Bug ID 1175980
Summary chainloading is broken with the new shim
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Bootloader
Assignee screening-team-bugs@suse.de
Reporter nwr10cst-oslnx@yahoo.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Build Identifier: 

I have Ubuntu-20 and Tumbleweed 20200829 installed side by side in a KVM
virtual machine.

I also have Jump 15.2 and Tumbleweed installed side by side in a different VM. 
Note that Jump 15.2 uses the SUSE shim rather than the openSUSE shim.

I will describe what I am seeing for the ubuntu case.  I see similar problems
in both of those virtual machines.

If I allow Ubuntu to control the booting, then it cannot boot Tumbleweed.  If I
allow Tumbleweed to control the booting, then it cannot boot Ubuntu.

I added an entry to the Tumbleweed boot menu to chainload to the Ubuntu shim. 
The idea was that this would allow booting Ubuntu from the Tumbleweed boot
menu.  In the past that used to work.  Now it does not work, and gives a "bad
signature" error.

I tried it the other way.  That is, I added an entry to the Ubuntu boot menu to
chainload the openSUSE shim.  That also does not work (gives a bad signature
error).

I should note that if I disable secure-boot, then these all work.  I used that
to test the boot menu entry.  But with secure-boot enabled, they do not work.

Next, I tried importing the Tumbleweed shim certificate ("4659838C-shim.crt")
while running Ubuntu.  With that change, the Ubuntu direct menu entry for
Tumbleweed now works.  But the menu entry to chainload to the Tumbleweed shim
still does not work.

Hmm, I should explain "does not work".

When I use the chainload menu entry, that seems to work.  It brings up the
expected menu.  So if I chainload from Tumbleweed to Ubuntu, I do see the
Ubuntu boot menu.  But when I attempt to boot Ubuntu, I get the "bad signature"
error as the kernel is loaded.

Similarly, if I chainload from Ubuntu to Tumbleweed (and set the boot order to
prefer Ubuntu), then the chainload brings up the Tumbleweed boot menu.  But if
I attempt to boot Tumbleweed, I get the "bad signature" error as the kernel is
loaded.  After importing the Tumbleweed shim certificate, that error message
changes to "System is compromised. halting".

The Ubuntu files (in "\EFI\ubuntu") have dates from last April.  I'm guessing
it is the openSUSE changes that are causing the problems in both directions.

Reproducible: Always

