Michael Chang changed bug 1185441

What      Removed   Added
CC                  glin@suse.com
Flags               needinfo?(glin@suse.com)

Comment # 4 on bug 1185441 from
I can reproduce the error. It appears that the secure boot validation has been
disabled through MokManager, but shim still insists on enforcing it and spews
"system is compromised ..." when grub is told to skip shim_lock to honor the
setting.

The step to reproduce:

(Secure Boot Standard Mode in firmware)
1. mokutil --disable-validation
2. reboot
3. Press Down and Enter in shim menu to *Change secure boot state*
4. Enter three password characters.
5. Press y and Enter to confirm *disabling* Secure Boot
6. Press any key to reboot system (reboot)
7. "Bootloader has not verified loaded image. System is compromised, halting"
is logged on screen when trying to boot the linux kernel

Also, we can observe whether secure boot validation has been disabled by
examining the MokSBStateRT variable.

 cd /sys/firmware/efi/efivars
 hexdump -C MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23
 00000000  06 00 00 00 01                                    |.....|
 00000005

"1" means secure boot validation is disabled, in other words shim has been
intentionally put in "insecure" mode to allow booting an unsigned image even if
secure boot is enabled in the firmware.

It then looks like a shim issue to me ...

Gary, did you have any idea? Thanks.
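The hexdump in the comment above shows the raw efivars file: a 4-byte attribute header (0x06 here, BOOTSERVICE_ACCESS | RUNTIME_ACCESS) followed by the single MokSBStateRT data byte. The following POSIX sh function, added here as an example and not part of the bug report or of shim/mokutil, reads such a file, skips the header and reports whether shim has been put in "insecure" mode, so an administrator can check for that state without counting hexdump columns. The variable path and GUID are taken from the comment; the `mok_sb_state` function name and the `EFIVARS_DIR` override are assumptions of this example.

```shell
#!/bin/sh
# Example (not from the bug report): decode MokSBStateRT from the efivars
# filesystem and report whether shim's secure boot validation is disabled.
EFIVARS_DIR="${EFIVARS_DIR:-/sys/firmware/efi/efivars}"
MOK_SB_VAR="MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23"

# mok_sb_state FILE
#   Prints one of: disabled, enabled, malformed, unreadable.
#   efivars files start with a 4-byte little-endian attribute word; the
#   variable payload begins at byte 5. For MokSBStateRT a payload byte of 1
#   means validation is disabled (shim "insecure" mode).
mok_sb_state() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "unreadable"
        return 0
    fi
    # od prints every byte as an unsigned decimal number; -v keeps
    # duplicate lines so the positional count is exact.
    set -- $(od -An -tu1 -v "$file")
    if [ "$#" -lt 5 ]; then
        echo "malformed"
        return 0
    fi
    attrs=$(( $1 | ($2 << 8) | ($3 << 16) | ($4 << 24) ))
    # Attribute bits: 1 = NON_VOLATILE, 2 = BOOTSERVICE_ACCESS, 4 = RUNTIME_ACCESS
    if [ $(( attrs & 4 )) -eq 0 ]; then
        echo "malformed"   # MokSBStateRT must be runtime-accessible
        return 0
    fi
    if [ "$5" -eq 1 ]; then
        echo "disabled"
    else
        echo "enabled"
    fi
    return 0
}

# Usage: sh mok_sb_state.sh [path-to-efivar-file]
# With no argument the default MokSBStateRT path is checked when present.
if [ "$#" -gt 0 ]; then
    mok_sb_state "$1"
elif [ -r "$EFIVARS_DIR/$MOK_SB_VAR" ]; then
    mok_sb_state "$EFIVARS_DIR/$MOK_SB_VAR"
fi
```

The efivars file may simply be absent on a machine where the variable was never set (shim then behaves as if validation is enabled), which the function reports as "unreadable" rather than guessing. Run it against the default path to confirm the state described in the comment, or pass a copied file to decode offline.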
