[Bug 869786] New: Secure boot does not work
https://bugzilla.novell.com/show_bug.cgi?id=869786
https://bugzilla.novell.com/show_bug.cgi?id=869786#c0

Summary: Secure boot does not work
Classification: openSUSE
Product: openSUSE 13.1
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Bootloader
AssignedTo: jsrain@suse.com
ReportedBy: nrickert@ameritech.net
QAContact: jsrain@suse.com
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0

I recently purchased a Lenovo ThinkServer TS140, and installed 13.1. It is mostly working fine.

However, I decided that I should test secure-boot. So I made sure that grub2-efi was configured for secure-boot. I then switched to secure-boot in the BIOS. And now I get a message "invalid signature detected".

After turning off secure-boot it is back to working.

This is not particularly important, as I do not need secure boot.

Here's my best guess as to what is happening: Windows has never been installed on this box. I suspect that the opensuse support for secure-boot depends on verifying shim with the Windows key. But, because Windows has never been installed, the Windows key is probably not present. Most likely, the key store of the UEFI BIOS is empty. I'm currently not seeing a BIOS setting for this.

In the best of all worlds, opensuse should be able to handle this situation. In any case, I'm reporting as a bug so that someone will look at it.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
--- Comment #3 from Gary Ching-Pang Lin
--- Comment #4 from Neil Rickert
--- Comment #5 from Neil Rickert
--- Comment #6 from Gary Ching-Pang Lin
> Output from "efibootmgr -v":
>
> # efibootmgr -v
> BootCurrent: 0000
> Timeout: 1 seconds
> BootOrder: 0000,000E,0002,0013,0014,0012,0007,0008,0011
> Boot0000* opensuse  HD(2,800,fa000,bf8f0c7b-6395-4d74-9c29-8731cbca231d)File(\EFI\opensuse\grubx64.efi)
> Boot0002* betasuse  HD(2,800,fa000,bf8f0c7b-6395-4d74-9c29-8731cbca231d)File(\EFI\betasuse\grubx64.efi)
> Boot0007* Generic Usb Device  Vendor(99e275e7-75a0-4b37-a2e6-c5385e6c00cb,)
> Boot0008* CD/DVD Device  Vendor(99e275e7-75a0-4b37-a2e6-c5385e6c00cb,)
> Boot000E* UEFI OS  HD(2,800,fa000,bf8f0c7b-6395-4d74-9c29-8731cbca231d)File(\EFI\BOOT\BOOTX64.EFI)
> Boot0011* Generic Usb Device  Vendor(99e275e7-75a0-4b37-a2e6-c5385e6c00cb,)
> Boot0012* CD/DVD Device  Vendor(99e275e7-75a0-4b37-a2e6-c5385e6c00cb,)
> Boot0013  UEFI: IP4 Intel(R) Ethernet Connection I217-LM  ACPI(a0341d0,0)PCI(19,0)MAC(fc4dd4f53ab0,0)IPv4(0.0.0.0:0<->0.0.0.0:0,0, 0..BO
> Boot0014  UEFI: IP6 Intel(R) Ethernet Connection I217-LM  ACPI(a0341d0,0)PCI(19,0)MAC(fc4dd4f53ab0,0)030d3c000000000000000000000000000000000000000000000000000000000000000000000000000000004000000000000000000000000000000000..BO
Hmmm, there is no opensuse-secureboot entry. To support secure boot, you will need an entry for "\EFI\opensuse\shim.efi". Is there any new entry created after you checked "Enable Secure Boot support" in YaST2 boot loader?
> The file "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00-e67656f" does not exist. Did you mean /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
Sorry, typo.
In any case, I'll attach that.
I checked the keys in db, and UEFI CA is already included in the list.
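Comment #6 turns on two facts the reporter had to dig out of efivarfs by hand: whether the firmware is actually enforcing Secure Boot, and which certificates and hashes the `db` allow-list holds (it is the `db` variable, named `db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` under `/sys/firmware/efi/efivars`, that must carry the CA able to verify shim). The following Python is an added example for this thread, not code from the bug report or from openSUSE's tooling. It parses the efivarfs layout, which is a 4-byte attribute word followed by the variable payload; for `db` the payload is a series of EFI_SIGNATURE_LIST structures, each a SignatureType GUID, three sizes, an optional header and fixed-size entries of SignatureOwner GUID plus SignatureData. The owner GUID, the "certificate" bytes and the two binary hashes in the sample are constructed placeholders so the script runs offline; the signature-type GUIDs and the SecureBoot variable GUID are the ones defined in the UEFI specification.

```python
"""Inspect the UEFI Secure Boot state and the `db` allow-list via efivarfs.

Added example; not code from the bug report or from openSUSE.
Each efivarfs file is: 4 bytes of variable attributes, then the payload.
For `db` the payload is one or more EFI_SIGNATURE_LIST structures.
"""
import hashlib
import struct
import uuid

# Variable GUIDs: the db GUID appears in the thread, EFI_GLOBAL_VARIABLE is
# the UEFI-spec GUID under which the SecureBoot variable lives.
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
DB_PATH = f"/sys/firmware/efi/efivars/db-{EFI_IMAGE_SECURITY_DATABASE_GUID}"
SECUREBOOT_PATH = f"/sys/firmware/efi/efivars/SecureBoot-{EFI_GLOBAL_VARIABLE_GUID}"

# Signature type GUIDs from the UEFI specification (signature database section).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
SIG_LIST_HEADER = struct.Struct("<16sIII")


def secure_boot_enabled(efivar_bytes):
    """SecureBoot payload is a single byte: 1 = enforcing, 0 = disabled."""
    if len(efivar_bytes) < 5:
        raise ValueError("SecureBoot variable too short")
    return efivar_bytes[4] == 1


def parse_signature_lists(efivar_bytes):
    """Return one dict per signature entry found in a db/dbx/KEK efivar payload."""
    data = efivar_bytes[4:]  # drop the 4-byte attribute word
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < SIG_LIST_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = SIG_LIST_HEADER.unpack_from(data, off)
        if list_size < SIG_LIST_HEADER.size + hdr_size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize")
        if sig_size < 16:  # every entry starts with a 16-byte SignatureOwner GUID
            raise ValueError("SignatureSize smaller than an owner GUID")
        sig_type = uuid.UUID(bytes_le=raw_type)
        pos, end = off + SIG_LIST_HEADER.size + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            payload = data[pos + 16:pos + sig_size]  # DER cert or raw hash
            entries.append({
                "type": TYPE_NAMES.get(sig_type, str(sig_type)),
                "owner": str(owner),
                "sha256": hashlib.sha256(payload).hexdigest(),
            })
            pos += sig_size
        off = end
    return entries


def has_cert(entries, sha256_hex):
    """True if an X.509 entry whose DER bytes hash to sha256_hex is present."""
    return any(e["type"] == "x509" and e["sha256"] == sha256_hex.lower() for e in entries)


def build_signature_list(sig_type, owner, signatures):
    """Assemble an EFI_SIGNATURE_LIST (no signature header) for the sample below."""
    sizes = {len(s) for s in signatures}
    if len(sizes) != 1:
        raise ValueError("all signatures in one list must share one size")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + s for s in signatures)
    header = SIG_LIST_HEADER.pack(sig_type.bytes_le, SIG_LIST_HEADER.size + len(body), 0, sig_size)
    return header + body


# Constructed sample data (placeholders, not a vendor's GUID or certificate).
EFIVAR_ATTRS = struct.pack("<I", 0x27)  # NV | BS | RT | TIME_BASED_AUTHENTICATED_WRITE_ACCESS
FAKE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
FAKE_CERT = b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-DER-CERTIFICATE"
FAKE_CERT_SHA256 = hashlib.sha256(FAKE_CERT).hexdigest()
SAMPLE_DB = (
    EFIVAR_ATTRS
    + build_signature_list(EFI_CERT_X509_GUID, FAKE_OWNER, [FAKE_CERT])
    + build_signature_list(EFI_CERT_SHA256_GUID, FAKE_OWNER,
                           [hashlib.sha256(b"binary-a").digest(), hashlib.sha256(b"binary-b").digest()])
)
SAMPLE_SECUREBOOT_ON = EFIVAR_ATTRS + b"\x01"
SAMPLE_SECUREBOOT_OFF = EFIVAR_ATTRS + b"\x00"


def read_efivar(path):
    with open(path, "rb") as f:
        return f.read()


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; on a UEFI machine
    # replace the samples with read_efivar(SECUREBOOT_PATH) / read_efivar(DB_PATH).
    print("SecureBoot enforcing:", secure_boot_enabled(SAMPLE_SECUREBOOT_ON))
    for e in parse_signature_lists(SAMPLE_DB):
        print(f"{e['type']:6} owner={e['owner']} sha256={e['sha256']}")
    print("placeholder CA present:", has_cert(parse_signature_lists(SAMPLE_DB), FAKE_CERT_SHA256))
```

To answer the question this comment answers by hand, point `read_efivar` at `DB_PATH` and compare the `x509` fingerprints against the SHA-256 of the CA certificate your shim is signed by. The parser is generic over `db`, `dbx` and `KEK`, which share the EFI_SIGNATURE_LIST layout; only the file name differs.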
--- Comment #7 from Neil Rickert
> Hmmm, there is no opensuse-secureboot entry.
I removed that, because it wasn't working. I reinstalled grub2-efi, without the "secure-boot" box checked, and that removed the entry. I figured that I could still test by turning on secure-boot and attempting to boot the 13.1 install media.
--- Comment #8 from Neil Rickert
--- Comment #9 from Gary Ching-Pang Lin
--- Comment #10 from Neil Rickert
> $ pesign -n certdb -r -u 1 -i /usr/lib64/efi/shim.efi -o shim-1-sig.efi

I'm getting:

pesign: No input file specified.

I also checked the vendor site. It looks as if I do already have the latest firmware.
--- Comment #11 from Gary Ching-Pang Lin
> I reinstalled the secure-boot support, so "opensuse-secureboot" does now show as first in boot order.
>
> $ pesign -n certdb -r -u 1 -i /usr/lib64/efi/shim.efi -o shim-1-sig.efi
>
> I'm getting:
>
> pesign: No input file specified.

Gee, a bug in pesign 0.106 :-\

Changing the order of the options to work around it:

$ pesign -n certdb -r -i /usr/lib64/efi/shim.efi -o shim-1-sig.efi -u 1

> I also checked the vendor site. It looks as if I do already have the latest firmware.

It won't surprise me if the vendor doesn't care about multi-signature since the windows signtool doesn't support the feature...
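Two statements in this thread are about the boot entry rather than the keys: comment #6 notes that Secure Boot needs an entry loading "\EFI\opensuse\shim.efi", and comment #11 quotes the reporter that "opensuse-secureboot" is now first in the boot order. Both can be checked mechanically from the text of `efibootmgr -v`. The following Python is an added example for this thread, not code from the bug report or from openSUSE's tooling. It parses `BootOrder` and the `BootXXXX` lines in the format quoted in comment #6, locates entries whose load path ends in a given loader name (shim.efi by default, so it also covers other distributions' shim-based layouts), and reports whether such an entry is first in `BootOrder`. The two sample outputs are constructed: the first mirrors the thread's output without a shim entry, the second adds a hypothetical `Boot0001* opensuse-secureboot` entry to show the passing case.

```python
"""Check `efibootmgr -v` output for a shim-based Secure Boot entry.

Added example; not part of the bug report or of openSUSE's tooling.
Parses the text form of `efibootmgr -v` and answers: is there a boot
entry whose load path ends in shim.efi, and is it first in BootOrder?
"""
import re
import subprocess

ENTRY_RE = re.compile(r"^Boot([0-9A-Fa-f]{4})(\*?)\s+(.*)$")  # "*" marks an active entry
# The label ends where the device path starts (HD(, Vendor(, ACPI(, PciRoot(, BBS( ...).
DEVPATH_RE = re.compile(r"\s+(?=(?:HD|Vendor|ACPI|PciRoot|BBS)\()")
FILE_RE = re.compile(r"File\(([^)]*)\)")  # the load path inside the device path


def parse_efibootmgr(text):
    """Return (boot_order list, {entry number: {label, active, path}})."""
    order, entries = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("BootOrder:"):
            order = [n.strip().upper() for n in line.split(":", 1)[1].split(",") if n.strip()]
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # BootCurrent, Timeout and anything else we do not need
        num, active, rest = m.group(1).upper(), m.group(2) == "*", m.group(3)
        parts = DEVPATH_RE.split(rest, maxsplit=1)
        devpath = parts[1] if len(parts) > 1 else ""
        fm = FILE_RE.search(devpath)
        entries[num] = {
            "label": parts[0].strip(),
            "active": active,
            "path": fm.group(1) if fm else None,  # None for network/removable entries
        }
    return order, entries


def secure_boot_entry_check(text, loader="shim.efi"):
    """Summarise whether a loader entry exists and whether it boots first."""
    order, entries = parse_efibootmgr(text)
    loader = loader.lower()
    shim_ids = sorted(
        n for n, e in entries.items()
        if e["path"] and e["path"].lower().endswith("\\" + loader)
    )
    first = order[0] if order else None
    return {
        "shim_entries": shim_ids,
        "shim_first": first in shim_ids,
        "first_entry": entries[first]["label"] if first in entries else None,
    }


# Constructed sample: the layout of the thread's output, without a shim entry.
SAMPLE_NO_SHIM = r"""
BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0000,000E,0002,0013,0007
Boot0000* opensuse  HD(2,800,fa000,bf8f0c7b-6395-4d74-9c29-8731cbca231d)File(\EFI\opensuse\grubx64.efi)
Boot0002* betasuse  HD(2,800,fa000,bf8f0c7b-6395-4d74-9c29-8731cbca231d)File(\EFI\betasuse\grubx64.efi)
Boot0007* Generic Usb Device  Vendor(99e275e7-75a0-4b37-a2e6-c5385e6c00cb,)
Boot000E* UEFI OS  HD(2,800,fa000,bf8f0c7b-6395-4d74-9c29-8731cbca231d)File(\EFI\BOOT\BOOTX64.EFI)
Boot0013  UEFI: IP4 Intel(R) Ethernet Connection I217-LM  ACPI(a0341d0,0)PCI(19,0)MAC(fc4dd4f53ab0,0)IPv4(0.0.0.0:0<->0.0.0.0:0,0, 0..BO
"""

# Constructed sample: same machine with a hypothetical shim entry placed first.
SAMPLE_WITH_SHIM = r"""
BootCurrent: 0001
Timeout: 1 seconds
BootOrder: 0001,0000,000E,0002
Boot0000* opensuse  HD(2,800,fa000,bf8f0c7b-6395-4d74-9c29-8731cbca231d)File(\EFI\opensuse\grubx64.efi)
Boot0001* opensuse-secureboot  HD(2,800,fa000,bf8f0c7b-6395-4d74-9c29-8731cbca231d)File(\EFI\opensuse\shim.efi)
Boot0002* betasuse  HD(2,800,fa000,bf8f0c7b-6395-4d74-9c29-8731cbca231d)File(\EFI\betasuse\grubx64.efi)
Boot000E* UEFI OS  HD(2,800,fa000,bf8f0c7b-6395-4d74-9c29-8731cbca231d)File(\EFI\BOOT\BOOTX64.EFI)
"""


def live_output():
    """Run the real tool (needs root and a UEFI boot); not used in the offline demo."""
    return subprocess.run(["efibootmgr", "-v"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for name, sample in (("no shim", SAMPLE_NO_SHIM), ("with shim", SAMPLE_WITH_SHIM)):
        print(name, secure_boot_entry_check(sample))
```

On a live system, pass `live_output()` to `secure_boot_entry_check`; a result with an empty `shim_entries` list is the situation comment #6 points out, and `shim_first` false with a non-empty list means the entry exists but the firmware will try another loader first.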
--- Comment #12 from Neil Rickert
--- Comment #13 from Gary Ching-Pang Lin