[Bug 1191989] New: [Tumbleweed][20210123][aarch64][Secureboot] Installation failed with secureboot=enabled
https://bugzilla.suse.com/show_bug.cgi?id=1191989

Bug ID: 1191989
Summary: [Tumbleweed][20210123][aarch64][Secureboot] Installation failed with secureboot=enabled
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: aarch64
OS: openSUSE Tumbleweed
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Bootloader
Assignee: screening-team-bugs@suse.de
Reporter: richard.fan@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Hi TW developer,

Can you please take a look at this issue?

I tried to install a Tumbleweed VM on the aarch64 platform with secureboot=enabled. However, it seems there is a boot failure there:
https://openqa.opensuse.org/tests/1989457#step/bootloader_uefi/6

===============================================
The aavmf binaries used:
/usr/share/qemu/aavmf-aarch64-ms-code.bin
/usr/share/qemu/aavmf-aarch64-ms-vars.bin
===============================================

SLE passed: http://openqa.suse.de/tests/7506614

Do we have some plan to support Secureboot on the aarch64 platform for TW?

BR//Richard.

--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1191989

Richard Fan <richard.fan@suse.com> changed:

What     |Removed                      |Added
----------------------------------------------------------------------------
CC       |                             |bchou@suse.com,
         |                             |llzhao@suse.com,
         |                             |weixuan.hao@suse.com,
         |                             |xiaojing.liu@suse.com,
         |                             |ysun@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1191989

Chenzi Cao <chcao@suse.com> changed:

What     |Removed                      |Added
----------------------------------------------------------------------------
Assignee |screening-team-bugs@suse.de  |snwint@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1191989#c1

Steffen Winterfeldt <snwint@suse.com> changed:

What     |Removed                      |Added
----------------------------------------------------------------------------
CC       |                             |snwint@suse.com
Assignee |snwint@suse.com              |guillaume.gardet@arm.com

--- Comment #1 from Steffen Winterfeldt <snwint@suse.com> ---
Guillaume, do you know?
https://bugzilla.suse.com/show_bug.cgi?id=1191989#c2

Guillaume GARDET <guillaume.gardet@arm.com> changed:

What       |Removed                    |Added
----------------------------------------------------------------------------
Status     |NEW                        |RESOLVED
CC         |                           |afaerber@suse.com,
           |                           |dmueller@suse.com
Resolution |---                        |FIXED

--- Comment #2 from Guillaume GARDET <guillaume.gardet@arm.com> ---
Secureboot on aarch64 works, but nothing is signed by Microsoft. So, you need to use openSUSE keys for Tumbleweed.
This is tested in openQA, see: https://openqa.opensuse.org/tests/1989487
https://bugzilla.suse.com/show_bug.cgi?id=1191989#c3

--- Comment #3 from Richard Fan <richard.fan@suse.com> ---
(In reply to Guillaume GARDET from comment #2)
> Secureboot on aarch64 works, but nothing is signed by Microsoft. So, you need to use openSUSE keys for Tumbleweed.
> This is tested in openQA, see: https://openqa.opensuse.org/tests/1989487

Thanks Guillaume for the quick update! Glad to know the link.

Before closing this bug, I want to ask for your kind confirmation: do we have some plan to use the signing key from MS?
https://bugzilla.suse.com/show_bug.cgi?id=1191989

Richard Fan <richard.fan@suse.com> changed:

What     |Removed                      |Added
----------------------------------------------------------------------------
CC       |                             |guillaume.gardet@arm.com
Flags    |                             |needinfo?(guillaume.gardet@arm.com)
https://bugzilla.suse.com/show_bug.cgi?id=1191989#c4

Guillaume GARDET <guillaume.gardet@arm.com> changed:

What     |Removed                              |Added
----------------------------------------------------------------------------
Flags    |needinfo?(guillaume.gardet@arm.com)  |needinfo?(afaerber@suse.com)

--- Comment #4 from Guillaume GARDET <guillaume.gardet@arm.com> ---
Andreas (in CC) may have more up-to-date information about the possibility to get a shim for aarch64 signed with MS key.
https://bugzilla.suse.com/show_bug.cgi?id=1191989#c5

Andreas Färber <afaerber@suse.com> changed:

What     |Removed                      |Added
----------------------------------------------------------------------------
CC       |                             |dleuenberger@suse.com,
         |                             |jlee@suse.com,
         |                             |jsegitz@suse.com
Flags    |needinfo?(afaerber@suse.com) |needinfo?(jsegitz@suse.com)

--- Comment #5 from Andreas Färber <afaerber@suse.com> ---
Is this something we don't do for Tumbleweed in general or just not for aarch64?

I think "FIXED" is not the right resolution here - either "INVALID" or "WONTFIX".
https://bugzilla.suse.com/show_bug.cgi?id=1191989#c6

--- Comment #6 from Guillaume GARDET <guillaume.gardet@arm.com> ---
openSUSE key is required for Tumbleweed on aarch64.
Tumbleweed on x86_64 uses MS key for the shim.
https://bugzilla.suse.com/show_bug.cgi?id=1191989#c7

Johannes Segitz <jsegitz@suse.com> changed:

What     |Removed                      |Added
----------------------------------------------------------------------------
Flags    |needinfo?(jsegitz@suse.com)  |

--- Comment #7 from Johannes Segitz <jsegitz@suse.com> ---
We can get a signed shim for aarch64. I would suggest we do it with the next regular submission.
https://bugzilla.suse.com/show_bug.cgi?id=1191989#c8

--- Comment #8 from Joey Lee <jlee@suse.com> ---
The _real_ shim of TW is from the latest Leap. The shim-leap package is used to repackage the MS-signed shim from Leap. Currently shim-leap only repackages the x86_64 shim. If we want to support an MS-signed shim on aarch64, then the spec file of shim-leap must be modified to also repackage the MS-signed shim from Leap aarch64.

So, the shim of openSUSE Leap aarch64 must be sent to MS for signing first. Then we repackage it with shim-leap for TW aarch64.
https://bugzilla.suse.com/show_bug.cgi?id=1191989#c9

--- Comment #9 from Richard Fan <richard.fan@suse.com> ---
(In reply to Joey Lee from comment #8)
> The _real_ shim of TW is from the latest Leap. The shim-leap package is used to repackage the MS-signed shim from Leap. Currently shim-leap only repackages the x86_64 shim. If we want to support an MS-signed shim on aarch64, then the spec file of shim-leap must be modified to also repackage the MS-signed shim from Leap aarch64.
>
> So, the shim of openSUSE Leap aarch64 must be sent to MS for signing first. Then we repackage it with shim-leap for TW aarch64.

Thanks Joey for the detailed information; that is the reason why I filed the bug. If we have a plan to support the MS sign key, I can use the corresponding aavmf binaries then.

Anyway, I can move on with my tests with the openSUSE key.