[Bug 963919] New: System shut down after booting with "Boot from Hard Disk"
http://bugzilla.opensuse.org/show_bug.cgi?id=963919 Bug ID: 963919 Summary: System shut down after booting with "Boot from Hard Disk" Classification: openSUSE Product: openSUSE Tumbleweed Version: 2015* Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Bootloader Assignee: jsrain@suse.com Reporter: glin@suse.com QA Contact: jsrain@suse.com Found By: --- Blocker: --- Steps to reproduce: 1. Make sure Secure Boot is enabled in the firmware and openSUSE is already installed in the machine. 2. Boot the "Tumbleweed" DVD and select "Boot from Hard Disk" 3. Select "openSUSE Tumbleweed" 4. The system showed "Bootloader has not verified loaded image." and shut down. It's caused by the multiple shim protocols installed in the system. For security reason, shim replaced a set of BootService functions, LoadImage, StartImage, and ExitBootServices, to make sure the bootloaders afterward really check the signatures of other UEFI images. To avoid multiple shim being installed, shim uninstalls its own protocol in StartImage. In this case, the boot path is: shim.efi(DVD) -> grub.efi(DVD) -> shim.efi(HDD) -> grub.efi(HDD) -> linux kernel | | +- shim protocol(#0) | BootService functions(#0) | +- shim protocol(#1) BootService functions(#1) Since shim and grub implemented their own version of StartImage, so no one invoked StartImage and shim.efi(DVD) never uninstalled its protocol, and grub.efi(HDD) invoked shim protocol(#0). Since linux kernel inherited systab from grub.efi(HDD) which inerited systab from shim.efi(HDD), so the kernel invoked ExitBootServices from BootService functions(#1). Thus, shim.efi(HDD) thought the bootloader never verified the other images and shut down the system. There is a quick fix: load /efi/opensuse/grub.efi instead of /efi/opensuse/shim.efi. I'll also raise this issue to shim upstream to fix it properly. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=963919
Gary Ching-Pang Lin
http://bugzilla.opensuse.org/show_bug.cgi?id=963919
http://bugzilla.opensuse.org/show_bug.cgi?id=963919#c1
Gary Ching-Pang Lin
http://bugzilla.opensuse.org/show_bug.cgi?id=963919
http://bugzilla.opensuse.org/show_bug.cgi?id=963919#c3
Gary Ching-Pang Lin
You mean like this?:
Yes, this should work:) -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=963919
http://bugzilla.opensuse.org/show_bug.cgi?id=963919#c5
Andrei Borzenkov
http://bugzilla.opensuse.org/show_bug.cgi?id=963919
http://bugzilla.opensuse.org/show_bug.cgi?id=963919#c6
--- Comment #6 from Andrei Borzenkov
*** Bug 973745 has been marked as a duplicate of this bug. ***
As shown in this bug, same problem also happens when chainloading shim from other OS, in which case this workaround is not possible (we cannot directly chainload foreign bootloader). We can workaround it in grub2 by attempting LoadImage/StartImage first which should cover another shim case. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=963919
http://bugzilla.opensuse.org/show_bug.cgi?id=963919#c7
--- Comment #7 from Gary Ching-Pang Lin
participants (1)
-
bugzilla_noreply@novell.com