Skip to main content
Topic: mkinitcpio fail to generate an UEFI executable (Read 1494 times) previous topic - next topic
0 Members and 1 Guest are viewing this topic.

mkinitcpio fail to generate an UEFI executable

Hello,

I switched to Artix Linux a few weeks ago and I am not an expert in system administration. I recently became interested in securing the boot process and discovered that it was not that complicated to create your own keys, sign your binaries and activate secure boot again. However, in order to go further in this process, I have to generate a unified kernel image. I already used mkinitcpio in the past to generate images, but not UEFI ones.

I tried to launch the first command from this page of ArchWiki (modified with my current esp path) and already added the microcode and default_ef_image parameters in the preset file. It successfully generates an initramfs image, it then tries to create an UEFI executable, tells “Using kernel image, cmdline, os-release file, microcode image” and stutters from here with the following lines:
“objcopy: «  »: pas de tel fichier --> no such file
objcopy: --change-section-vma .initrd=0x0000000003000000 jamais utilisé --> never used
objcopy: --change-section-vma .linux=0x0000000002000000 jamais utilisé --> never used
objcopy: --change-section-vma .cmdline=0x0000000000030000 jamais utilisé --> never used
objcopy: --change-section-vma .osrel=0x0000000000020000 jamais utilisé --> never-used
==> ERROR: UEFI executable generation FAILED”

I looked in mkinitcpio’s command (I am not good in shell script either), the problem seems to come from the “build_uefi()” function. It begins (even before the “kernel image” line) with something about a stub which looks mandatory given the objcopy further, and it looks for the stub in /usr/lib/{systemd or gummiboot}. I do not have any of these and strangely, it does not warn me with the message: “UEFI stub '%s' not found" "$uefistub”.

I could not find anything with “UEFI executable generation FAILED” on the web apart from Archlinux’s mkinitcpio file on GitHub (which is probably the same as mine).

Do someone have any idea for implementing a secure boot, does the problem comes from that missing stub (the objcopy manual looks like it needs an infile)?

Thanks in advance.

Re: mkinitcpio fail to generate an UEFI executable

Reply #1
I succeeded to generate an executable by copying a stub from another Linux ISO, but with this unified kernel image, the boot gets stuck with secure boot enabled and disabled (it looks like it is correctly signed though, I do not have any error anymore).
I had to rename the executable from bootx64.efi to grubx64.efi because I had the error message “Failed to (open|load image) EFI\LINUX\grubx64.efi - Not found”. So I think it has something to do with the stub I took from elsewhere, maybe there there are some hard-coded paths into the stub which somehow initialized my image with it.

Edit: I now used what I think is the stub from Artix Linux ISO, I was not sure it was that as its size is way smaller. I do not have any warning about signature, but it still looks like it tries to launch GRUB. I get a “Welcome to GRUB” screen with most of the content of /etc/os-release and that’s it.

So now, my question would rather be: Is it the stub which initialize some paths to GRUB? If yes, how do we get a virgin stub without systemd, is it only possible by compiling the kernel (or maybe a part of the source)?

Re: mkinitcpio fail to generate an UEFI executable

Reply #2
I am currently facing the exact same issue.
I have confirmed that in fact $uefistub does not get set as none of the paths {/usr,}/lib/{systemd/boot/efi,gummiboot}/linux{x64,ia32}.efi.stub apply.
This causes objcopy to fail as it is later called via:
Code: [Select]
    objcopy \
        --add-section .osrel="$osrelease" --change-section-vma .osrel=0x20000 \
        --add-section .cmdline=<(grep '^[^#]' "$cmdline" | tr -s '\n' ' ') --change-section-vma .cmdline=0x30000 \
        --add-section .linux="$kernelimg" --change-section-vma .linux=0x2000000 \
        --add-section .initrd=<(cat ${microcode[@]} "$initramfs") --change-section-vma .initrd=0x3000000 \
        ${OBJCOPYARGS[@]} "$uefistub" "$out"
with "$uefistub" still being ''

Installing efistub-standalone should take care of the missing file.
I did not try to boot it yet but at least mkinitcpio did not complain anymore.

 

Re: mkinitcpio fail to generate an UEFI executable

Reply #3
Yep can confirm, booted both linux and linux-hardened and both booted fine.

Like it was said in the last post, all you have to do is install the missing files from this AUR package: https://aur.archlinux.org/packages/efistub-standalone