[Bug 809038] New: EFI problems - cannot boot windows with secure boot
https://bugzilla.novell.com/show_bug.cgi?id=809038 https://bugzilla.novell.com/show_bug.cgi?id=809038#c0 Summary: EFI problems - cannot boot windows with secure boot Classification: openSUSE Product: openSUSE Factory Version: 13.1 Milestone 0 Platform: x86-64 OS/Version: SUSE Other Status: NEW Severity: Normal Priority: P5 - None Component: Bootloader AssignedTo: jsrain@suse.com ReportedBy: nrickert@ameritech.net QAContact: jsrain@suse.com Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0 I managed to find the iso for the final release a day early. This is based on a DVD install from the final release. Two problems here - perhaps this needs to be split into two reports. Problem 1: I think this is a problem, but I'm not sure. The installer wanted to format the efi partition. In my case, that's not a problem because I have two disks and only opensuse was on the partition that it wanted to format. But I think that would be a disaster for dual booting with Windows on a single partition. Problem 2: There's a grub2-efi menu entry for booting Windows. But it does not work if secure boot is enabled. It is fine if secure boot is disabled. Here's the error message from the UEFI BIOS: File: \EFI\Microsoft\Boot\BCD Status: 0xc000000f Info: The Boot Configuration Data for your PC is missing or contains errors If I hit F12 during boot, and select Microsoft for booting, that works fine. But booting with the grub menu fails as above (unless I disable secure boot). The grub menu entry contains: chainloader /efi/Microsoft/Boot/bootmgfw.efi When I mount the EFI partition from the windows disk, and run a find for files with name *.efi, I get the following list: EFI/Microsoft/Boot/bootmgfw.efi EFI/Microsoft/Boot/bootmgr.efi EFI/Microsoft/Boot/memtest.efi EFI/Boot/bootx64.efi EFI/Dell/Boot/bootmgfw.efi EFI/Dell/Boot/bootmgr.efi EFI/Dell/Boot/bootx64.efi EFI/Dell/Boot/memtest.efi I am guessing that grub is picking the wrong one of those. Reproducible: Always Steps to Reproduce: 1. 2. 3. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c1
Jiri Srain
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c2
--- Comment #2 from Michael Chang
Formatting is correct (there are even distros doing that on every bootloader update). There is nothing preventing you from having multiple boot partitions for multiple operating systems.
Re Windows boot: Michael, can you find out if it is GRUB2 issue or installer issue?
I don't know, :( probably it's windows loader refused to boot from secure boot enabled mode .. that (error) message is not part of grub2 and I thought grub2 started window loader already and things|trouble belongs to windows loader's realm ... To be sure that the chainloaded image is the one used by secure boot .. could you please help to dump .. $ efibootmgr -v Let's see which loader we have to use ... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c3
--- Comment #3 from Michael Chang
Here's the error message from the UEFI BIOS:
File: \EFI\Microsoft\Boot\BCD Status: 0xc000000f Info: The Boot Configuration Data for your PC is missing or contains errors
Blame to microsoft? http://www.forumswindows8.com/windows-updates-activation/cant-boot-windows-7... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c4
Michael Chang
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c5
--- Comment #5 from Neil Rickert
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c6
--- Comment #6 from Neil Rickert
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c7
Neil Rickert
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c8
--- Comment #8 from Neil Rickert
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c9
--- Comment #9 from Michael Chang
Created an attachment (id=529547) --> (http://bugzilla.novell.com/attachment.cgi?id=529547) [details] Output of "efibootmgr -v" with secure boot enabled.
This is the "efibootmgr -v" output when secure boot is enabled.
Interesting that we see boot config feed to windows loader via the command options .. Boot0004* Windows Boot Manager HD(1,800,fa000,a0547a0a-57c0-405d-b6b9-a01ca4839f0f)File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}... ................ My guess, when secure boot enabled, windows will protect it's boot config from altered and refuse to boot if any validation failed. When chainload by grub2 (or any other chainloader ..) without a explicit bcd passed it refused to process .. So we don't know how to fix this as apparently we can't debug proprietary software to know what the hell they are doing. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c10
--- Comment #10 from Michael Chang
Created an attachment (id=529544) --> (http://bugzilla.novell.com/attachment.cgi?id=529544) [details] Output of "efibootmgr -v" when secure boot is disabled.
When asking for this output, you probably should specify whether you want it with secure boot enabled or disabled.
Thanks. Next time I will. But in general the secureboot enable|disable shouldn't affect the efibootmgr -v result unless your firmware doing something nasty .. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c11
--- Comment #11 from Michael Chang
When I attempt to boot Windows, is anything checking the Windows signature?
Yes. chainloader will check image's signature if secure boot enabled and won't start any image that is without signature, with wrong signature not trusted by DB or MOK. The exact same mechanism how shim checks grub and grub checks kernel. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c13
Alberto Planas Dominguez
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c14
--- Comment #14 from Alberto Planas Dominguez
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c
Jeffrey Cheung
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c16
Neil Rickert
May I suggest to Neil to confirm the MD5 or SHA1 of the DVD? I see the Problem#1 behavior in pre Build-094 images, but not before.
I checked the PGP signature of the download. I installed it on a USB using "dd_rescue", which seems to do error checking. It reported 0 errors. -------- A quick note: I see this bug flagged as NEEDINFO. I thought that I checked the box to clear that when I provided attachments. Perhaps something went wrong. I'm not seeing anything else that I'm supposed to provide. So I'll clear that again with this comment. If there is still information needed, please repeat the request so that I know what is expected. Thanks. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c17
--- Comment #17 from Neil Rickert
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c18
--- Comment #18 from Thomas Fehr
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c19
--- Comment #19 from Neil Rickert
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c20
--- Comment #20 from Neil Rickert
From memory, let me repeat what happened:
The installer proposed partitioning, which included reformatting "/dev/sdb1" (the efi partition on that disk). I imported my old partitioning. As best I recall, it still wanted to reformat "/dev/sdb1". I considered changing that, but allowed it to go through since Windows is on a different disk. I don't recall checking whether it proposed to reformat "/boot" ("/dev/sdb2"), but I think it didn't. And that is probably another bug. Note that I am using an encrypted LVM, which is why there's a separate "/boot". I looked at "/boot", and it still contains the kernels and initrd files from RC2, which I take to be clear evidence that "/boot" was not reformatted. I should have noticed that during the install, but I was careless. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c21
--- Comment #21 from Thomas Fehr
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c22
Andrey Borzenkov
Formatting is correct
No, this is wrong. ESP is shared resource. If you select existing ESP, you should *NOT* try to format it.
(there are even distros doing that on every bootloader update).
If you chose to *create* new partition for ESP, then formatting it is of course needed. But you should not format it if you select *existing* ESP.
There is nothing preventing you from having multiple boot partitions for multiple operating systems.
Having multiple ESP on the same disk is not clearly defined in specs and is known to cause problems in some cases. Actually 12.3 changed default from always creating private ESP (as was in 12.2) to selecting existing one if available. (In reply to comment #0)
Two problems here - perhaps this needs to be split into two reports.
Yes, it needs. ESP formatting is YaST2 and secure boot is bootloader. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c23
--- Comment #23 from Andrey Borzenkov
It seems to me that the way Windows should be booted, is that grub should tell the UEFI boot manager to select Windows on the next boot, and then it should do a reset to force a new boot. Otherwise, I think suspect that the security of the Windows booting is not checked.
It's not possible to do right now, but somebody else asked about support for EFI variables in grub2. Adding commands to read/write them is relatively trivial and allows grub2 to set one time next boot entry and reboot.(In reply to comment #9)
(In reply to comment #7)
My guess, when secure boot enabled, windows will protect it's boot config from altered and refuse to boot if any validation failed. When chainload by grub2 (or any other chainloader ..) without a explicit bcd passed it refused to process ..
We can extract information from EFI boot variable, I'm just not sure how to pass what is effectively binary object (EFI is using UTF-16 unless I'm mistaken) via grub.cfg. It sounds like extra reboot is probably the most simple solution. (In reply to comment #17)
This is partly guessing. I think I can surmise what is happening.
In my case, there are two hard drives - call the Drive-0 and Drive-1. Window 8 is on Drive-0, and opensuse is on Drive-1.
So you have two ESP, one on each disk?
What seems to be happening, is that the Windows boot is looking for its BCD on Drive-1 rather than on Drive-0.
You can easily test it by reinstalling grub2 on the first disk, where windows is located, and booting from it. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c24
--- Comment #24 from Neil Rickert
From comment 22: (In reply to comment #0)
Two problems here - perhaps this needs to be split into two reports.
Yes, it needs. ESP formatting is YaST2 and secure boot is bootloader.
I'm not sure of the proper way to split a bug report. I tried "Copy to New" but was not clear on how to proceed. So, instead, I have started a new bug report for the formatting issue: Bug 809853 Installer wanted to reformat EFI partition, and failed to reformant "/boot" Further discussion of the formatting problem should go there. The discussion of secure-boot related problems should stay here. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c25
--- Comment #25 from Neil Rickert
You can easily test it by reinstalling grub2 on the first disk, where windows is located, and booting from it.
I'll probably do that later today, and report back on the results. Thanks for the rest of your feedback. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c26
--- Comment #26 from Neil Rickert
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c27
--- Comment #27 from Andrey Borzenkov
Next, I tested booting Windows 8. And that worked fine.
It is not clear - did you try to boot Windows from grub2 menu? Was it successful?
Running "efibootmgr" from the rescue boot does not show any opensuse boot options.
Does your system offer "Boot from file" (often in "Boot maintenance" or "Boot manager" submenu) or access to EFI shell? Then you should be able to start grub2 directly. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c28
--- Comment #28 from Neil Rickert
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c29
--- Comment #29 from Neil Rickert
It is not clear - did you try to boot Windows from grub2 menu? Was it successful?
Yes, with grub2-efi installed in "/dev/sda1", I successfully booted Windows from the grub menu. Secure boot was enabled at the time. That was just before Windows removed the grub entry from nvram. I have since reinstalled grub in "/dev/sdb1" (for my original 12.3 install). I did this using the rescue image, mounting the various file systems, doing a "chroot", then getting into Yast (curses version) and reinstalling the booter. Yast seemed to have all of the defaults correct. That got me back to the earlier status, as reported at the start of this bug report. Namely, Windows appeared in the grub menu, but gave an error when trying to boot. I have since disabled secure boot, and now booting Windows works without problems, as long as I don't enable secure boot. Evidently UEFI is a can of worms, and is going to cause grief to linux users.
Does your system offer "Boot from file" (often in "Boot maintenance" or "Boot manager" submenu) or access to EFI shell?
No, I could not find a way to do that. There is a way to change the boot preference order for nvram boot entries. For that, there's a section "Hard Disk Drivers" with two entries (Currently opensuse-secure and Windows Boot Manager (if I recall correctly). Changing one of those automatically changes the other, so I think this is just setting the boot preference for existing entries. The only change that is possible, is selecting between the two names in each line. It is looking to me as if there can only be one entry with a particular name, so adding "opensuse-secure" to the first disk erased the corresponding entry for the second disk. And it is also looking as if there can be only one entry per physical disk. Adding "opensuse-secure" to the first disk apparently removed the entry for Window. And Windows (which still booted from grub menu) did not like that, and put its entry back, thereby erasing the entry for opensuse-secure. I am now thinking that if I want two opensuse installs, using the two EFI partitions (one per disk), then I should set only one of those to secure boot. That way, one will be called "opensuse-secure" and the other just "opensuse". Hopefully, that would avoid the name conflict. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c30
--- Comment #30 from Andrey Borzenkov
Responding to comment #27
It is not clear - did you try to boot Windows from grub2 menu? Was it successful?
Yes, with grub2-efi installed in "/dev/sda1", I successfully booted Windows from the grub menu. Secure boot was enabled at the time.
OK, so it is not extra boot parameters and must be path to image file. Could you show Windows menu entry? And output of /usr/sbin/grub2-probe --target=fs_uuid --device /dev/sdXX -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c31
--- Comment #31 from Neil Rickert
Could you show Windows menu entry?
This is from grub.cfg on the install that boots from second disk: ---- cut here ---- menuentry 'Windows Boot Manager (on /dev/sda1)' --class windows --class os $menuentry_id_option 'osprober-efi-960A-3282' { insmod part_gpt insmod fat set root='hd0,gpt1' if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt1 --hint-efi=hd0,gpt1 --hint-baremetal=ahci0,gpt1 960A-3282 else search --no-floppy --fs-uuid --set=root 960A-3282 fi chainloader /efi/Microsoft/Boot/bootmgfw.efi } ---- end cut here ---- For the other install, the menu entry is identical, with the exception of the penultimate line, which is: chainloader /EFI/Microsoft/Boot/bootmgfw.efi I am doubting that the change from "efi" to "EFI" is why the second of those works, but I can manually edit grub.cfg and test it. While we are discussing grub.cfg, there's another discrepancy. I now have the two installed systems, and each has a grub.cfg entry to boot the other. But those entries do not specify an "initrd" in the command line. When I boot the alternate opensuse (the one supposedly booting from first disk), but using the grub menu from the one booting from the second disk, there is no plymouth splash, and the prompt for encrypted swap and home gets lost in the noise, though I did manage to boot it. During the brief time the system was booting the other way (from the grub in /dev/sda1), I never actually tested booting the alternative linux. But, without initrd, that would not have worked at all since that install depends on an encrypted LVM for which initrd is a requirement. So there's something wrong with the way that the alternative linux is being picked up for grub.cfg . I'll probably add a manual "configfile" entry as a workaround for that. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c32
--- Comment #32 from Michael Chang
I am now thinking that if I want two opensuse installs, using the two EFI partitions (one per disk), then I should set only one of those to secure boot. That way, one will be called "opensuse-secure" and the other just "opensuse". Hopefully, that would avoid the name conflict.
If you want another openSUSE install in parallel, there's a tip to do that by setting the distributor in yast2 bootloader's loader option. For example setting it to "openSUSE_alt 12.3" (in replace of the proposed openSUSE 12.3) should give you corresponding entries opensuse_alt opebsuse_alt_secureboot In the boot manager and won't collide the entry names. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c33
--- Comment #33 from Michael Chang
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c34
--- Comment #34 from Neil Rickert
setting the distributor in yast2 bootloader's loader option.
Thanks for the suggestion. It had never occurred to me to change that. Comment #33:
Is you bios AMI ?
The computer is a Dell. The BIOS screen says: Aptio American Megatrends BIOS Revision A05 7/26/2012 -------- A general comment. I am trying to understand how to deal with the UEFI environment. It seems that many linux users are having problems. It seems that Windows does not play nicely with other systems. It also looks as if os-prober, as used in grub, is broken. Looking at grub.cfg for my secondary opensuse_alt, I notice that it use "linuxefi" with "initrdefi". But if I look at the main grub.cfg, its attempt to boot the secondary install using "linux" and no "initrd" clause at all. That's broken. I'll probably open a new bug report on that after some more investigation. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c36
--- Comment #36 from Neil Rickert
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c37
Andrey Borzenkov
OK, so it is not extra boot parameters and must be path to image file.
Root device was not correctly set in secureboot code path. @mchang: Michael, could you please help to test the fix. It needs proper signing, so I did not even publish repo. home:arvidjaar:bnc:809038/grub2 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c38
--- Comment #38 from Andrey Borzenkov
It also looks as if os-prober, as used in grub, is broken. Looking at grub.cfg for my secondary opensuse_alt, I notice that it use "linuxefi" with "initrdefi". But if I look at the main grub.cfg, its attempt to boot the secondary install using "linux" and no "initrd" clause at all. That's broken. I'll probably open a new bug report on that after some more investigation.
Yes, please open separate bug report. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c39
--- Comment #39 from Neil Rickert
Yes, please open separate bug report.
Sorry, I forgot to mention that I have already reported this as Bug 810912 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c40
--- Comment #40 from Michael Chang
(In reply to comment #30)
OK, so it is not extra boot parameters and must be path to image file.
Root device was not correctly set in secureboot code path.
Oops . too bad.
@mchang: Michael, could you please help to test the fix. It needs proper signing, so I did not even publish repo.
home:arvidjaar:bnc:809038/grub2
This is tricky right now 1. It seems no way to retrieve the public certificate used to validate the signed image in the user's home project though the osc command or any other means. :( 2. Currently grub2 package only provides server signed binaries (whether signed by SUSE by user's own signkey) we may have to consider providing an unsigned image (say grub2-unsigned.efi) to make things easier for local signing. 3. pesign just aborts badly if --remove-signture (segv. fault).. What I wanted to do is to strip off the signatures in grub.efi and re-signing it with my own local key then end up with this unexpected fail. :( 4. Related to #3, current firmware don't play with multiple signed images so we can't sign an image multiple times. For the time being, I will try to branch your home project to create a unsigned grub2.efi to work my local signing and give the signed image and certificate to Neil for test. The wiki page has more elaborate about the (local) signing and (MOK) key enrolling process. (See booting a custom kernel) http://en.opensuse.org/openSUSE:UEFI -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c41
--- Comment #41 from Michael Chang
1: DO NOT use the EFI partition that is used by Windows. If necessary, create a new EFI partition for this. Otherwise Windows may erase your nvram entry.
It seems not Windows but the firmware erroneously erases the entry during reboot. I ever came across similar problem on a HP workstation with AMI firmware. When asking the AMI people they admit that's a problem but behavior, but they can't reproduce on their own so they conclude OEM's implementation is whom we have blamed on. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c42
--- Comment #42 from Michael Chang
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c43
--- Comment #43 from Andrey Borzenkov
- This step will install grub.efi signed by andrey's home project, you need to enroll his keys(cert.der) to MOK
Somehow I miss the step how to obtain it. The only thing I can get from OBS is PGP key. Is it possible to convert it into required certificate? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c44
Andrey Borzenkov
Somehow I miss the step how to obtain it. The only thing I can get from OBS is PGP key. Is it possible to convert it into required certificate?
OK, I see, you added it to package itself, it is just confusing that you call it grub.der and cert.cer in different places. Neil, if you feel like testing it 1. Add repo zypper ar bnc://arvidjaar:home:bnc:809308/standard bnc809308 zypper refresh bnc809308 zypper dup -r bnc809308 2. You will get /usr/lib64/efi/grub.der. You will need to enroll it in your firmware. May be you need to rename it to grub.cer, not sure. Michael? 3. Then you should be able to boot using new grub in secure mode and test Windows boot. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c45
--- Comment #45 from Michael Chang
(In reply to comment #43)
OK, I see, you added it to package itself, it is just confusing that you call it grub.der and cert.cer in different places.
Arh.. stupid copy & paste errors. Please substitute cert.der and cert.cer into grub.der.
2. You will get /usr/lib64/efi/grub.der. You will need to enroll it in your firmware. May be you need to rename it to grub.cer, not sure. Michael?
Don't need to rename it. :) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c46
--- Comment #46 from Neil Rickert
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c47
--- Comment #47 from Michael Chang
Reply to comment 44
As it happens, the version of opensuse that I can directly boot is using my second hard drive for booting (for its efi partition). So I think I need to change that to:
chainloader (hd1,gpt1)/EFI/opensuse/MokManager.efi
Yes. you need to amend it according to your setup. Just to record here, normally the procedure shouldn't be so much hassle, all you need to do is install the mokutils package and run the command (forgive me if command isnt correct, just an illustration here) $ mokutil --enroll /usr/lib64/efi/grub.der $ reboot To get all things done. Unfortunately mokutil relies on newer efivars fs to work and that support is missing in openSUSE 12.3 kernel, so to use MokManager.efi as a workaround, enrolling key in a preOS env (the design of MokManager.efi is called by shim if no initial MOK present but can be used in general case as well). -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c48
--- Comment #48 from Neil Rickert
It seems not Windows but the firmware erroneously erases the entry during reboot.
Yes, I believe to be true. During my testing, I reinstalled grub on my secondary installation of 12.3, putting it back into the Windows EFI partition, but with the name "opensuse_alt-secure". Immediately following that, I used "efibootmgr" and it showed both the Windows entry and the "opensuse_alt-secure" entry. (The entry for "opensuse-secure", using an EFI partition on the second drive was also there). I then booted into opensuse again. And, "efibootmgr" now showed that the Windows entry was missing. So it looks as if the efi firmware only allows one nvram entry per EFI partition, and enforces this on reboot. I then booted into windows from the entry in grub from my secondary install. And when I next booted the system, the nvram entry for my secondary install (for "opensuse_alt-secure") was gone. But the entry for "opensuse-secure" (my primary install) was there, and I could set that back to be the default. That the efi firmware only allows one entry per EFI partition is not itself a big problem. The really big problem is that Windows then insists on putting its own entry back there. It does not need to do that. I was able to boot Windows without that nvram entry. If not having the nvram entry prevented booting Windows, then I would have needed a repair boot from install media. My rant about Windows: 1: It should not routinely force its entry into the UEFI nvram. That comes across as looking like a monopolistic practice, though I suspect it is really more a matter that they didn't think this through. 2: If they really want everybody to use the Windows Boot Manager, then there needs to be a way to use the Windows Boot Manager to boot another system that is defined in the EFI partition. I could not find a way of doing this, and I could not find anything in their documentation. They do have a provision for OSLOADER entries, but those are defined for loading legacy systems such as with NTLDR. There is actually an entry in the Windows BCD for "opensuse-secure", given the type "firmware application". I tried adding that to the Windows boot menu, but it was ignored. Maybe I could have added as a tool (like their memory checker) and have it available after hitting F8 - I did not test that. I am wondering whether something like the old LOADLIN could be revived in a suitable way to be used as a legacy OSLOADER from the Windows Boot Manager. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c49
--- Comment #49 from Neil Rickert
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c50
--- Comment #50 from Andrey Borzenkov
# zypper ar obs://arvidjaar:home:bnc:809308/standard bnc809308
Sorry, it is day of typos. Name does not matter but URL was all wrong. bor@opensuse:~> sudo zypper ar obs://home:arvidjaar:bnc:809038/standard bnc809038 Добавление репозитория 'bnc809038' .....................................[готово] Репозиторий 'bnc809038' успешно добавлен Включён: Да Автоматическое обновление: Нет Проверка GPG: Да URI: http://download.opensuse.org/repositories/home:/arvidjaar:/bnc:/809038/stand... bor@opensuse:~> sudo zypper refresh bnc809038 Получение метаданных репозитория 'bnc809038' ...........................[готово] Сбор кэша репозитория 'bnc809038' ......................................[готово] Указанные репозитории обновлены. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c51
--- Comment #51 from Neil Rickert
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c52
--- Comment #52 from Michael Chang
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c53
--- Comment #53 from Michael Chang
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c54
--- Comment #54 from Andrey Borzenkov
Hi Andrey,
Please check srid #161087. Thanks.
Is ready. Neil, simply update from the same repo. You probably need to disable secure boot once to be able to boot. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c55
Neil Rickert
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c56
--- Comment #56 from Michael Chang
Michael (comment #52 ):
Yes, I had guessed that there was a problem installing the key. It would be nice if MokManager said something (even a one word "failure" or "success").
As long as the x509 certificate is well formed, MokManager will accept if it's not a duplicate one and spaces for firmware variables are enough. Yeah it should be verbose for the result. :)
Andrey (comment #54 and earlier).
It is now working.
Kudos to Andrey who always fix terrible bugs to us (not only grub2) :D -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c57
--- Comment #57 from Michael Chang
(In reply to comment #37)
(In reply to comment #30)
1. It seems no way to retrieve the public certificate used to validate the signed image in the user's home project though the osc command or any other means. :(
This is incorrect. Instead of packaging certificate to package, osc could retrieve the certificate (PEM format) for us. An example: $ osc cat -M <branched grub2 project> _project _sslcert > grub.crt $ openssl x509 -inform PEM -outform DER -in cert.crt -out grub.der Use above approach I could have grub.der same with the packaged one by examining it. $ openssl x509 -text -inform PEM -in grub.der -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c58
--- Comment #58 from Andrey Borzenkov
This is incorrect. Instead of packaging certificate to package, osc could retrieve the certificate (PEM format) for us. An example:
So we do not need to push your patches to package certificate? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c59
--- Comment #59 from Michael Chang
(In reply to comment #57)
This is incorrect. Instead of packaging certificate to package, osc could retrieve the certificate (PEM format) for us. An example:
So we do not need to push your patches to package certificate?
We still need that patch as the home project could be deleted or somehow not always available. We have to ensure users have the right certificate in his hand (ie not in a remote server). I am going to submit it today. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c60
--- Comment #60 from Michael Chang
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c61
--- Comment #61 from Michael Chang
I presume that when this is eventually pushed out as an update or in 13.1, people won't have to monkey with enrolling keys.
Hi Andrey, Will you commit your fix to factory and 12.3 ?? Thanks. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c62
--- Comment #62 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c63
Andrey Borzenkov
Hi Andrey,
Will you commit your fix to factory and 12.3 ??
Factory: SR#161696 12.3: SR#161694 It does not include your patches to ship certificate; I think it does not belong to maintenance update. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c64
--- Comment #64 from Neil Rickert
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c65
--- Comment #65 from Neil Rickert
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c66
--- Comment #66 from Andrey Borzenkov
Here's what bothers me about all of this:
Please open separate bug report, let's not hijack this one. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c67
Benjamin Brunner
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c68
--- Comment #68 from Benjamin Brunner
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c69
--- Comment #69 from Andrey Borzenkov
Andrey, unfortunately the build for ppc and ppc64 fails.
This is known problem unrelated to this patch. It is fixed in BAse:System (and I believe in Factory) with https://build.opensuse.org/request/show/161028. I can merge this request into 12.3 and resubmit. Is it OK? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c70
--- Comment #70 from Benjamin Brunner
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c71
--- Comment #71 from Andrey Borzenkov
This would be nice. I'll add the new submission to the running update. Thanks.
SR#162255 Not sure how to make only delta-request, it includes both changes. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c72
--- Comment #72 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c74
--- Comment #74 from Andrey Borzenkov
This would be nice. I'll add the new submission to the running update. Thanks.
I may have additionally fix for bnc#810912; may be it makes sense to merge them if it's not too late. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c75
--- Comment #75 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c76
--- Comment #76 from Swamp Workflow Management
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c77
--- Comment #77 from Neil Rickert
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c78
Andrey Borzenkov
The patch for this showed up today. It is broken. Secure-boot no longer works.
This has been reported as bug 814098
Is it the correct bug number? bnc814098 is about encrypted filesystems. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c79
--- Comment #79 from Neil Rickert
https://bugzilla.novell.com/show_bug.cgi?id=809038
https://bugzilla.novell.com/show_bug.cgi?id=809038#c80
Michael Chang
participants (1)
-
bugzilla_noreply@novell.com