[Bug 999818] New: Enabling secure boot causes shim-install to fail
http://bugzilla.opensuse.org/show_bug.cgi?id=999818

Bug ID: 999818
Summary: Enabling secure boot causes shim-install to fail
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Bootloader
Assignee: jsrain@suse.com
Reporter: gtettamanzi@gmail.com
QA Contact: jsrain@suse.com
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Build Identifier:

I'm trying to dual boot W10 and TBW (snapshot 20160913). The two OSes are on two separate physical disks. If I tick "Enable secure boot", which I suppose is needed to boot a UEFI system, with bootloader set to "GRUB2 for EFI" and Protective MBR flag to "Do not change", the bootloader returns the following error:

Error
Execution of command "[["/usr/sbin/shim-install","--config-file=/boot/grub2/grub.cfg","--no-nvram","--removable""]]" failed.
Exit code: 1
Error output: Unrecognized option '--no-nvram'

shim version: 0.9-5.30

I've checked shim-install options out and no-nvram is not listed within them.

Reproducible: Always

Steps to Reproduce:
As described above.

Actual Results:
Secure boot support is not enabled

Expected Results:
Secure boot support enabled

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=999818#c1
Josef Reidinger
http://bugzilla.opensuse.org/show_bug.cgi?id=999818#c2
Gabriele Tettamanzi
http://bugzilla.opensuse.org/show_bug.cgi?id=999818#c3
Josef Reidinger
http://bugzilla.opensuse.org/show_bug.cgi?id=999818#c4
Michael Chang
http://bugzilla.opensuse.org/show_bug.cgi?id=999818#c5
Josef Reidinger
Hi Josef,
In efi, the --removable covers the case of --no-nvram. Here is what it does to get installation on removable disks.
1. Copy efi loaders to default loader path on ESP
2. Prevent modifying EFI boot variables, then firmware will boot the default loader on this (removable) disk.
So it's fine to replace
    cmd << "--no-nvram" << "--removable" if removable_efi?
With:
    cmd << "--removable" if removable_efi?
For PowerPC, specifying --removable to grub2-install basically triggers an error because it is only available on EFI. You can still use --no-nvram to prevent updating nvram, i.e., for not changing the default boot device for OFW.
Thanks.
Ok, so it will be fixed by removing --no-nvram? Alex, as you are the author of this change, can you please verify it, as I do not want to break your change for aarch64? Thanks
Jiri Srain
http://bugzilla.opensuse.org/show_bug.cgi?id=999818#c6
--- Comment #6 from Alexander Graf
> Hi Josef,
> In efi, the --removable covers the case of --no-nvram. Here is what it does to get installation on removable disks.
> 1. Copy efi loaders to default loader path on ESP
> 2. Prevent modifying EFI boot variables, then firmware will boot the default loader on this (removable) disk.
> So it's fine to replace
>     cmd << "--no-nvram" << "--removable" if removable_efi?
> With:
>     cmd << "--removable" if removable_efi?
In EFI, --removable means "install the binary at the removable location" while --no-nvram means "Do not update the nvram with a new entry" (which would fail if no nvram is available). So nack for the change.
The actual problem is deeper. For some reason we're running the efi code on a system that does not see efivars. That should not happen on normal systems.
http://bugzilla.opensuse.org/show_bug.cgi?id=999818#c7
Michael Chang
(In reply to Michael Chang from comment #4)
> In EFI, --removable means "install the binary at the removable location" while --no-nvram means "Do not update the nvram with a new entry" (which would fail if no nvram is available). So nack for the change.
Looking into grub2-install again, the --removable parameter really implies the same effect as --no-nvram. The common check in creating efivars is like this:
    if (!removable && update_nvram)
      grub_install_register_efi ...
And I also did the test with running grub2-install, and --removable alone really did not create any efivars.
But to be on the safe side, I agree with specifying --no-nvram, as the code or meaning could change in the future, but currently it really looks redundant to me when used together with --removable.
OTOH, we can also make a quick fix in shim-install to provide the --no-nvram parameter, then it would not fail. The question here is that the shim package has not been updated in TW for a while and I think we are waiting for the new image to get signed by MS. (But who knows how long it will take).
Gary, did you have a comment for that?
> The actual problem is deeper. For some reason we're running the efi code on a system that does not see efivars. That should not happen on normal systems.
OK. Thanks.
http://bugzilla.opensuse.org/show_bug.cgi?id=999818#c8
Gary Ching-Pang Lin
(In reply to Alexander Graf from comment #6)
(In reply to Michael Chang from comment #4)
> OTOH, we can also make a quick fix in shim-install to provide the --no-nvram parameter, then it would not fail. The question here is that the shim package has not been updated in TW for a while and I think we are waiting for the new image to get signed by MS. (But who knows how long it will take).
> Gary, did you have a comment for that?
I informed Johannes to request a new signature last week. It could take a week to a month, depending on the code review.
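
Added example, not part of the thread and not code from yast-bootloader, shim or grub2: one way a caller could avoid the "Unrecognized option" failure reported above is to pass only the flags the installed tool advertises, and to refuse to continue if nothing is left that suppresses the NVRAM update. The function names and the sample help text are assumptions made for illustration; the help listing is constructed and is not real shim-install output.

```ruby
# Added example. supported_long_options, shim_install_args, efivars_visible?
# and SAMPLE_HELP are hypothetical names, not yast-bootloader or shim code.

# Constructed help listing that lacks --no-nvram, as in the report above.
# It is not the real shim-install help text.
SAMPLE_HELP = <<~HELP
  Usage: shim-install [OPTION] [INSTALL_DEVICE]
    --config-file=FILE    use FILE as the config file
    --removable           install to the removable media path
    -h, --help            print this message and exit
HELP

# Long option names ("--foo") that a help text advertises.
def supported_long_options(help_text)
  help_text.scan(/(?<![\w-])--[a-z][a-z0-9-]*/).uniq
end

# Build the argument list, keeping only flags the tool advertises.
# Returns [args, dropped] so the caller can log what was left out.
def shim_install_args(help_text, config_file:, removable:)
  known = supported_long_options(help_text)
  wanted = ["--config-file=#{config_file}"]
  wanted << "--no-nvram" << "--removable" if removable
  args, dropped = wanted.partition { |a| known.include?(a.split("=", 2).first) }
  # Fail closed: --no-nvram may only be dropped when --removable is kept,
  # which per comment #7 also skips registering an EFI boot entry.
  if dropped.include?("--no-nvram") && !args.include?("--removable")
    raise ArgumentError, "no supported flag left to suppress the NVRAM update"
  end
  [args, dropped]
end

# Comment #6's precondition: is the efivars interface visible at all?
# root is a parameter only so the check can be pointed at a test tree.
def efivars_visible?(root = "/")
  File.directory?(File.join(root, "sys/firmware/efi/efivars"))
end

if __FILE__ == $PROGRAM_NAME
  args, dropped = shim_install_args(SAMPLE_HELP,
                                    config_file: "/boot/grub2/grub.cfg",
                                    removable: true)
  puts "args: #{args.inspect}, dropped: #{dropped.inspect}"
  puts "efivars visible: #{efivars_visible?}"
end
```
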
http://bugzilla.opensuse.org/show_bug.cgi?id=999818#c9
Michael Chang
Gary Ching-Pang Lin
http://bugzilla.opensuse.org/show_bug.cgi?id=999818#c13
Gary Ching-Pang Lin