 root root  9 Apr 26 13:30 wwn-0x5000c500bfacf1f2 -> ../../sda
lrwxrwxrwx 1 root root 10 Apr 26 13:30 wwn-0x5000c500bfacf1f2-part1 -> ../../sda1
lrwxrwxrwx 1 root root 10 Apr 26 13:30 wwn-0x5000c500bfacf1f2-part2 -> ../../sda2
lrwxrwxrwx 1 root root 10 Apr 26 13:30 wwn-0x5000c500bfacf1f2-part3 -> ../../sda3
lrwxrwxrwx 1 root root 10 Apr 26 13:30 wwn-0x5000c500bfacf1f2-part4 -> ../../sda4
lrwxrwxrwx 1 root root 10 Apr 26 13:30 wwn-0x5000c500bfacf1f2-part5 -> ../../sda5
lrwxrwxrwx 1 root root 10 Apr 26 13:30 wwn-0x5000c500bfacf1f2-part6 -> ../../sda6
*********************** END /dev/disk/by-id

*********************** BEGIN /dev/disk/by-uuid
total 0
lrwxrwxrwx 1 root root 10 Apr 26 13:30 4E966CCD966CB6DD -> ../../sda4
lrwxrwxrwx 1 root root 10 Apr 26 13:30 6A69-21DC -> ../../sda1
lrwxrwxrwx 1 root root 10 Apr 26 13:30 7403c6c5-930a-4efe-bf43-130f005cf9a5 -> ../../sda5
lrwxrwxrwx 1 root root 10 Apr 26 13:30 8A486BEA486BD40B -> ../../sda3
lrwxrwxrwx 1 root root 10 Apr 26 13:30 e73f81c5-049c-412f-935f-cf351622b0fe -> ../../sda6
*********************** END /dev/disk/by-uuid

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'experimental'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.5.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages grub-efi-amd64-bin depends on:
ii  grub-common  2.04-7

Versions of packages grub-efi-amd64-bin recommends:
ii  efibootmgr             17-1
ii  grub-efi-amd64-signed  1+2.04+7

grub-efi-amd64-bin suggests no packages.

-- no debconf information



More information about the Pkg-grub-devel mailing list