http://bugzilla.opensuse.org/show_bug.cgi?id=963919 Bug ID: 963919 Summary: System shut down after booting with "Boot from Hard Disk" Classification: openSUSE Product: openSUSE Tumbleweed Version: 2015* Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Bootloader Assignee: jsrain@suse.com Reporter: glin@suse.com QA Contact: jsrain@suse.com Found By: --- Blocker: --- Steps to reproduce: 1. Make sure Secure Boot is enabled in the firmware and openSUSE is already installed in the machine. 2. Boot the "Tumbleweed" DVD and select "Boot from Hard Disk" 3. Select "openSUSE Tumbleweed" 4. The system showed "Bootloader has not verified loaded image." and shut down. It's caused by the multiple shim protocols installed in the system. For security reason, shim replaced a set of BootService functions, LoadImage, StartImage, and ExitBootServices, to make sure the bootloaders afterward really check the signatures of other UEFI images. To avoid multiple shim being installed, shim uninstalls its own protocol in StartImage. In this case, the boot path is: shim.efi(DVD) -> grub.efi(DVD) -> shim.efi(HDD) -> grub.efi(HDD) -> linux kernel | | +- shim protocol(#0) | BootService functions(#0) | +- shim protocol(#1) BootService functions(#1) Since shim and grub implemented their own version of StartImage, so no one invoked StartImage and shim.efi(DVD) never uninstalled its protocol, and grub.efi(HDD) invoked shim protocol(#0). Since linux kernel inherited systab from grub.efi(HDD) which inerited systab from shim.efi(HDD), so the kernel invoked ExitBootServices from BootService functions(#1). Thus, shim.efi(HDD) thought the bootloader never verified the other images and shut down the system. There is a quick fix: load /efi/opensuse/grub.efi instead of /efi/opensuse/shim.efi. I'll also raise this issue to shim upstream to fix it properly. -- You are receiving this mail because: You are on the CC list for the bug.