[Bug 954126] New: Unable to boot Windows partition when SecureBoot is enabled
http://bugzilla.opensuse.org/show_bug.cgi?id=954126 Bug ID: 954126 Summary: Unable to boot Windows partition when SecureBoot is enabled Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.1 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Bootloader Assignee: jsrain@suse.com Reporter: ldav1s@yahoo.com QA Contact: jsrain@suse.com Found By: --- Blocker: --- I have a Lenovo E545 laptop which I had two bootable partitions: Windows 8.1 and had openSUSE 13.2 (x86_64). I then upgraded to Leap 42.1, which seemed to go without error. I noticed on system restart that the Windows partition vanished from the boot menu, so I went into the YaST Boot Manager and rewrote the list, and the Windows partition reappeared. Now when I boot the Windows partition with SecureBoot enabled I get something like this thread https://forums.opensuse.org/showthread.php/510685-openSUSE-Leap-42-1-Windows... describes: /EndEntire file path: /ACPI(a0341d0,0)/PCI(0,11)/Sata(0,0,0)/HD(2,1f4800,82000,908ea519918d9d41,2,2)/File(\EFI\Microsoft\Boot) /File(bootmgfw.efi)/EndEntire error: Not supported image. Press any key to continue... And as that post says this used to work (boot Windows) with SecureBoot enabled with openSUSE 13.2. After installing Leap, I must disable SecureBoot to boot the Windows partition. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c1
Enrique Garcia
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c2
--- Comment #2 from Enrique Garcia
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
Andrei Borzenkov
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
bill morgart
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c3
Neil Rickert
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c4
--- Comment #4 from Enrique Garcia
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c5
--- Comment #5 from Andrei Borzenkov
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c6
Andrei Borzenkov
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c7
Andrei Borzenkov
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c8
--- Comment #8 from Leo Davis
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
Sebastian Schubert
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c9
Roger Luedecke
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c10
--- Comment #10 from Andrei Borzenkov
I tried the suggested steps in Comment 7. In SecureBoot mode I never get to GRUB, it just keeps booting. It boots OK with SecureBoot off.
Did you enroll GRUB signing key? It is private build, so it is not signed by openSUSE key. (In reply to Roger Luedecke from comment #9)
I'd like to help with testing, but firstly I need to make sure I can keep a working system as I have only the one computer.
Sorry, I do not understand the question. If you already have dual boot, then nothing changes for you. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c11
--- Comment #11 from Enrique Garcia
Please test version with patch disabled (sorry, bug number is wrong, typo).
zypper ar obs://home:arvidjaar:bnc:964126/standard boo954126 zypper refresh boo954126 zypper dup -r boo954126
You will need to import /usr/lib64/efi/grub.der after that using either mokutil or boot time MokManager.
I made the update with zypper and installed the grub.der certificate into my system, but I am unable to boot using secure boot. During boot the following message is shown: "Verification failed: (15) Access Denied". I don't really know if a made a mistake during the process because it's the first time I manually install a certificate to boot my system. However, the certificate seems to be installed because it's listed with the command "mokutil --list-enrolled" (actually it shows twice, so I suppose I installed it twice also). I made a rollback so I am still able to use secure boot with the mix of 42.1 and 13.2 files. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c12
--- Comment #12 from Andrei Borzenkov
I made the update with zypper and installed the grub.der certificate into my system, but I am unable to boot using secure boot. During boot the following message is shown: "Verification failed: (15) Access Denied".
Did you enrolled certificate before or after installing my GRUB? Certificate comes with new package.
I don't really know if a made a mistake during the process because it's the first time I manually install a certificate to boot my system. However, the certificate seems to be installed because it's listed with the command "mokutil --list-enrolled" (actually it shows twice, so I suppose I installed it twice also).
Try using MokManager; copy certificate to ESP and start MokManager there. Just to be sure to eliminate mokutil problem. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c13
--- Comment #13 from Enrique Garcia
Did you enrolled certificate before or after installing my GRUB? Certificate comes with new package.
After. The .cer file is in the path you mentioned and the sha1sum of the file is "ee4faab497e33c14b61d00354e8a2ec5e469821c"; the same sha1 fingerprint is shown by "mokutil -l".
Try using MokManager; copy certificate to ESP and start MokManager there. Just to be sure to eliminate mokutil problem.
I installed using MokManager using grub2 boot menu. I repeated the process removing the certificate and installing it again. Same result as before: "Verification failed: (15) Access Denied". In addition, I didn't mention it before I get more messages as I hit enter "Could not install security protocol: (2) Invalid Parameter". -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c14
--- Comment #14 from Leo Davis
(In reply to Leo Davis from comment #8)
I tried the suggested steps in Comment 7. In SecureBoot mode I never get to GRUB, it just keeps booting. It boots OK with SecureBoot off.
Did you enroll GRUB signing key? It is private build, so it is not signed by openSUSE key.
I did these steps: zypper ar obs://home:arvidjaar:bnc:964126/standard boo954126 zypper refresh boo954126 zypper dup -r boo954126 Then: mokutil --import /usr/lib64/efi/grub.der entered a password twice. I rebooted. On reboot, I viewed the new key in MokManager signed by arvidjaar which looked like it matched the info in the newly installed /usr/lib64/efi/grub.der. It asked me for the password, which I supplied. I rebooted, enabled SecureBoot and got into a boot loop where I can't even get to GRUB. After disabling SecureBoot, I was able to boot to GRUB and boot the system. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c15
Andrei Borzenkov
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c16
--- Comment #16 from Enrique Garcia
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c17
Gary Ching-Pang Lin
It actually looks like shim is simply ignoring any enrolled key. Leap shim is not able to load anything except grub.efi shipped with openSUSE, even though my key is claimed to be enrolled.
Same problem with Ubunut 14.04 shim BTW. Ubuntu has shim 0.8 and Leap shim 0.9. But with both of them I am not able to load anything signed by non-default key. I am able to load another shim which is signed by Microsoft though ...
This makes it rather hard to test anything. Gary, are there any known issues here? I try to test custom grub2 and shim cannot verify image although I enrolled my custom key (packaged with grub2) using MokManager.
In case you're using the key from open build service. There is a known issue that the updated openssl(1.0.2d) in shim checks the key attributes more strictly. The open build service used to generate the self-signed key without the "key signing" attribute. It's accepted by openssl-0.9.8* but openssl-1.0.* treats it as an invalid key. The open build service already fixed the key attribute but the user has to do "osc signkey --extend" to update the key attribute and enroll the updated key. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
Gary Ching-Pang Lin
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c18
--- Comment #18 from Michael Chang
OK, I found bootmgfw.efi, and it confirms it. The problem is in grub2-efi-chainload-harder.patch that adds check for valid PE32+ header; but this check is wrong.
if (grub_memcmp (pe32->signature, "PE\0\0", 4) != 0
pe32 header is not located at fixed address. pe32 is of type grub_pe32_header and expects header at offset 0x80; but botomgfw.efi has header at offset 0xe0. See PE COFF specification. Code should fetch header address at fixed offset 0x3b.
You're right, we should check msdos header from offset 0x3c for looking up file offset of pe header. I was misguided by this comment in include/grub/efi/pe32.h so that I went straight to ignore the msdos header. And it happened to work well with my testing with xen.efi. :( /* The MSDOS compatibility stub. This was copied from the output of objcopy, and it is not necessary to care about what this means. */ I'm going to build a test package. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
Jiri Srain
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c19
Christopher Cimiluca
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c20
--- Comment #20 from Michael Chang
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
Raul Malea
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c21
--- Comment #21 from Michael Chang
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c22
--- Comment #22 from Andrei Borzenkov
PS. I also tested with shim 0.9, but did not have the verification problem issue in comment#15.
The problem was in certificate that had been used, not in shim itself. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c23
--- Comment #23 from Michael Chang
(In reply to Andrei Borzenkov from comment #15)
In case you're using the key from open build service. There is a known issue that the updated openssl(1.0.2d) in shim checks the key attributes more strictly. The open build service used to generate the self-signed key without the "key signing" attribute. It's accepted by openssl-0.9.8* but openssl-1.0.* treats it as an invalid key. The open build service already fixed the key attribute but the user has to do "osc signkey --extend" to update the key attribute and enroll the updated key.
How to check that? Is it "Code Signing" from x509 output ? $ openssl x509 -text -noout -inform der -in /usr/lib64/efi/grub.de ... X509v3 Extended Key Usage: Code Signing ... -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c24
--- Comment #24 from Michael Chang
(In reply to Michael Chang from comment #21)
The problem was in certificate that had been used, not in shim itself.
It's "shim 0.9(aka new openssl) + certificate problem", from your conversation with Gary it seems to me new shim is too picky on certificates in use, but mine just works that I do not know why. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c25
--- Comment #25 from Andrei Borzenkov
How to check that? Is it "Code Signing" from x509 output ?
As I understand it should be "Certificate Sign" X509v3 Key Usage: critical Certificate Sign, CRL Sign At least this was the only difference between old and new OBS certificates. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c26
--- Comment #26 from Enrique Garcia
Hi All,
The testing repo is published
http://download.opensuse.org/repositories/home:/michael-chang:/bsc954126/ standard/
Here is step to test:
1. zypper ar --repo http://download.opensuse.org/repositories/home:/michael-chang:/bsc954126/ standard/home:michael-chang:bsc954126.repo
2. zypper dup -r home_michael-chang_bsc954126
3. mokutil --import /usr/lib64/efi/grub.der
4. Input password to be used in MokManager for enrolling keys later
5. mokutil --list-new # To check your enrolled key in step 3 is successful
6. Reboot
7. You should see MokManager UI (ncurses like) and from that selecting "Enroll MOK", type the password in step4 and system will reboot again.
8. Enable "Secure Boot"
9. Test
10. If it doe not work, boot to the system and run "mokutil --list-enrolled" to check that keys are enrolled correctly by step7.
PS. I also tested with shim 0.9, but did not have the verification problem issue in comment#15. I still like to know the result as my testing was done by a bootmgfw.efi downloaded from internet, not by a real shipped one. And some post processing like strip it's existing certificate which seems not work, and resign the image with self-signed certificate.
Thanks.
I followed your instructions to test the patch. It worked like a charm. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c27
--- Comment #27 from Leo Davis
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c28
--- Comment #28 from Andrei Borzenkov
In the BIOS there's an additional BIOS setting that has to be set called "Reset to Setup Mode" before things will work. Otherwise, it will boot in a loop.
Are you sure you tested it with Secure Boot still enabled? "Setup Mode" effectively disables Secure Boot. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c29
--- Comment #29 from Leo Davis
(In reply to Leo Davis from comment #27)
In the BIOS there's an additional BIOS setting that has to be set called "Reset to Setup Mode" before things will work. Otherwise, it will boot in a loop.
Are you sure you tested it with Secure Boot still enabled? "Setup Mode" effectively disables Secure Boot.
I am sure it was still enabled when I booted. But to double check, I disabled SecureBoot in the BIOS, booted to GRUB, restarted, enabled SecureBoot again, booted to GRUB, selected the Windows partition, and booted Windows OK. It would require more investigation to see if SecureBoot is really on or not, but the BIOS said it was both times I booted. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c30
--- Comment #30 from Andrei Borzenkov
It would require more investigation to see if SecureBoot is really on or not
In Linux you could use "mokutil --sb-state". -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c31
--- Comment #31 from Leo Davis
(In reply to Leo Davis from comment #29)
It would require more investigation to see if SecureBoot is really on or not
In Linux you could use "mokutil --sb-state".
You were right, SecureBoot was not enabled. When I re-enabled it I was not able to boot GRUB (booted in a loop). I did a "mokutil --reset" and rebooted, did the reset in MokManager, rebooted, reran the sequence of steps from step 5 in comment 21. I was not able to boot to GRUB after that either (booted in a loop). -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c32
Andrei Borzenkov
You were right, SecureBoot was not enabled. When I re-enabled it I was not able to boot GRUB (booted in a loop). I did a "mokutil --reset" and rebooted, did the reset in MokManager, rebooted, reran the sequence of steps from step 5 in comment 21. I was not able to boot to GRUB after that either (booted in a loop).
Could you explain in more details what happens when you boot? Do you see any error message? Does GRUB menu appear? Also could you boot with secure boot disabled and provide output of "efibootmgr -v"? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c33
Leo Davis
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c34
--- Comment #34 from Leo Davis
Could you explain in more details what happens when you boot?
When SecureBoot is enabled: The fans in the laptop spin up, and the Lenovo BIOS boot screen is displayed. Then the screen goes black and the fans spin down. Then this process repeats. When SecureBoot is disabled: The fans in the laptop spin up, and the Lenovo BIOS boot screen is displayed. The GRUB bootscreen is displayed and the fans spin down. I can boot both Windows and openSUSE from GRUB.
Do you see any error message?
No.
Does GRUB menu appear?
No.
Also could you boot with secure boot disabled and provide output of "efibootmgr -v"?
I've added this output as an attachment. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c35
Andrei Borzenkov
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c36
Leo Davis
So I try to summarize. You had Leap installed and were able to boot openSUSE with Secure Boot enabled. Is it correct?
A short recap: I had opensuse 13.2 installed and was able to boot to GRUB, then Windows (or openSUSE) with SecureBoot enabled. I upgraded to Leap 42.1 and was able to boot to GRUB, then to openSUSE, but not Windows with SecureBoot enabled. I then updated to the first test version and I was not able to boot to GRUB with SecureBoot enabled. No errors were visible, IIRC. The system kept rebooting. I then updated to the second test version and I was not able to boot to GRUB with SecureBoot enabled. No errors are displayed. The system kept rebooting.
After update of grub2 to test version you can no more boot with Secure Boot enabled - system keeps rebooting silently without any errors. Is it correct?
With SecureBoot enabled, that is correct. I cannot boot even to GRUB. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
Olivier Nicolas
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
Matthias Gensler
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c37
--- Comment #37 from Roger Luedecke
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c38
Michael Chang
(In reply to Andrei Borzenkov from comment #35)
So I try to summarize. You had Leap installed and were able to boot openSUSE with Secure Boot enabled. Is it correct?
After update of grub2 to test version you can no more boot with Secure Boot enabled - system keeps rebooting silently without any errors. Is it correct?
With SecureBoot enabled, that is correct. I cannot boot even to GRUB.
I did not know why the changes would cause you the new troubles, as the changes were made in chainloader commad which won't be executed during start-up thus won't affect it at all. Is it possible that you performed reset in setup mode that the preloaded Windows keys were cleared, thus can't really verify anything if secure boot enabled? Please help to provide outputs for these commands? mokutil --pk mokutil --kek mokutil --db Thanks. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c39
--- Comment #39 from Michael Chang
I'm not able to get back into my LEAP install. Using the install media, it is not showing the good ol' "boot from hard drive" option.
As far as I know that option is not provided for UEFI but only legacy mode. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c40
Leo Davis
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c41
--- Comment #41 from Leo Davis
(In reply to Leo Davis from comment #36)
(In reply to Andrei Borzenkov from comment #35)
So I try to summarize. You had Leap installed and were able to boot openSUSE with Secure Boot enabled. Is it correct?
After update of grub2 to test version you can no more boot with Secure Boot enabled - system keeps rebooting silently without any errors. Is it correct?
With SecureBoot enabled, that is correct. I cannot boot even to GRUB.
I did not know why the changes would cause you the new troubles, as the changes were made in chainloader commad which won't be executed during start-up thus won't affect it at all.
Is it possible that you performed reset in setup mode that the preloaded Windows keys were cleared, thus can't really verify anything if secure boot enabled?
Please help to provide outputs for these commands?
mokutil --pk mokutil --kek mokutil --db
Thanks.
I was unable to boot to GRUB with both the first fix and the second fix before I performed the reset (with SecureBoot enabled). After the reset with the second fix I'm unable to boot to GRUB. I'm unsure of what qualifies as "new". -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c43
--- Comment #43 from Leo Davis
(In reply to Leo Davis from comment #41)
I was unable to boot to GRUB with both the first fix and the second fix before I performed the reset (with SecureBoot enabled). After the reset with the second fix I'm unable to boot to GRUB. I'm unsure of what qualifies as "new".
You probably encountered boo#950569 which caused shim failed to load grub2. Although I had the fix already, I'm still waiting for the new shim signature. You could replace shim.efi with the openSUSE 13.2 shim.efi as a temporary workaround.
The symptoms of boo#950569 sound different, AIUI. That bug from the reports I saw seems to hang on boot (with SecureBoot enabled). After the I upgraded to Leap 42.1 could boot openSUSE (but not Windows). The subsequent attempts to fix don't hang my laptop on boot, they immediately reboot (before GRUB), and reboot, and reboot... I don't seem to get any artifacts like the blinking cursor they describe. But then my display gets redrawn pretty quickly because of the reboot. The shim.efi from openSUSE 13.2 would probably work. It did before. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c44
--- Comment #44 from Andrei Borzenkov
The shim.efi from openSUSE 13.2 would probably work. It did before.
It would really helpful if you tried it. We really need to separate two issues. Also does reverting to original Leap 42.1 grub2 work? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c45
--- Comment #45 from Leo Davis
(In reply to Leo Davis from comment #43)
The shim.efi from openSUSE 13.2 would probably work. It did before.
It would really helpful if you tried it. We really need to separate two issues.
I tried new tests tonight with the old 13.2 shim. shim-13.2 is shim.efi (shim-opensuse.efi) from shim-0.7.318.81ee561d-3.4.1.x86_64.rpm shim is shim.efi from 42.1 shim-0.9-2.1.x86_64.rpm So here's what we've determined from my laptop (SecureBoot is enabled on all these): shim-42.1 + original 42.1 grub2 boots to GRUB, opensuse, Windows fails This prompted the original bug report. shim-42.1 + new grub2 reboots What I've been talking about from comment 31 onwards. shim-13.2 + new grub2 boots to GRUB, opensuse, Windows shim-13.2 + original grub2 (2.02~beta2-68.2) had the 42.1 shim after reinstall of grub2, so I recopied the 13.2 shim.efi boots to GRUB, openSUSE, Windows fails
Also does reverting to original Leap 42.1 grub2 work?
No. The error screen and behavior look very similar if not identical to the original bug report. The good news is that the new fixes in grub2 seem to work. The bad news is that you can't seem to get to them with the (original) 42.1 shim installed. Sorry this didn't seem to simplify anything. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c46
Michael Chang
(In reply to Andrei Borzenkov from comment #44)
(In reply to Leo Davis from comment #43)
The good news is that the new fixes in grub2 seem to work. The bad news is that you can't seem to get to them with the (original) 42.1 shim installed. Sorry this didn't seem to simplify anything.
Let's track shim as separate issue in boo#950569 and waiting for new signature update from Microsoft. For $subject, I think it's fixed and will be available as Leap maintenance update. Thanks. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c49
Marcus Furlong
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c52
Leo Davis
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c53
--- Comment #53 from Neil Rickert
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c54
--- Comment #54 from Leo Davis
REsponding to c#52
As I understand it, this is fixed in a technical sense, but we are still awaiting an update to Leap 42.1 which will provide the fix there. I'm expecting it within the next few days.
If you know how to get them, then using "shim.efi" and "grub.efi" from Tumbleweed will provide a temporary fix (that's what I am doing). Just copy those two files to "/boot/efi/EFI/opensuse". I think we actually do already have the fixed "shim.efi" in 42.1 systems, so you probably only need the "grub.efi" from Tumbleweed.
I downloaded the current grub.efi from http://download.opensuse.org/tumbleweed/repo/oss/EFI/BOOT/grub.efi and copied it to /boot/efi/EFI/opensuse. With that I was finally able to boot Windows with SecureBoot enabled, so for me at least it is now fixed. Thanks to everyone who worked on this! -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c55
--- Comment #55 from Roger Luedecke
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c56
--- Comment #56 from Neil Rickert
mv: failed to preserve ownership for ‘/boot/efi/EFI/opensuse/grub.efi’: Operation not permitted
It should be okay to ignore that message. It would have been better to use "cp" instead of "mv", and then you would not get the message. What happened there, is that the EFI partition uses the FAT file system, which does not support the unix idea of file owner. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c62
--- Comment #62 from Neil Rickert
Once the update is applied to Leap, do you expect it to work out of the box, or is there a procedure to enable boot on Windows?
I'm not quite sure what you are asking. Once the update is applied, you will be able to boot Windows from the grub2 boot menu entry. You don't have to do anything else. If you had disabled secure-boot in your firmware, you might want to turn that on again. The update won't do that -- you will have to get into firmware settings. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=954126
http://bugzilla.opensuse.org/show_bug.cgi?id=954126#c63
--- Comment #63 from Leo Davis
Resolved fixed again according to comment#54. Btw the Leap maintenance update for this problem has rolled out, please reopen if it did not work for you.
I applied the Leap maintenance update, checked to make sure that /boot/efi/EFI/opensuse/grub.efi matched the update (AFAICT it did), and rebooted. Both Leap and Windows boot with SecureBoot enabled. Thanks again! -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@novell.com