[Bug 999818] New: Enabling secure boot causes shim-install to fail - openSUSE Bugs - openSUSE Mailing Lists

newer
[Bug 1009961] docker runc...

[Bug 999818] New: Enabling secure boot causes shim-install to fail

older
[Bug 985568] New: shim-install...

bugzilla_noreply＠novell.com

20 Sep 2016 20 Sep '16

06:41

http://bugzilla.opensuse.org/show_bug.cgi?id=999818 Bug ID: 999818 Summary: Enabling secure boot causes shim-install to fail Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Major Priority: P5 - None Component: Bootloader Assignee: jsrain@suse.com Reporter: gtettamanzi@gmail.com QA Contact: jsrain@suse.com Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36 Build Identifier: I'm trying to dual boot W10 and TBW (snapshot 20160913). The two os are on two separate physical disks. If I tick "Enable secure boot", which I suppose is needed to boot a UEFI system, with bootloader set to "GRUB2 for EFI" and Protective MBR flag to "Do not change", the bootloader returns the following error: Error Execution of command "[["/usr/sbin/shim-install","--config-file=/boot/grub2/grub.cfg","--no-nvram","--removable""]]" failed. Exit code: 1 Error output: Unrecognized option '--no-nvram' shim version: 0.9-5.30 I've checked shim-install options out and no-nvram is not listed within them. Reproducible: Always Steps to Reproduce: As described above. Actual Results: Secure boot support is not enabled Expected Results: Secure boot support enabled -- You are receiving this mail because: You are on the CC list for the bug.

Attachments:

attachment.htm (text/html — 3.1 KB)

Reply

Sign in to reply online Use email software

Show replies by date

bugzilla_noreply＠novell.com

20 Sep 20 Sep

08:04

New subject: [Bug 999818] Enabling secure boot causes shim-install to fail

http://bugzilla.opensuse.org/show_bug.cgi?id=999818 http://bugzilla.opensuse.org/show_bug.cgi?id=999818#c1 Josef Reidinger changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |gtettamanzi@gmail.com, | |jreidinger@suse.com Flags| |needinfo?(gtettamanzi@gmail | |.com) --- Comment #1 from Josef Reidinger --- Yes, this options are wrong. Can you please attach yast logs? So I can see why this powerpc only options are used in this case. https://en.opensuse.org/openSUSE:Report_a_YaST_bug#I_reported_a_YaST2_bug.2C... thanks -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

08:37

New subject: [Bug 999818] Enabling secure boot causes shim-install to fail

http://bugzilla.opensuse.org/show_bug.cgi?id=999818 http://bugzilla.opensuse.org/show_bug.cgi?id=999818#c2 Gabriele Tettamanzi changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(gtettamanzi@gmail | |.com) | --- Comment #2 from Gabriele Tettamanzi --- Created attachment 693073 --> http://bugzilla.opensuse.org/attachment.cgi?id=693073&action=edit YaST2 log Needinfo by Josef Reidinger -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

08:50

New subject: [Bug 999818] Enabling secure boot causes shim-install to fail

http://bugzilla.opensuse.org/show_bug.cgi?id=999818 http://bugzilla.opensuse.org/show_bug.cgi?id=999818#c3 Josef Reidinger changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mchang@suse.com Flags| |needinfo?(mchang@suse.com) --- Comment #3 from Josef Reidinger --- ah, my fault, it is not only for powerpc. Michael - can you please check why it failed? Code to detect when this removable and no-nvram to use is at https://github.com/yast/yast-bootloader/blob/master/src/lib/bootloader/grub_... maybe we need to limit it even more? or detection is wrong and there is better way to recognize it. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

10:33

New subject: [Bug 999818] Enabling secure boot causes shim-install to fail

http://bugzilla.opensuse.org/show_bug.cgi?id=999818 http://bugzilla.opensuse.org/show_bug.cgi?id=999818#c4 Michael Chang changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(mchang@suse.com) | --- Comment #4 from Michael Chang --- Hi Josef, In efi, the --removable covers the case of --no-nvram. Here what it does to get installation on removable disks. 1. Copy efi loaders to default loader path on ESP 2. Prevent modifying EFI boot variables, then firmware will boot the default loader on this (removable) disk. So it's fine to replace cmd << "--no-nvram" << "--removable" if removable_efi? With: cmd << "--removable" if removable_efi? For PowerPC, specifying --removable to grub2-install basically triggers error because it only available on EFI. You can still use --no-nvram to prevent from updating nvram, ie, for not changing the default boot device for OFW. Thanks. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

10:51

New subject: [Bug 999818] Enabling secure boot causes shim-install to fail

http://bugzilla.opensuse.org/show_bug.cgi?id=999818 http://bugzilla.opensuse.org/show_bug.cgi?id=999818#c5 Josef Reidinger changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |agraf@suse.com Flags| |needinfo?(agraf@suse.com) --- Comment #5 from Josef Reidinger --- (In reply to Michael Chang from comment #4)

Hi Josef,

In efi, the --removable covers the case of --no-nvram. Here what it does to get installation on removable disks.

1. Copy efi loaders to default loader path on ESP 2. Prevent modifying EFI boot variables, then firmware will boot the default loader on this (removable) disk.

So it's fine to replace

cmd << "--no-nvram" << "--removable" if removable_efi?

With:

cmd << "--removable" if removable_efi?

For PowerPC, specifying --removable to grub2-install basically triggers error because it only available on EFI. You can still use --no-nvram to prevent from updating nvram, ie, for not changing the default boot device for OFW.

Thanks.

Ok, so it will be fixed by removing --no-nvram? Alex as you are author of this change, can you please verify it as I do not want to break your change for aarch64? Thanks -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

10:58

New subject: [Bug 999818] Enabling secure boot causes shim-install to fail

http://bugzilla.opensuse.org/show_bug.cgi?id=999818 Jiri Srain changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |glin@suse.com -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

12:30

New subject: [Bug 999818] Enabling secure boot causes shim-install to fail

http://bugzilla.opensuse.org/show_bug.cgi?id=999818 http://bugzilla.opensuse.org/show_bug.cgi?id=999818#c6 --- Comment #6 from Alexander Graf --- (In reply to Michael Chang from comment #4)

Hi Josef,

In efi, the --removable covers the case of --no-nvram. Here what it does to get installation on removable disks.

1. Copy efi loaders to default loader path on ESP 2. Prevent modifying EFI boot variables, then firmware will boot the default loader on this (removable) disk.

So it's fine to replace

cmd << "--no-nvram" << "--removable" if removable_efi?

With:

cmd << "--removable" if removable_efi?

In EFI, --removable means "install the binary at the removable location" while --no-nvram means "Do not update the nvram with a new entry" (which would fail if no nvram is available). So nack for the change. The actual problem is deeper. For some reason we're running the efi code on a system that does not see efivars. That should not happen on normal systems. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

21 Sep 21 Sep

04:03

New subject: [Bug 999818] Enabling secure boot causes shim-install to fail

http://bugzilla.opensuse.org/show_bug.cgi?id=999818 http://bugzilla.opensuse.org/show_bug.cgi?id=999818#c7 Michael Chang changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(glin@suse.com) --- Comment #7 from Michael Chang --- (In reply to Alexander Graf from comment #6)

(In reply to Michael Chang from comment #4)

In EFI, --removable means "install the binary at the removable location" while --no-nvram means "Do not update the nvram with a new entry" (which would fail if no nvram is available). So nack for the change.

Looking into grub2-install again, the --removable parameter really implies the same effect as --no-nvram. The common check in creating efivars like this: if (!removable && update_nvram) grub_install_register_efi ... And I also did the test with running grub2-install and --removable along really did not create any efivars. But to be on safe side, I agree with specifying --no-nvram as code or meaning could change in the future, but currently it really looks redundant to me when used together with--removable. OTOH We can also make a quick fix in shim-install to provide the --no-nvram parameter then it did not fail. The question here is that shim package is not updated in TW for a while and I think we are waiting new image gets signed by MS. (But who knows how long it will take). Gary, did you have comment for that ?

The actual problem is deeper. For some reason we're running the efi code on a system that does not see efivars. That should not happen on normal systems.

OK. Thanks. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

04:42

New subject: [Bug 999818] Enabling secure boot causes shim-install to fail

http://bugzilla.opensuse.org/show_bug.cgi?id=999818 http://bugzilla.opensuse.org/show_bug.cgi?id=999818#c8 Gary Ching-Pang Lin changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(glin@suse.com) | --- Comment #8 from Gary Ching-Pang Lin --- (In reply to Michael Chang from comment #7)

(In reply to Alexander Graf from comment #6)

...
(In reply to Michael Chang from comment #4)

OTOH We can also make a quick fix in shim-install to provide the --no-nvram parameter then it did not fail. The question here is that shim package is not updated in TW for a while and I think we are waiting new image gets signed by MS. (But who knows how long it will take).

Gary, did you have comment for that ?

I informed Johannes to request a new signature last week. It could take a week to a month, depending on the code review. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

22 Sep 22 Sep

10:49

New subject: [Bug 999818] Enabling secure boot causes shim-install to fail

http://bugzilla.opensuse.org/show_bug.cgi?id=999818 http://bugzilla.opensuse.org/show_bug.cgi?id=999818#c9 Michael Chang changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(glin@suse.com) --- Comment #9 from Michael Chang --- Hi Gary, Pls check srid#429445 to devel:openSUSE:Factory/shim for this problem. Thanks. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

12 Dec 12 Dec

07:04

New subject: [Bug 999818] Enabling secure boot causes shim-install to fail

http://bugzilla.opensuse.org/show_bug.cgi?id=999818 Gary Ching-Pang Lin changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|jsrain@suse.com |glin@suse.com -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

bugzilla_noreply＠novell.com

28 Dec 28 Dec

06:56

New subject: [Bug 999818] Enabling secure boot causes shim-install to fail

http://bugzilla.opensuse.org/show_bug.cgi?id=999818 http://bugzilla.opensuse.org/show_bug.cgi?id=999818#c13 Gary Ching-Pang Lin changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #13 from Gary Ching-Pang Lin --- The fix was submitted to Tumbleweed. Close this bug. -- You are receiving this mail because: You are on the CC list for the bug.

Reply

Sign in to reply online Use email software

2677

Age (days ago)

2776

Last active (days ago)

Download

12 comments

1 participants

tags

participants (1)

bugzilla_noreply＠novell.com