[Bug 814756] New: Today's update to grub2-efi is broken. It needs to be pulled.
https://bugzilla.novell.com/show_bug.cgi?id=814756 https://bugzilla.novell.com/show_bug.cgi?id=814756#c0 Summary: Today's update to grub2-efi is broken. It needs to be pulled. Classification: openSUSE Product: openSUSE 12.3 Version: Final Platform: x86-64 OS/Version: openSUSE 12.3 Status: NEW Severity: Normal Priority: P5 - None Component: Bootloader AssignedTo: jsrain@suse.com ReportedBy: nrickert@ameritech.net QAContact: jsrain@suse.com Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) rekonq/2.1 Safari/534.34 An update today to grub2-efi 2.00-19.13.1 results in secure-boot failing. So secure-boot has to be disabled in order to boot into the system. See forum discussion at https://forums.opensuse.org/english/get-technical-help-here/install-boot-log... In my case, I have two installs of opensuse. I applied the update to only one of those (the one that was not used for testing bug 809038). With secure boot enable, a boot entry for this install did not show up. I could only boot the other install, or boot this install indirectly using the grub menu for the other install). With secure boot disabled, both installs are accessible from the UEFI menu, and it defaults to booting to the one where I applied the update. Reproducible: Always Steps to Reproduce: 1. 2. 3. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=814756 https://bugzilla.novell.com/show_bug.cgi?id=814756#c1 Marcus Meissner <meissner@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P1 - Urgent CC| |arvidjaar@gmail.com, | |mchang@suse.com, | |meissner@suse.com AssignedTo|jsrain@suse.com |mchang@suse.com Severity|Normal |Major --- Comment #1 from Marcus Meissner <meissner@suse.com> 2013-04-11 05:49:03 UTC --- I just did pull it. top of changes is ------------------------------------------------------------------- Wed Apr 3 10:56:50 UTC 2013 - mchang@suse.com - refresh grub2-secureboot-chainloader.patch: Fix wrongly aligned buffer address (bnc#811608) ------------------------------------------------------------------- Mon Mar 25 17:37:59 UTC 2013 - dvaleev@suse.com - extraconfigure macro is not defined on ppc ------------------------------------------------------------------- Sat Mar 23 18:31:07 UTC 2013 - arvidjaar@gmail.com - corretly set chainloaded image device handle in secure boot mode (bnc#809038) (modified grub2-secureboot-chainloader.patch) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=814756 https://bugzilla.novell.com/show_bug.cgi?id=814756#c2 --- Comment #2 from Marcus Meissner <meissner@suse.com> 2013-04-11 05:52:58 UTC --- The test binaries still live in openSUSE:Maintenance:1528 http://download.opensuse.org/repositories/openSUSE:/Maintenance:/1528/openSU... if someone wants to check. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=814756 https://bugzilla.novell.com/show_bug.cgi?id=814756#c3 --- Comment #3 from Michael Chang <mchang@suse.com> 2013-04-11 05:58:13 UTC --- Could maintenance team check the sign key is correct? Looks like the efi loader is not signed by SUSE Secureboot CA ...? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=814756 https://bugzilla.novell.com/show_bug.cgi?id=814756#c4 --- Comment #4 from Michael Chang <mchang@suse.com> 2013-04-11 06:11:45 UTC --- Confirmed that it's not signed by "openSUSE Secure Boot CA" but openSUSE:Maintenance OBS Project. :( output from pesign -S --------------------------------------------- Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is openSUSE:Maintenance OBS Project The signer's email address is opensuse:maintenance@build.opensuse.org Signing time: Wed Apr 03, 2013 There were certs or crls included. --------------------------------------------- -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=814756 https://bugzilla.novell.com/show_bug.cgi?id=814756#c5 --- Comment #5 from Andrey Borzenkov <arvidjaar@gmail.com> 2013-04-11 06:19:45 UTC --- Is it possible to query/see certificate using osc/OBS API? osc --signkey apparently returns something different (RPM signature key?) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=814756 https://bugzilla.novell.com/show_bug.cgi?id=814756#c6 Marcus Meissner <meissner@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mls@suse.com --- Comment #6 from Marcus Meissner <meissner@suse.com> 2013-04-11 07:07:43 UTC --- We checked this in after we fixed the signing keys in openSUSE:Maintenance:* I hoped. Apparently something is still amiss. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=814756 https://bugzilla.novell.com/show_bug.cgi?id=814756#c7 --- Comment #7 from Michael Schröder <mls@suse.com> 2013-04-11 09:17:17 UTC --- No you didn't. The packages were built Apr 3rd, I fixed the cert Apr 4th. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=814756 https://bugzilla.novell.com/show_bug.cgi?id=814756#c8 --- Comment #8 from Marcus Meissner <meissner@suse.com> 2013-04-11 10:14:48 UTC --- oh. can you check if the signing in openSUSE:Maintenance:1577 http://download.opensuse.org/repositories/openSUSE:/Maintenance:/1577/openSU... is ok? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=814756 https://bugzilla.novell.com/show_bug.cgi?id=814756#c9 --- Comment #9 from Michael Chang <mchang@suse.com> 2013-04-12 06:39:26 UTC --- It's ok per the pesign output. And I did a quick test on it without problem (WORKS_FOR_ME). --------------------------------------------- Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is openSUSE Secure Boot Signkey The signer's email address is build@opensuse.org Signing time: Thu Apr 11, 2013 There were certs or crls included. --------------------------------------------- Thanks. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=814756 https://bugzilla.novell.com/show_bug.cgi?id=814756#c10 --- Comment #10 from Michael Chang <mchang@suse.com> 2013-04-26 06:18:55 UTC --- Anyone here can help to confirm that the issue can be closed or not? Thanks. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=814756 https://bugzilla.novell.com/show_bug.cgi?id=814756#c11 Marcus Meissner <meissner@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED --- Comment #11 from Marcus Meissner <meissner@suse.com> 2013-04-26 06:58:15 UTC --- we got a grub2 update tested (not yet released) with secure boot, so i think its good now. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@novell.com