Search

Resolving UEFI Integrity Errors with GRUB Configuration

Alexander Hill
Alexander Hill
  • Updated

Problem Overview

This knowledge base article addresses a common Linux boot error that appears in kernel logs (dmesg):

[ 0.965585] integrity: Error adding keys to platform keyring UEFI:db
 

This error occurs during the boot process when the kernel attempts to add UEFI Secure Boot keys to the platform keyring but encounters problems, typically related to UEFI Secure Boot validation.

Root Cause

The error typically stems from one of the following issues:

  • Mismatched or invalid UEFI Secure Boot keys
  • Incompatibility between the Linux kernel and the UEFI firmware
  • Conflicts between hardware and the UEFI Secure Boot implementation
  • Outdated or misconfigured UEFI firmware

Solution: Disabling EFI Runtime Services via GRUB

A proven solution is to add the noefi parameter to your kernel command line through GRUB configuration. This parameter instructs the kernel not to use EFI runtime services, effectively bypassing the UEFI secure boot verification that causes the error.

Implementation Steps

  1. Edit the GRUB Configuration File:
     
    sudo vi /etc/default/grub
     
     
  2. Modify the Following Parameters:
     
    GRUB_DEFAULT=0
    GRUB_TIMEOUT_STYLE=hidden
    GRUB_TIMEOUT=0
    GRUB_DISTRIBUTOR='lsb_release -i -s 2> /dev/null || echo Debian'
    GRUB_CMDLINE_LINUX_DEFAULT="kpti=off noefi quiet"
    GRUB_CMDLINE_LINUX=""
    The key modification here is adding noefi to the GRUB_CMDLINE_LINUX_DEFAULT parameter.
     
  3. Update GRUB:
     
    sudo update-grub
  4. Reboot the System:
     
    sudo reboot

Parameter Explanation

  • noefi: Disables EFI runtime services in the kernel, preventing the "integrity: Error adding keys to platform keyring UEFI
     
    " message by avoiding the UEFI Secure Boot validation process entirely.
  • Additional parameters in the example configuration:
    • kpti=off: Disables Kernel Page Table Isolation (note: this is unrelated to the UEFI error but included in the example configuration)
    • quiet: Reduces boot-time messages (optional, for cleaner boot experience)

Trade-offs and Considerations

Advantages

  • Eliminates the UEFI
     
    error message
  • Allows the system to boot without UEFI-related interruptions
  • Can improve boot time slightly by skipping UEFI runtime services

Disadvantages

  • Disables all EFI runtime services, which might be needed for some hardware features
  • May affect system suspend/resume on certain hardware
  • Bypasses Secure Boot protections, potentially reducing system security

Alternative Solutions

If disabling EFI runtime services is not desirable, consider these alternatives:

  1. Update UEFI firmware (BIOS) to the latest version
  2. Disable Secure Boot in UEFI/BIOS settings
  3. Enroll proper keys in the UEFI firmware if using custom kernels
  4. Update the kernel to a version that might have fixed compatibility issues

When to Apply This Solution

This solution is recommended when:

  • The error message appears consistently in dmesg output
  • The system experiences boot issues related to UEFI Secure Boot
  • Other solutions like BIOS updates haven't resolved the issue
  • The system doesn't critically depend on UEFI runtime services

Verification

To verify the solution has worked:

  1. Reboot the system
  2. Check dmesg output:
     
    dmesg | grep -i integrity
     
  3. The error message should no longer appear

Reverting Changes

If issues arise after applying this change, return to the original configuration:

  1. Edit /etc/default/grub again
  2. Remove noefi from GRUB_CMDLINE_LINUX_DEFAULT
  3. Run sudo update-grub
  4. Reboot

Was this article helpful?

0 out of 0 found this helpful

Have more questions? Submit a request

Comments

0 comments

Please sign in to leave a comment.