GRUB error when booting: symbol `grub_is_shim_lock_enabled` not found

  • Open
  • quality assurance status badge
Details
2 participants
  • Ludovic Courtès
  • ngraves
Owner
unassigned
Submitted by
ngraves
Severity
normal
N
N
ngraves wrote 5 days ago
Is grub broken and breaking Guix ?
(address . bug-guix@gnu.org)
a34560f8716ffb8ffd6522c3f8af07c8@ngraves.fr
Hi Guix,

I've had a low-level btrfs failing issue once again on my main computer,
but this time I'm almost unable to recover from it.

On my backup computer, I tried updating Guix before generating an
installable image, and that broke my backup computer. I'm unable to
install Guix that I broke due to the following error :

This error also breaks the possibility to roll-back, I have the exact
same error with earlier Guix system profiles, thus I am stuck trying to
reinstall a working system profile on my backup computer.

I'm able to build everything, but it fails when running grub-install.

I use a single LUKS device, with btrfs on top, and a carefully selected
btrfs layout.

I'm able to fix the grub-install invocation using the prefixed
GRUB_ENABLE_CRYPTODISK=y and running the command by hand, but utimately,
it doesn't fix the underlying error. I'm not able to run it with this
prefix using grub 2.06.

I've also been experiencing extremely annoying git and guile-git SSL
certificates issues, despites the SSL_CERT_DIR and SSL_CERT_FILE being
set properly. For some reason, I was not able to `guix pull` even on the
official installation device on tuesday but without changing anything,
but was able to do that on wednesday.

Here I am, 4 days later, still trying to get a proper up-to-date Guix
working, even with 3-4 years of Guix experience. There's still some
progress ahead ;)

I'm quite stuck now, I'll happily take any advice.

Nicolas
N
N
ngraves wrote 5 days ago
Sharing some progress
(address . 74711@debbugs.gnu.org)
4fe84e12db12aa32d75a427d3000db02@ngraves.fr
I've found the reason behind the extremely annoying SSL certification
refusals.

When I use an installation image, the date is not necessarily set at the
real date. In my case, `date` was set in 2019, and triggered the SSL
verification refusal (not yet valid).

I don't know why it sometimes doesn't happen. If we can't fix/automate
it at the time we boot in the installation medium, we should probably
add a warning in the manual / a hint in guix pull / a proper error in
guile-git (that could provide more information than just Git failing) ?

WDYT ?

Best regards,
Nicolas
N
N
ngraves wrote 4 days ago
(address . 74711@debbugs.gnu.org)
305651c5d363f13f253b8290e09ba497@ngraves.fr
Le 07.12.2024 10:45, ngraves@ngraves.fr a écrit :
Toggle quote (3 lines)
>
> WDYT ?

By the way, guix install did work perfectly fine despite SSL
certificates failing, does that mean that it doesn't do any SSL
certificate verification ? Is that considered safe? How about
man-in-the-middle and data-tampering attacks? Are they impossible due to
sha checksums in Guix, or is that a vulnerability ?

Nicolas
L
L
Ludovic Courtès wrote 23 hours ago
Certificate issues with ‘guix pull’ when system clock is in the past
(address . ngraves@ngraves.fr)(address . 74711@debbugs.gnu.org)
877c87i3ds.fsf_-_@gnu.org
Hi,

ngraves@ngraves.fr skribis:

Toggle quote (7 lines)
> I've found the reason behind the extremely annoying SSL certification
> refusals.
>
> When I use an installation image, the date is not necessarily set at
> the real date. In my case, `date` was set in 2019, and triggered the
> SSL verification refusal (not yet valid).

Could it be that the clock battery of that computer is dead? Otherwise
it’s not supposed to happen.

Toggle quote (6 lines)
> I don't know why it sometimes doesn't happen. If we can't
> fix/automate it at the time we boot in the installation medium, we
> should probably add a warning in the manual / a hint in guix pull / a
> proper error in guile-git (that could provide more information than
> just Git failing) ?

The error I see is:

Toggle snippet (5 lines)
$ guix shell libfaketime -- faketime 2019-01-01 guix pull -p /tmp/p
Updating channel 'shepherd' from Git repository at 'https://git.savannah.gnu.org/git/shepherd.git'...
guix pull: error: Git error: the SSL certificate is invalid

I agree it could give more details, but that’s all we get from libgit2 I
believe. Worth investigating how this can be improved.

That said, what we could/should do is add a ‘--no-check-certificate’
option to ‘pull’ and ‘time-machine’; it would be handy in emergency
situations like you described.

It should be possible to implement that with the ‘certificate_check’
callback in ‘git_remote_callbacks’. I’ll see what can be done in this
area.

Thanks,
Ludo’.
L
L
Ludovic Courtès wrote 23 hours ago
Re: bug#74711: Is grub broken and breaking Guix ?
(address . ngraves@ngraves.fr)(address . 74711@debbugs.gnu.org)
871pyfi377.fsf_-_@gnu.org
ngraves@ngraves.fr skribis:

Toggle quote (6 lines)
> By the way, guix install did work perfectly fine despite SSL
> certificates failing, does that mean that it doesn't do any SSL
> certificate verification ? Is that considered safe? How about
> man-in-the-middle and data-tampering attacks? Are they impossible due
> to sha checksums in Guix, or is that a vulnerability ?

The error with ‘guix pull’ comes from libgit2 when talking to
https://git.sv.gnu.org.

‘guix install’ does not do that. When it downloads substitutes, it
authenticates them (narinfos are signed) and checks their integrity once
the download is complete.

X.509 certificates do not matter at all here and are explicitly ignored;
see #:verify-certificate? in (guix scripts substitutes).

Ludo’.
L
L
Ludovic Courtès wrote 23 hours ago
control message for bug #74711
(address . control@debbugs.gnu.org)
87zfl3gmfe.fsf@gnu.org
retitle 74711 GRUB error when booting: symbol `grub_is_shim_lock_enabled` not found
quit
L
L
Ludovic Courtès wrote 23 hours ago
Re: bug#74711: Is grub broken and breaking Guix ?
(address . ngraves@ngraves.fr)(address . 74711@debbugs.gnu.org)
87ttbbgmb8.fsf@gnu.org
Hi,

ngraves@ngraves.fr skribis:

Toggle quote (5 lines)
> On my backup computer, I tried updating Guix before generating an
> installable image, and that broke my backup computer. I'm unable to
> install Guix that I broke due to the following error :
> https://savannah.gnu.org/bugs/?64406

The error at boot time is:

error: symbol `grub_is_shim_lock_enabled` not found when trying to boot image

Is that right?

I don’t think this has been reported before. Is there a chance it has
to do specifically with the Btrfs/LUKS setup you describe?

Had this machine been upgraded and reconfigured recently?

Ludo’.
L
L
Ludovic Courtès wrote 22 hours ago
(address . ngraves@ngraves.fr)(address . 74711@debbugs.gnu.org)
87ldwnglbz.fsf_-_@gnu.org
Ludovic Courtès <ludo@gnu.org> skribis:

Toggle quote (4 lines)
> That said, what we could/should do is add a ‘--no-check-certificate’
> option to ‘pull’ and ‘time-machine’; it would be handy in emergency
> situations like you described.

?
Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 74711@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 74711
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch