Comment # 22 on bug 1185441 from
(In reply to Tiago Marques from comment #21)
> (In reply to Gary Ching-Pang Lin from comment #18)
> > (In reply to Tiago Marques from comment #17)
> > > (In reply to Gary Ching-Pang Lin from comment #16)
> > > > (In reply to Tiago Marques from comment #15)
> > > > > (In reply to Gary Ching-Pang Lin from comment #13)
> > > > > > (In reply to Tiago Marques from comment #12)
> > > > > > > Hi,
> > > > > > > 
> > > > > > > I've been hit by this for some months now. Every Grub2 update, I get the
> > > > > > > same message as OP.
> > > > > > > Not sure which grub package is to blame and I'm using EFI and secure boot.
> > > > > > > 
> > > > > > > I've managed to (twice) solve the issue by booting a live USB, chrooting and
> > > > > > > then running 'shim-install'.
> > > > > > > 
> > > > > > > Not sure where the bug is or if this helps. I'm available to test other
> > > > > > > things out to help fix this.
> > > > > > 
> > > > > > Before upgrading "shim", could you try "mokutil --enable-validation" and
> > > > > > reboot the system to clean up MokSBState?
> > > > > 
> > > > > Tried but the command is asking me for a password. I have no password set on
> > > > > the BIOS. Is this the expected behavior?
> > > > 
> > > > That's a password used to verify physical access when modifying MokSBState
> > > > variable. During the next boot, MokManager will ask if you want to "Change
> > > > Secure Boot state" and randomly ask 3 characters of the password you set.
> > > > It's an one-time password and will be dropped after use.
> > > 
> > > After doing that, got an unbootable system with the the same "system is
> > > compromised message".
> > > 
> > What's the version of shim in the system? Could you try
> > 
> > 1) downgrade shim with the following rpm
> > http://download.opensuse.org/update/leap/15.2/oss/x86_64/shim-15+git47-lp152.
> > 4.6.1.x86_64.rpm
> > 
> > 2) mokutil --enable-validation
> > 
> > 3) reboot the system to clear MokSBState
> > 
> > 4) upgrade shim to 15.4 again and reboot the system to see if the issue
> > persists
> > 
> > > Tried to restore the same way as before, but the OpenSUSE live USB was also
> > > unbootable w/ messages:
> > > 
> > > ---
> > > Failed to open \EFI\BOOT\MokManager.efi - Not Found
> > > Failed to load image \EFI\BOOT\MokManager.efi: Not Found
> > > Failed to start MokManager: Not Found
> > > Something has gone seriously wrong: import_mok_state() failed
> > > : Not Found
> > > ---
> > > 
> > It seems the request for MokSBState wasn't handled, and MokManager.efi
> > wasn't in Live USB so that shim cannot handle the request.
> > 
> > > I managed to select an option to run "UEFI Application", manually select
> > > 'shim.efi' from the boot drive and get into the OS.
> 
> Tried this to no avail.
> 
> Also tried changing the SB state through the Shim management options but it
> fails with error "Failed to changed SB state".
> 
> Running shim through UEFI programs still works and "shim-install" then fixes
> the boot issue.
> 
> $ mokutil --list-enrolled
> MokListRT is empty
> 
> Could this be related?

The empty MokListRT sounds similar to bsc#1185528. It seems that shim failed to
mirror the keys for some reason.


You are receiving this mail because: