[Bug 990650] New: shim.efi with two signatures does not boot with SecureBoot enabled on recent ASUS laptop.
http://bugzilla.opensuse.org/show_bug.cgi?id=990650

Bug ID: 990650
Summary: shim.efi with two signatures does not boot with SecureBoot enabled on recent ASUS laptop.
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: x86-64
OS: SUSE Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Bootloader
Assignee: jsrain@suse.com
Reporter: bpesavento@infinito.it
QA Contact: jsrain@suse.com
Found By: ---
Blocker: ---

Created attachment 685586
--> http://bugzilla.opensuse.org/attachment.cgi?id=685586&action=edit
DMI decode for ASUS N551JW

Testing Leap 42.2 Alpha3 on ASUS N551JW I had to install with SecureBoot disabled.
The installed system didn't boot with SecureBoot enabled until I stripped the second signature from shim.efi according to the procedure outlined in https://en.opensuse.org/openSUSE:UEFI

This is mainly to document that a recent firmware from a major manufacturer still has the "single signature" restriction, contrary to common belief (see attached DMI decode).
Personally, I can live without SecureBoot.
The same problem affects Leap 42.1 (current shim.efi are the same AFAIK).

Further info here:
https://forums.opensuse.org/showthread.php/519105-Unable-to-test-Leap-42-2-A...

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=990650#c1
Andrei Borzenkov
Neil Rickert
Ludwig Nussel
http://bugzilla.opensuse.org/show_bug.cgi?id=990650#c3
--- Comment #3 from Bruno Pesavento
http://bugzilla.opensuse.org/show_bug.cgi?id=990650#c6
--- Comment #6 from Bruno Pesavento
Hi Bruno,
I probably couldn't do anything to the firmware in this case and would like to close this bug as WONTFIX.
You could drop ASUS a mail and point them to this edk2 commit: https://github.com/tianocore/edk2/commit/6de4c35f99f05f1d956538852c1cf003883043fd
Hope they didn't miss any security fixes in recent years...
That's OK with me, but maybe an optional shim_stripped.efi with one signature only might be included, as was on OS 12.x IIRC, so copying it to /boot/efi is easier than having to strip the OpenSUSE signature beforehand.
http://bugzilla.opensuse.org/show_bug.cgi?id=990650#c7
--- Comment #7 from Bruno Pesavento