[Bug 973745] New: Shim chainloaded by grub2 fails to load kernel
http://bugzilla.opensuse.org/show_bug.cgi?id=973745
Bug ID: 973745
Summary: Shim chainloaded by grub2 fails to load kernel
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Bootloader
Assignee: mchang@suse.com
Reporter: arvidjaar@gmail.com
QA Contact: jsrain@suse.com
CC: glin@suse.com, pjones@redhat.com
Found By: ---
Blocker: ---
This was discussed on the opensuse mailing list, but the user has trouble with his bugzilla account so I report it for him.
The user tries to chainload the Mint (Ubuntu) shim from TW grub2. This works and the user gets the Mint grub2 menu, but the attempt to load the Mint kernel fails with
    Bootloader has not verified image.
    System is compromised
Chainloading in the reverse direction (chainload TW shim from Mint grub2) works.
As far as I can tell, this is caused by this shim patch:
commit 7ad94952cdfbf417501d2053368d1e831097fea8
Author: Peter Jones
--- Comment #1 from Michael Chang
--- Comment #2 from Michael Chang
--- Comment #3 from Andrei Borzenkov
> > bootloader(2) -> tries to call ExitBootServices and launch kernel
>
> This looks odd, because ExitBootServices is not called by linuxefi by using handover protocol. It's supposed to get called within kernel's efi stub.

Yes, you are of course right, thank you for the correction. But it does not matter whether the bootloader or the kernel calls ExitBootServices, because shim(1) will in both cases simply display an error message and reset the system.

-- You are receiving this mail because: You are on the CC list for the bug.
--- Comment #4 from Michael Chang
--- Comment #5 from Andrei Borzenkov
> Ah, I think it's BS->Exit() and not the BS->ExitBootService().

Sorry?

/* we need to hook ExitBootServices() so a) we can enforce the policy
 * and b) we can unwrap when we're done. */
system_exit_boot_services = systab->BootServices->ExitBootServices;
systab->BootServices->ExitBootServices = exit_boot_services;
--- Comment #6 from Michael Chang
> (In reply to Michael Chang from comment #4)
> > Ah, I think it's BS->Exit() and not the BS->ExitBootService().
>
> Sorry?

I was referring to commit 7ad94952cdfbf417501d2053368d1e831097fea8 that you pointed out could be the cause.

> /* we need to hook ExitBootServices() so a) we can enforce the policy
>  * and b) we can unwrap when we're done. */
> system_exit_boot_services = systab->BootServices->ExitBootServices;
> systab->BootServices->ExitBootServices = exit_boot_services;

Admittedly I don't really understand shim well enough to answer, let's wait for Gary's response to your comments. Thanks.
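As an added illustration of the hooking pattern in the lines quoted above (a constructed model written for this page, not shim's code and not from any participant in this bug): a wrapper is installed over the Boot Services ExitBootServices pointer, enforces a policy when the running image calls it, unwraps itself, and forwards to whatever pointer it replaced. With two shims in the chain, the kernel's call reaches shim(2)'s wrapper first and then shim(1)'s, so the outer shim's policy is still applied even though shim(2) was happy. The `loader_participated` flag, the hook stack, and the status values are this model's own simplifications; the thread does not settle which internal state shim(1) ends up checking, so the failing chain scenario simply sets shim(1)'s flag false to show the effect Andrei describes.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of shim hooking ExitBootServices. Status values are
 * illustrative only, not the UEFI encodings. */
typedef enum { EFI_SUCCESS = 0, EFI_SECURITY_VIOLATION = 26 } efi_status_t;
typedef efi_status_t (*exit_boot_services_fn)(void);

/* Stand-in for the UEFI Boot Services table: only the entry shim hooks. */
typedef struct { exit_boot_services_fn ExitBootServices; } boot_services_t;

typedef struct {
    const char *name;
    exit_boot_services_fn system_exit_boot_services; /* pointer saved before hooking */
    bool loader_participated;  /* assumption: set when a loader used this shim's verify protocol */
} shim_t;

static boot_services_t bs = { NULL };
static shim_t *hook_stack[4];   /* which shim owns the currently installed hook */
static int hook_depth = 0;
static int firmware_exit_calls = 0;

/* The firmware's real ExitBootServices; we only count that it was reached. */
static efi_status_t firmware_exit_boot_services(void) {
    firmware_exit_calls++;
    return EFI_SUCCESS;
}

/* The wrapper each shim installs: enforce the policy, then unwrap and forward. */
static efi_status_t exit_boot_services(void) {
    shim_t *s = hook_stack[--hook_depth];
    if (!s->loader_participated) {
        printf("%s: Bootloader has not verified image. System is compromised\n", s->name);
        return EFI_SECURITY_VIOLATION;  /* real shim alerts and resets here */
    }
    bs.ExitBootServices = s->system_exit_boot_services;  /* unwrap this layer */
    return s->system_exit_boot_services();  /* next layer: an outer shim's hook or the firmware */
}

/* Same two steps as the quoted shim lines: save the old pointer, install ours. */
static void shim_hook(shim_t *s) {
    s->system_exit_boot_services = bs.ExitBootServices;
    bs.ExitBootServices = exit_boot_services;
    hook_stack[hook_depth++] = s;
}

static void reset_model(void) {
    bs.ExitBootServices = firmware_exit_boot_services;
    hook_depth = 0;
    firmware_exit_calls = 0;
}

/* Single shim: shim -> grub -> kernel. */
efi_status_t boot_single(bool grub_used_shim_verify) {
    reset_model();
    shim_t shim = { "shim", NULL, false };
    shim_hook(&shim);
    shim.loader_participated = grub_used_shim_verify;
    return bs.ExitBootServices();  /* the kernel's efi stub calls through the table */
}

/* Chainload: shim(1) -> grub(1) -> shim(2) -> grub(2) -> kernel. Both hooks are
 * installed; the kernel's call reaches shim(2) first, then shim(1). */
efi_status_t boot_chain(bool shim1_satisfied, bool shim2_satisfied) {
    reset_model();
    shim_t shim1 = { "shim(1)", NULL, false };
    shim_t shim2 = { "shim(2)", NULL, false };
    shim_hook(&shim1);
    shim_hook(&shim2);
    shim1.loader_participated = shim1_satisfied;
    shim2.loader_participated = shim2_satisfied;
    return bs.ExitBootServices();
}

bool table_restored(void) { return bs.ExitBootServices == firmware_exit_boot_services; }
int firmware_calls(void) { return firmware_exit_calls; }

int main(void) {
    printf("single, verified:            %d\n", boot_single(true));
    printf("single, unverified:          %d\n", boot_single(false));
    printf("chain, both satisfied:       %d\n", boot_chain(true, true));
    printf("chain, shim(1) unsatisfied:  %d\n", boot_chain(false, true));
    return 0;
}
```

In the failing chain case the firmware's ExitBootServices is never reached: shim(2) unwraps and forwards, and the outer wrapper refuses, which is the point made in comment #3 about it not mattering whether the bootloader or the kernel makes the call.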
--- Comment #7 from Gary Ching-Pang Lin
--- Comment #8 from Andrei Borzenkov
> The bug looks similar to bug#963919 to me.

Yes, it is the same bug. But in this case we do not have the luxury of chainloading Ubuntu grub as we cannot verify it.

@Michael, I still think that grub2 chainloader should really try LoadImage/StartImage first and only if this fails with EFI_SECURITY_VIOLATION attempt current code. This will sidestep this issue at least for the common case of chainloading another OS.

Marking as duplicate then.

*** This bug has been marked as a duplicate of bug 963919 ***
--- Comment #9 from Michael Chang
> (In reply to Gary Ching-Pang Lin from comment #7)
> > The bug looks similar to bug#963919 to me.
>
> Yes, it is the same bug. But in this case we do not have the luxury of chainloading Ubuntu grub as we cannot verify it.
>
> @Michael, I still think that grub2 chainloader should really try LoadImage/StartImage first and only if this fails with EFI_SECURITY_VIOLATION attempt current code. This will sidestep this issue at least for the common case of chainloading another OS.

I don't know. Is this an attempt to work around a shim bug? If so I think Gary is now investigating and we should wait for him. If not a workaround, why would LoadImage work while shim_verify does not? In my understanding LoadImage() would fail unless the keys are in kek/db. I think Mint is using MOK, so LoadImage should always fail (if it works in this case then that's interesting ..). Finally shim may provide hooks for LoadImage/StartImage in the build but we don't want to use it, because it depends on a protocol defined in the PI (!UEFI) spec and as I last heard from Gary, it is not ready yet ... Thanks.
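An added model (constructed for this page, not grub's or shim's code and not from any participant) of the two verification paths compared in comments #8 and #9: the firmware's LoadImage answers only from db, whereas shim's verify protocol also consults MOK, which is why a MOK-signed Mint grub fails LoadImage as Michael expects. `chainload_proposed` implements Andrei's suggestion (LoadImage first, shim's verify only on EFI_SECURITY_VIOLATION) beside the shim-verify-only path. The signer names, the db and MOK contents, and the omission of dbx and hash entries are this example's simplifications.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustrative status values, not the UEFI encodings. */
typedef enum { EFI_SUCCESS = 0, EFI_SECURITY_VIOLATION = 26 } efi_status_t;

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed key databases: signer names stand in for certificates. */
static const char *db[]  = { "Microsoft UEFI CA", "openSUSE Secure Boot CA" };
static const char *mok[] = { "Ubuntu Secure Boot CA" };  /* what a Mint/Ubuntu install enrolls */

typedef struct {
    const char *name;
    const char *signer;  /* NULL means the image is unsigned */
} image_t;

static bool in_list(const char *const *list, size_t n, const char *signer) {
    if (signer == NULL) return false;
    for (size_t i = 0; i < n; i++)
        if (strcmp(list[i], signer) == 0) return true;
    return false;
}

/* The firmware's LoadImage: trusts db only (dbx and hash entries omitted). */
efi_status_t firmware_load_image(const image_t *img) {
    return in_list(db, COUNT(db), img->signer) ? EFI_SUCCESS : EFI_SECURITY_VIOLATION;
}

/* shim's verify protocol: db plus the Machine Owner Key list. */
efi_status_t shim_verify(const image_t *img) {
    if (in_list(db, COUNT(db), img->signer) || in_list(mok, COUNT(mok), img->signer))
        return EFI_SUCCESS;
    return EFI_SECURITY_VIOLATION;
}

typedef enum { PATH_NONE, PATH_LOADIMAGE, PATH_SHIM_VERIFY } chain_path_t;

/* The path discussed as "current code": always verify through shim and use grub's own loader. */
chain_path_t chainload_current(const image_t *img) {
    return shim_verify(img) == EFI_SUCCESS ? PATH_SHIM_VERIFY : PATH_NONE;
}

/* Andrei's proposal: LoadImage/StartImage first, fall back only on EFI_SECURITY_VIOLATION. */
chain_path_t chainload_proposed(const image_t *img) {
    efi_status_t st = firmware_load_image(img);
    if (st == EFI_SUCCESS) return PATH_LOADIMAGE;
    if (st != EFI_SECURITY_VIOLATION) return PATH_NONE;  /* other errors are not a signing problem */
    return shim_verify(img) == EFI_SUCCESS ? PATH_SHIM_VERIFY : PATH_NONE;
}

static const char *path_name(chain_path_t p) {
    return p == PATH_LOADIMAGE ? "LoadImage/StartImage" : p == PATH_SHIM_VERIFY ? "shim verify" : "refused";
}

int main(void) {
    const image_t images[] = {
        { "TW shim (db-signed)",     "Microsoft UEFI CA" },
        { "Mint grub (MOK-signed)",  "Ubuntu Secure Boot CA" },
        { "unsigned image",          NULL },
    };
    for (size_t i = 0; i < COUNT(images); i++)
        printf("%-26s current: %-12s proposed: %s\n", images[i].name,
               path_name(chainload_current(&images[i])), path_name(chainload_proposed(&images[i])));
    return 0;
}
```

The MOK-signed image is the case that separates the two: the firmware refuses it, so the proposed order ends up on exactly the same shim-verify path as today, which is Michael's objection, while a db-signed image would go through the firmware's own loader and never touch shim's hooks.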