[Bug 1185441] New: "system is compromised" during boot after grub2+shim update
https://bugzilla.suse.com/show_bug.cgi?id=1185441

Bug ID: 1185441
Summary: "system is compromised" during boot after grub2+shim update
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.2
Hardware: Other
OS: Linux
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Bootloader
Assignee: screening-team-bugs@suse.de
Reporter: robert.simai@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

I installed the most recent
kernel-default-5.3.18-lp152.72.1.x86_64
shim-15.4-lp152.4.8.1.x86_64
grub2-2.04-lp152.7.25.1.x86_64
on my Dell Precision 3620 this week and rebooted as required. The system doesn't come up but shows "system is compromised" for a second, followed by power down.

If I change from "UEFI with secure boot" to "UEFI without secure boot" it behaves well again and just boots.

I've set "mokutil --set-verbosity true" as advised, which outputs a lot of messages; I unfortunately have no serial console at hand to connect and save them. I'll try to attach a video from the screen that shows the boot process and messages.

-- You are receiving this mail because: You are on the CC list for the bug.
--- Comment #13 from Gary Ching-Pang Lin
(In reply to Tiago Marques from comment #12)
> Hi,
> I've been hit by this for some months now. Every Grub2 update, I get the same message as OP. Not sure which grub package is to blame and I'm using EFI and secure boot.
> I've managed to (twice) solve the issue by booting a live USB, chrooting and then running 'shim-install'.
> Not sure where the bug is or if this helps. I'm available to test other things out to help fix this.

Before upgrading "shim", could you try "mokutil --enable-validation" and reboot the system to clean up MokSBState?
--- Comment #15 from Tiago Marques
(In reply to Gary Ching-Pang Lin from comment #13)
> Before upgrading "shim", could you try "mokutil --enable-validation" and reboot the system to clean up MokSBState?

Tried but the command is asking me for a password. I have no password set on the BIOS. Is this the expected behavior?
--- Comment #16 from Gary Ching-Pang Lin
(In reply to Tiago Marques from comment #15)
> Tried but the command is asking me for a password. I have no password set on the BIOS. Is this the expected behavior?

That's a password used to verify physical access when modifying the MokSBState variable. During the next boot, MokManager will ask if you want to "Change Secure Boot state" and randomly ask 3 characters of the password you set. It's a one-time password and will be dropped after use.
--- Comment #17 from Tiago Marques
(In reply to Gary Ching-Pang Lin from comment #16)
> That's a password used to verify physical access when modifying the MokSBState variable. During the next boot, MokManager will ask if you want to "Change Secure Boot state" and randomly ask 3 characters of the password you set. It's a one-time password and will be dropped after use.

After doing that, got an unbootable system with the same "system is compromised" message. Tried to restore the same way as before, but the OpenSUSE live USB was also unbootable w/ messages:
---
Failed to open \EFI\BOOT\MokManager.efi - Not Found
Failed to load image \EFI\BOOT\MokManager.efi: Not Found
Failed to start MokManager: Not Found
Something has gone seriously wrong: import_mok_state() failed : Not Found
---
I managed to select an option to run "UEFI Application", manually select 'shim.efi' from the boot drive and get into the OS.
--- Comment #18 from Gary Ching-Pang Lin
(In reply to Tiago Marques from comment #17)
> After doing that, got an unbootable system with the same "system is compromised" message.

What's the version of shim in the system? Could you try
1) downgrade shim with the following rpm http://download.opensuse.org/update/leap/15.2/oss/x86_64/shim-15+git47-lp152...
2) mokutil --enable-validation
3) reboot the system to clear MokSBState
4) upgrade shim to 15.4 again and reboot the system to see if the issue persists

> Tried to restore the same way as before, but the OpenSUSE live USB was also unbootable w/ messages:
> ---
> Failed to open \EFI\BOOT\MokManager.efi - Not Found
> Failed to load image \EFI\BOOT\MokManager.efi: Not Found
> Failed to start MokManager: Not Found
> Something has gone seriously wrong: import_mok_state() failed : Not Found
> ---

It seems the request for MokSBState wasn't handled, and MokManager.efi wasn't in the Live USB, so shim cannot handle the request.

> I managed to select an option to run "UEFI Application", manually select 'shim.efi' from the boot drive and get into the OS.
--- Comment #20 from Gary Ching-Pang Lin
> Hi, since upgrading to shim 15.4 I had the same issue with Secureboot enabled in BIOS on Tumbleweed, so with message "system is compromised". To be able to boot I disabled Secureboot in BIOS. Today I upgraded TW to snapshot 20210520, with shim-15.4-3.1.x86_64, still the same issue when enabling Secureboot in BIOS, so disabled it again.
> So I followed some of the steps in this report, didn't downgrade shim package.
> 1. mokutil --enable-validation (not disable)
> 2. reboot
> 3. Press Down and Enter in shim menu to *Change secure boot state*
> 4. Enter three password characters.
> 5. Press y and Enter
> 6. Press any key to reboot system (reboot)
> 7. system boots, Secureboot still disabled in BIOS.
> 8. Boot to Bios and enabled Secureboot again
> 9. System boots, without error
> mokutil --sb-state gives SecureBoot enabled, so I guess it's fixed.

Thanks for verifying MokSBState and providing the workaround!
--- Comment #21 from Tiago Marques
(In reply to Gary Ching-Pang Lin from comment #18)
> What's the version of shim in the system? Could you try
> 1) downgrade shim with the following rpm http://download.opensuse.org/update/leap/15.2/oss/x86_64/shim-15+git47-lp152.4.6.1.x86_64.rpm
> 2) mokutil --enable-validation
> 3) reboot the system to clear MokSBState
> 4) upgrade shim to 15.4 again and reboot the system to see if the issue persists
>
> It seems the request for MokSBState wasn't handled, and MokManager.efi wasn't in the Live USB, so shim cannot handle the request.

Tried this to no avail.
Also tried changing the SB state through the Shim management options but it fails with error "Failed to changed SB state".
Running shim through UEFI programs still works and "shim-install" then fixes the boot issue.

$ mokutil --list-enrolled
MokListRT is empty

Could this be related?
--- Comment #22 from Gary Ching-Pang Lin
(In reply to Tiago Marques from comment #21)
> $ mokutil --list-enrolled
> MokListRT is empty
>
> Could this be related?

The empty MokListRT sounds similar to bsc#1185528. It seems that shim failed to mirror the keys for some reason.
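The thread turns on three things that can be checked from a booted system: whether shim's own validation has been switched off through the MokSBState variable (the mokutil --enable-validation round trip in comments #13 to #20), whether MokManager.efi sits beside shim.efi so that shim can service a pending MokSBState request (the live USB failure in comments #17 and #18), and whether MokListRT is empty (comments #21 and #22). The POSIX shell helper below is an added example, not code from the bug report or from the shim or mokutil projects; it assumes efivarfs is mounted at /sys/firmware/efi/efivars and the openSUSE boot files live under /boot/efi/EFI/opensuse, takes both paths as arguments, and is exercised against a constructed sample tree rather than a real machine.

```shell
#!/bin/sh
# Added audit helper (not from the bug report or the shim/mokutil projects).
# Assumed layout: efivarfs at /sys/firmware/efi/efivars and the openSUSE
# boot files under /boot/efi/EFI/opensuse. Both paths are passed as
# arguments so the functions can also run against a constructed sample tree.

MOK_GUID=605dab50-e046-4300-abb6-3dd810dd8b23      # shim's MOK variable vendor GUID
GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI_GLOBAL_VARIABLE (SecureBoot)

# Print the first data byte of an efivarfs variable as a decimal number.
# efivarfs prefixes the payload with a 4-byte attribute word, so skip it.
efivar_byte() {
    f="$1/$2"
    [ -r "$f" ] || { echo absent; return 0; }
    od -An -tu1 -j4 -N1 "$f" | tr -d ' '
}

# Combine firmware SecureBoot with shim's MokSBState. MokSBState=1 is the
# "validation disabled" request that mokutil --disable-validation sets and
# mokutil --enable-validation clears (through MokManager on the next boot).
sb_status() {
    sb=$(efivar_byte "$1" "SecureBoot-$GLOBAL_GUID")
    mok=$(efivar_byte "$1" "MokSBState-$MOK_GUID")
    case "$sb:$mok" in
        1:1) echo "firmware SecureBoot on, shim validation disabled (MokSBState=1)" ;;
        1:*) echo "firmware SecureBoot on, shim validation enabled" ;;
        *)   echo "firmware SecureBoot off" ;;
    esac
}

# MokListRT mirrors the enrolled MOK keys; when only the 4-byte attribute
# header is present it is what "mokutil --list-enrolled" reports as empty.
moklist_state() {
    f="$1/MokListRT-$MOK_GUID"
    [ -r "$f" ] || { echo absent; return 0; }
    [ "$(wc -c < "$f" | tr -d ' ')" -gt 4 ] && echo populated || echo empty
}

# shim can only service a pending MokSBState change if MokManager.efi is
# installed beside it; a boot medium without it fails as in comment #17.
esp_check() {
    for name in shim.efi MokManager.efi; do
        [ -f "$1/$name" ] || { echo "missing: $name"; return 1; }
    done
    echo ok
}

# Stand-alone run against the live system (reading efivarfs needs root).
if [ "${1:-}" = "--live" ]; then
    sb_status /sys/firmware/efi/efivars
    moklist_state /sys/firmware/efi/efivars
    esp_check /boot/efi/EFI/opensuse
fi
```

Run it with --live as root to inspect the running machine; "shim validation disabled (MokSBState=1)" is the state that the thread clears with mokutil --enable-validation followed by the MokManager prompt on the next boot.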