Problem: Booting server shows 'invalid signature you need to load the kernel first'

Knowledge Base Community
, , ,
#1

Problem:

After an update the following errror message occurs:
vmlinuz-4.9.0-11-amd64.efi.signed has invalid signature you need to load the kernel first

Analyse:

Step 1

Get rescue cd to boot the System:

http://www.system-rescue-cd.org/Download/

  • Option: boot existing Linux installation
    ist this possible?

Otherwise boot the rescue cd and chroot to the system filesystem:

mkdir /recover/
mount /dev/mapper/ucs-vg-root  /recover/root
mount /dev/mapperucs-vg-var  /recover/var
mount /dev/sda1 /recover/boot
mount -t proc proc /recover/proc/
mount -o bind /dev /recover/dev
mount -o bind /sys /recover/sys
chroot /recover/

Step 2

Check the boot directory and the grub installation

  • /boot
    A normal directory should look like this:
insgesamt 105M
drwxr-xr-x  4 root root 1,0K Okt 21 14:07 .
drwxr-xr-x 23 root root 4,0K Okt 21 13:59 ..
-rw-r--r--  1 root root  318 Jul 26 12:02 boot.msg
-rw-r--r--  1 root root 183K Sep 20 13:03 config-4.9.0-11-amd64
-rw-r--r--  1 root root 183K Aug 11 16:53 config-4.9.0-9-amd64
drwxr-xr-x  5 root root 1,0K Okt 21 14:05 grub
-rw-r--r--  1 root root  41M Okt 21 14:07 initrd.img-4.9.0-11-amd64
-rw-r--r--  1 root root  41M Okt 21 13:57 initrd.img-4.9.0-9-amd64
drwx------  2 root root  12K Jul 26 11:53 lost+found
-rw-r--r--  1 root root 179K Nov 22  2017 memtest86+.bin
-rw-r--r--  1 root root 181K Nov 22  2017 memtest86+_multiboot.bin
-rw-r--r--  1 root root 3,1M Sep 20 13:03 System.map-4.9.0-11-amd64
-rw-r--r--  1 root root 3,1M Aug 11 16:53 System.map-4.9.0-9-amd64
-rw-r--r--  1 root root 4,1M Sep 20 13:03 vmlinuz-4.9.0-11-amd64
-rw-r--r--  1 root root 4,1M Sep 26 09:11 vmlinuz-4.9.0-11-amd64.efi.signed
-rw-r--r--  1 root root 4,1M Aug 11 16:53 vmlinuz-4.9.0-9-amd64
-rw-r--r--  1 root root 4,1M Aug 13 09:23 vmlinuz-4.9.0-9-amd64.efi.signed

If some files missing especially the vmlinuz files you can use
update-initramfs -v -c -k all
→ to rebuild the initram. This should include drivers to start the system, which are not included in the kernel build.
Then you can try to reinstall grub
univention-install univention-grub --reinstall

You may face the problem that you have no dns and or network. You can try the following:
ifup ens192
and manually add the /etc/resolv.conf with e.g google as nameserver:
nameserver 8.8.8.8

  • grub
dpkg -l |grep grub
ii  grub-common                                         2.02~beta3-5+deb9u2A~4.4.0.201909191538                             amd64        GRand Unified Bootloader (common files)
ii  grub-efi-amd64                                      2.02~beta3-5+deb9u2A~4.4.0.201909191538                             amd64        GRand Unified Bootloader, version 2 (EFI-AMD64 version)
ii  grub-efi-amd64-bin                                  2.02~beta3-5+deb9u2A~4.4.0.201909191538                             amd64        GRand Unified Bootloader, version 2 (EFI-AMD64 binaries)
ii  grub2-common                                        2.02~beta3-5+deb9u2A~4.4.0.201909191538                             amd64        GRand Unified Bootloader (common files for version 2)
ii  univention-grub                                     11.0.0-1A~4.3.0.201712120233                                        all          UCS - meta package for the Grub2 configuration

apt -s install grub-efi-amd64-signed

“Die folgenden Pakete haben unerfüllte Abhängigkeiten:
grub-efi-amd64-signed : Hängt ab von: grub-efi-amd64 (= 2.02~beta3-5+deb9u2A~4.3.5.201910070951) aber 2.02~beta3-5+deb9u2A~4.4.0.201909191538 soll installiert werden
E: Probleme können nicht korrigiert werden, Sie haben zurückgehaltene defekte Pakete.”

Step 3 → EFI

If you have EFI you may check the bootorder configured here:
root@ucs~: efibootmgr -v
BootCurrent: 0004

BootOrder: 0005,0004,0000,0001,0002,0003
Boot0000* EFI Virtual disk (0.0) PciRoot(0x0)/Pci(0x15,0x0)/Pci(0x0,0x0)/SCSI(0,0)
Boot0001* EFI VMware Virtual SATA CDROM Drive (0.0) PciRoot(0x0)/Pci(0x11,0x0)/Pci(0x3,0x0)/Sata(0,0,0)
Boot0002* EFI Network PciRoot(0x0)/Pci(0x16,0x0)/Pci(0x0,0x0)/MAC(000c295af802,1)
Boot0003* EFI Internal Shell (Unsupported option) MemoryMapped(11,0xcb2e000,0xcf9afff)/FvFile(c57ad6b7-0717-48a0-9d21-531652834e57)
Boot0004 grub HD(1,GPT,368c5b12-b17e-488a-b20e-2e4d7140745f,0x800,0x100000)/File(\EFI\grub\shimx64.efi)*
Boot0005 * univention HD(1,GPT,368c5b12-b17e-488a-b20e-2e4d7140745f,0x800,0x100000)/File(\ EFI\univention\grubx64.efi) → this enty is wrong, here should be the entry shimx64.efi

Solution

Fix the efi boot entries

 root@ucs:/boot/efi# efibootmgr -B -b 5 → removes the wrong entry 
BootCurrent: 0004
BootOrder: 0004,0000,0001,0002,0003
Boot0000* EFI Virtual disk (0.0)
Boot0001* EFI VMware Virtual SATA CDROM Drive (0.0)
Boot0002* EFI Network
Boot0003* EFI Internal Shell (Unsupported option)
Boot0004* grub

root@ucs:/boot/efi# efibootmgr --create --label univention --disk /dev/sda --part 1 --loader '\EFI\univention\shimx64.efi'  → legt den richtigen Eintrag an
BootCurrent: 0004
BootOrder: 0005,0004,0000,0001,0002,0003
Boot0000* EFI Virtual disk (0.0)
Boot0001* EFI VMware Virtual SATA CDROM Drive (0.0)
Boot0002* EFI Network
Boot0003* EFI Internal Shell (Unsupported option)
Boot0004* grub
Boot0005* univention

root@ucs:/boot/efi# efibootmgr -v
BootCurrent: 0004
BootOrder: 0005,0004,0000,0001,0002,0003
Boot0000* EFI Virtual disk (0.0)        PciRoot(0x0)/Pci(0x15,0x0)/Pci(0x0,0x0)/SCSI(0,0)
Boot0001* EFI VMware Virtual SATA CDROM Drive (0.0)     PciRoot(0x0)/Pci(0x11,0x0)/Pci(0x3,0x0)/Sata(0,0,0)
Boot0002* EFI Network   PciRoot(0x0)/Pci(0x16,0x0)/Pci(0x0,0x0)/MAC(000c295af802,1)
Boot0003* EFI Internal Shell (Unsupported option)       MemoryMapped(11,0xcb2e000,0xcf9afff)/FvFile(c57ad6b7-0717-48a0-9d21-531652834e57)
Boot0004* grub  HD(1,GPT,368c5b12-b17e-488a-b20e-2e4d7140745f,0x800,0x100000)/File(\EFI\grub\shimx64.efi)
Boot0005* univention    HD(1,GPT,368c5b12-b17e-488a-b20e-2e4d7140745f,0x800,0x100000)/File(\EFI\univention\shimx64.efi)
1 Like
Problem bei Update auf 4.4-8
#2
Mastodon