System will not boot after security update: error: symbol 'grub_is_lockdown' not found.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I just updated my mini server machine (yast online update), and when booting I get this error from grub: error: symbol 'grub_is_lockdown' not found. Enter rescue mode... grub rescue> and that's it. I can boot a rescue system from usb stick, but then what? I googled and saw several entries, but I don't see a solution. I see a reference to the symbol in tumbleweed, but I'm using Leap 15.2: Subject: New Tumbleweed snapshot 20210315 released! Date: Tue, 16 Mar 2021 12:00:48 +0000 ... - - Fix CVE-2020-27779, CVE-2020-14372 (bsc#1179265) (bsc#1175970) ... * 0012-efi-Use-grub_is_lockdown-instead-of-hardcoding-a-dis.patch If I try "ls" I see (hd0) (hd0, gpt1) (hd1) ... and more then I try: ls (hd0, gpt1) (hd0, gpt1): Filesystem is unknown. which looks bad. - -- Cheers Carlos E. R. (from 15.2 x86_64 at Telcontar) -----BEGIN PGP SIGNATURE----- iHoEARECADoWIQQZEb51mJKK1KpcU/W1MxgcbY1H1QUCYHwocRwccm9iaW4ubGlz dGFzQHRlbGVmb25pY2EubmV0AAoJELUzGBxtjUfVDooAoIPkxipDMh5n0CHcZyIg Y86IK2P9AJ9KXGnsaW839/700L+VRhdc3lIpRw== =OdnY -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sunday, 2021-04-18 at 14:39 +0200, Carlos E. R. wrote:
Hi,
I just updated my mini server machine (yast online update), and when booting I get this error from grub:
error: symbol 'grub_is_lockdown' not found. Enter rescue mode... grub rescue>
and that's it.
I managed to boot it using the machine EFI boot menu and choosing another entry. Isengard:~ # efibootmgr -v BootCurrent: 000A Timeout: 6 seconds BootOrder: 0001,0005,0004,000A,000B,0002,0003,0000 Boot0000 Windows Boot Manager VenHw(99e275e7-75a0-4b37-a2e6-c5385e6c00cb)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}.................... Boot0001* opensuse HD(1,GPT,cada5ef3-03a1-4d0b-a984-49c1c16c75bb,0x800,0x4e000)/File(\EFI\OPENSUSE\GRUBX64.EFI)..BO Boot0002* UEFI: IP4 Realtek PCIe GBE Family Controller PciRoot(0x0)/Pci(0x1c,0x2)/Pci(0x0,0x0)/MAC(4ccc6a6150a1,0)/IPv4(0.0.0.00.0.0.0,0,0)..BO Boot0003* UEFI: IP6 Realtek PCIe GBE Family Controller PciRoot(0x0)/Pci(0x1c,0x2)/Pci(0x0,0x0)/MAC(4ccc6a6150a1,0)/IPv6([::]:<->[::]:,0,0)..BO Boot0004* opensuse-secureboot HD(1,GPT,cada5ef3-03a1-4d0b-a984-49c1c16c75bb,0x800,0x4e000)/File(\EFI\OPENSUSE\SHIM.EFI) Boot0005* opensuse HD(1,GPT,cada5ef3-03a1-4d0b-a984-49c1c16c75bb,0x800,0x4e000)/File(\EFI\OPENSUSE\GRUBX64.EFI)..BO Boot000A* main-os-secureboot HD(1,GPT,cada5ef3-03a1-4d0b-a984-49c1c16c75bb,0x800,0x4e000)/File(\EFI\MAIN-OS\SHIM.EFI) Boot000B* UEFI: VerbatimSTORE N GO, Partition 2 PciRoot(0x0)/Pci(0x14,0x0)/USB(1,0)/USB(3,0)/HD(2,MBR,0x7c65b862,0x13cae8,0x7800)..BO Isengard:~ # in boot order: Boot0001* opensuse Boot0005* opensuse Boot0004* opensuse-secureboot Boot000A* main-os-secureboot Boot000B* UEFI: VerbatimSTORE N GO, Partition 2 <=== rescue stick on USB I think I booted number 4, "opensuse-secureboot", but it could be 'A' (is there a command to find out?). But left alone, it was trying to boot Boot0001, which is wrong (see below). In "/etc/default/grub", dated last January, I have: GRUB_DISTRIBUTOR="Main-oS" So the boot entries 1 and 5 in EFI should not be there. The boot order should start with "Boot000A". Why is it not? Isengard:/etc/default # l /boot/efi/EFI/ total 32 drwxrwxr-x 5 root root 4096 Apr 18 14:04 ./ drwxrwxr-x 3 root root 16384 Jan 1 1970 ../ drwxrwxr-x 2 root root 4096 Mar 21 2018 boot/ drwxrwxr-x 2 root root 4096 Apr 18 14:04 main-os/ drwxrwxr-x 2 root root 4096 Nov 27 2016 opensuse/ Isengard:/etc/default # This looks familiar somehow. But I grepped my mail archive for this error message and I did not find it. :-? I need lunch. - -- Cheers, Carlos E. R. (from openSUSE 15.2 x86_64 at Telcontar) -----BEGIN PGP SIGNATURE----- iHoEARECADoWIQQZEb51mJKK1KpcU/W1MxgcbY1H1QUCYHwvphwccm9iaW4ubGlz dGFzQHRlbGVmb25pY2EubmV0AAoJELUzGBxtjUfVtdEAnjC4i6HFtQWrqckBZNCh oDMNJmz/AJ0Yqwc8f11kfyAfKt88o/7gCCzYqQ== =G4E5 -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Content-ID: <2e56a1f1-d118-022-65bd-dd951ea84162@Telcontar.valinor> On Sunday, 2021-04-18 at 15:09 +0200, Carlos E. R. wrote:
On Sunday, 2021-04-18 at 14:39 +0200, Carlos E. R. wrote:
I managed to boot it using the machine EFI boot menu and choosing another entry.
Isengard:~ # efibootmgr -v ...
in boot order:
Boot0001* opensuse Boot0005* opensuse Boot0004* opensuse-secureboot Boot000A* main-os-secureboot Boot000B* UEFI: VerbatimSTORE N GO, Partition 2 <=== rescue stick on USB
I think I booted number 4, "opensuse-secureboot", but it could be 'A' (is there a command to find out?). But left alone, it was trying to boot Boot0001, which is wrong (see below).
...
I need lunch.
I deleted the directory /boot/efi/EFI/opensuse/*, run yast boot module forcing it to write things by changing one second the timeout, then deleted the "opensuse" entries from the EFI config, leaving: Isengard:/boot/efi/EFI # efibootmgr -v BootCurrent: 0001 Timeout: 6 seconds BootOrder: 0001,0004,0002,0003,0000 Boot0000 Windows Boot Manager VenHw(99e275e7-75a0-4b37-a2e6-c5385e6c00cb)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}.................... Boot0001* main-os-secureboot HD(1,GPT,cada5ef3-03a1-4d0b-a984-49c1c16c75bb,0x800,0x4e000)/File(\EFI\MAIN-OS\SHIM.EFI) Boot0002* UEFI: IP4 Realtek PCIe GBE Family Controller PciRoot(0x0)/Pci(0x1c,0x2)/Pci(0x0,0x0)/MAC(4ccc6a6150a1,0)/IPv4(0.0.0.00.0.0.0,0,0)..BO Boot0003* UEFI: IP6 Realtek PCIe GBE Family Controller PciRoot(0x0)/Pci(0x1c,0x2)/Pci(0x0,0x0)/MAC(4ccc6a6150a1,0)/IPv6([::]:<->[::]:,0,0)..BO Boot0004* UEFI: KINGSTON SMS200S3120G, Partition 1 PciRoot(0x0)/Pci(0x13,0x0)/Sata(1,65535,0)/HD(1,GPT,cada5ef3-03a1-4d0b-a984-49c1c16c75bb,0x800,0x4e000)..BO Isengard:/boot/efi/EFI # And the machine now boots without problems. Why it was trying to boot the wrong entry, I have no idea. I have the feeling it is not the first time this happens to me. I do not know what "Boot0004" is, except that it is this disk, partition 1 (based on zero or based on one?) - ah, no, cada5ef3-03a1 is the PARTUUID, so it is sda1. # lsblk --output NAME,KNAME,RA,RM,RO,SIZE,TYPE,FSTYPE,LABEL,PARTLABEL,MOUNTPOINT,UUID,PARTUUID,WWN,MODEL,ALIGNMENT NAME KNAME RA RM RO SIZE TYPE FSTYPE LABEL PARTLABEL MOUNTPOINT UUID PARTUUID WWN MODEL ALIGNMENT sda sda 512 0 0 111.8G disk 0x50026b726901494e KINGSTO 0 ├─sda1 sda1 512 0 0 156M part vfat EFI_part /boot/efi BD39-068A cada5ef3-03a1-4d0b-a984-49c1c16c75bb 0x50026b726901494e 0 ├─sda2 sda2 512 0 0 9G part swap Swap Swap [SWAP] dee28afc-9697-4f8c-9b42-da0cf6da0ff1 53321f59-61c7-48f0-a358-fedac3882160 0x50026b726901494e 0 When I tried to "ls" it from grub, I got: ls (hd0, gpt1) (hd0, gpt1): Filesystem is unknown. Maybe it was "unknown" because grub was at the time loading the wrong "library". - -- Cheers, Carlos E. R. (from openSUSE 15.2 x86_64 at Telcontar) -----BEGIN PGP SIGNATURE----- iHoEARECADoWIQQZEb51mJKK1KpcU/W1MxgcbY1H1QUCYHyUOhwccm9iaW4ubGlz dGFzQHRlbGVmb25pY2EubmV0AAoJELUzGBxtjUfVxz0AnRK8pvS+KkUs1JPFfKTx 931VRV1qAJ9g9ZKM+URwtBqLt1ssk58/szok1g== =0kCz -----END PGP SIGNATURE-----
participants (1)
-
Carlos E. R.