I need to re-install grub (to fix the boot-hole security issue).
I don't want to make a mistake, and because I'm not very comfortable with grub, I ask myself if there is a way to find the grub-install command which was used to install the current grub on the machine.
Thanks for your help.
Environment : Grub 2, Manjaro (Arch linux), EFI boot
Run efibootmgr -v as root. The first line will be BootCurrent: NNNN where NNNN is a hexadecimal four-digit number.
Find the corresponding "BootNNNN" line. It will look similar to this:
BootNNNN* Manjaro HD(X,GPT,11111111-2222-3333-4444-555555555555,0x800,0x82000)/File(\...\something.efi)
NNNN is the number from the first line,Manjaro is the human-readable boot item description string (can be anything),X is the number of the disk in the order detected by the UEFI firmware,11111111-2222-3333-4444-555555555555 is the PARTUUID of the EFI System Partition the bootloader is installed into,\...\something.efi is a Windows-style path name on the EFI System Partition, identifying the bootloader file to use. With GRUB + Secure Boot, it is usually shimx64.efi, shim.efi or something similar, referring to the Secure Boot shim bootloader, which will then load the file named grubx64.efi in the same directory.The EFI System Partition might be mounted as /boot/efi, or /boot, or not mounted at all; different distributions do things differently here. If it's mounted at /boot/efi, run ls -l /boot/efi/EFI/BOOT/BOOTX64.efi and compare the length of that file to the file at the bootloader path identified by efibootmgr -v: if they match, you'll know that you probably should update the fallback bootloader too. (Remember this - more about it later.)
Once you know the PARTUUID, you will be able to use blkid or lsblk -o +PARTUUID to identify the Linux device name corresponding to the EFI System Partition (ESP for short). Now you'll have all the pieces you need to reconstruct the grub-install command.
However, with Secure Boot, the first "bootloader" registered to the system NVRAM will actually be the Secure Boot shim, not GRUB. You don't want to change this fact.
So, you'll probably want to use the --no-nvram option to avoid changing your NVRAM boot variables. As a result, the command to re-install GRUB should be:
grub-install --no-nvram /dev/<the disk device corresponding to your ESP partition>
If GRUB is currently also installed into the fallback bootloader path \EFI\BOOT\BOOTX64.efi on the ESP, you'll want to add the --force-extra-removable option to the grub-install command, so it will update that too.
Note that if you are using the Secure Boot shim bootloader, it will be important to update the shim on the ESP too. Before rebooting the system, verify that both the GRUB and the shim on the ESP have recent enough timestamps. Anything after 2020-07-28 should be good. If the shim package won't update the shim file on the ESP automatically, you can just find the updated shim wherever the package installation procedure puts it, and copy it over the old shim on the ESP.
With Secure Boot and GRUB, the typical layout of the ESP would be like this:
<ESP mountpoint>/EFI/<name of distro>/grubx64.efi = the actual GRUB<ESP mountpoint>/EFI/<name of distro>/shimx64.efi = the Secure Boot shim<ESP mountpoint>/EFI/BOOT/BOOTX64.efi = the fallback boot copy of the shim<ESP mountpoint>/EFI/BOOT/grubx64.efi = the fallback boot copy of GRUBThe paths with the <name of distro> component are generally supposed to be the primary bootloader, but the fallback copy will be useful if the system "forgets" the NVRAM settings for any reason, like with a UEFI firmware update that resets all the firmware settings (aka "BIOS settings") to factory defaults.
You don't need to reinstall GRUB to fix this vulnerability. Simply updating the package should be enough. If GRUB is the only boot loader you might want to update your /boot/efi/EFI/Boot/BOOTX64.EFI - grub-install will not do that.
Also grub-install is meant for old-style MBR systems, it's not really needed any more on UEFI enabled devices.
To be extra sure please check the dates of your grub files in /boot/efi/EFI. Since I'm not sure where the files are installed, please run this command and post its output
find /boot \( -iname grubx64.efi -o -iname 'shim*.efi' \) -exec ls -l '{}' \;
Fixes Boot-Hole issue. You need to re-install grub on your system to complete the security fix with a links to a their wiki.
https://forum.manjaro.org/t/stable-update-2020-08-16-kernels-plasma-kde-framework-systemd-pamac-virtualbox-firefox/1303
– fabien-michel
Aug 17 '20 at 12:51
-rwxr-xr-x 1 root root 123904 30 déc. 2018 /boot/efi/EFI/Manjaro/grubx64.efi
– fabien-michel
Aug 17 '20 at 13:14
/usr instead of /boot. Maybe you'll have to ask the same question on Manjaro's own forums. I don't know how Arch packages get updated exactly. Also if the package has been updated but this file hasn't been - it might indicate a serious bug which needs to be resolved.
– Artem S. Tashkinov
Aug 17 '20 at 13:34
pesign -S -i filename.efishows the name of the certificate used in signing the.efifile, if the file is signed for Secure Boot. – telcoM Aug 17 '20 at 14:36No signature found! thanks again – fabien-michel Aug 17 '20 at 15:09