https://bugzilla.suse.com/show_bug.cgi?id=1185441 Robert Simai changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|screening-team-bugs@suse.de |glin@suse.com -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c2 --- Comment #2 from Robert Simai --- Created attachment 848874 --> https://bugzilla.suse.com/attachment.cgi?id=848874&action=edit screen video of boot process -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1185441 Witek Bedyk changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |witold.bedyk@suse.com -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c4 Michael Chang changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |glin@suse.com Flags| |needinfo?(glin@suse.com) --- Comment #4 from Michael Chang --- I can reproduce the error. It appears that the secure boot validation has been disabled through MokManager, but shim still insist to enforce it and spew "system is compromised ..." when grub is told to skip shim_lock to honor the setting. The step to reproduce: (Secure Boot Standard Mode in firmware) 1. mokutil --disable-validation 2. reboot 3. Press Down and Enter in shim menu to *Change secure boot state* 4. Enter three password characters. 5. Press y and Enter to confirm *disabling* Secure Boot 6. Press any key to reboot system (reboot) 7. "Bootloader has not verified loaded image. System is compromised, halting" logged on screen when trying to boot linux kernel Also we can observe whether secure boot validation has been disabled via examining the MokSBStateRT variable. cd /sys/firmware/efi/efivars hexdump -C MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23 00000000 06 00 00 00 01 |.....| 00000005 "1" means secure boot validation disabled, in other words putting shim in "insecure" mode intentionally to allow booting unsigned image even if secure boot is enabled in firmware. It then looks like shim issue to me ... Gary did you have any idea ? Thanks. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1185441 Pavel Dost�l changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |pdostal@suse.com -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c6 --- Comment #6 from Michael Chang --- Reverting to old shim helps to get rid of the error for me. I could see 'Booting in insecure mode' logged on the screen before grub starts, and grub boots kernel without error. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c9 Gary Ching-Pang Lin changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(glin@suse.com) | --- Comment #9 from Gary Ching-Pang Lin --- Hmmm, there is a known bug in shim 15.4 that MokSBState wasn't handled properly. https://github.com/rhboot/shim/pull/362 -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c10 --- Comment #10 from Gary Ching-Pang Lin --- If the error is really caused by MokSBState, then it can be work around by reverting to old shim, executing "mokutil --enable-validation", rebooting the system, and then upgrading shim again. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c15 --- Comment #15 from Tiago Marques --- (In reply to Gary Ching-Pang Lin from comment #13)

(In reply to Tiago Marques from comment #12)

...

Hi,

I've been hit by this for some months now. Every Grub2 update, I get the same message as OP. Not sure which grub package is to blame and I'm using EFI and secure boot.

I've managed to (twice) solve the issue by booting a live USB, chrooting and then running 'shim-install'.

Not sure where the bug is or if this helps. I'm available to test other things out to help fix this.

Before upgrading "shim", could you try "mokutil --enable-validation" and reboot the system to clean up MokSBState?

Tried but the command is asking me for a password. I have no password set on the BIOS. Is this the expected behavior? -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c17 --- Comment #17 from Tiago Marques --- (In reply to Gary Ching-Pang Lin from comment #16)

(In reply to Tiago Marques from comment #15)

...

(In reply to Gary Ching-Pang Lin from comment #13)

...

(In reply to Tiago Marques from comment #12)

...

Hi,

I've been hit by this for some months now. Every Grub2 update, I get the same message as OP. Not sure which grub package is to blame and I'm using EFI and secure boot.

I've managed to (twice) solve the issue by booting a live USB, chrooting and then running 'shim-install'.

Not sure where the bug is or if this helps. I'm available to test other things out to help fix this.

Before upgrading "shim", could you try "mokutil --enable-validation" and reboot the system to clean up MokSBState?

Tried but the command is asking me for a password. I have no password set on the BIOS. Is this the expected behavior?

That's a password used to verify physical access when modifying MokSBState variable. During the next boot, MokManager will ask if you want to "Change Secure Boot state" and randomly ask 3 characters of the password you set. It's an one-time password and will be dropped after use.

After doing that, got an unbootable system with the the same "system is compromised message". Tried to restore the same way as before, but the OpenSUSE live USB was also unbootable w/ messages: --- Failed to open \EFI\BOOT\MokManager.efi - Not Found Failed to load image \EFI\BOOT\MokManager.efi: Not Found Failed to start MokManager: Not Found Something has gone seriously wrong: import_mok_state() failed : Not Found --- I managed to select an option to run "UEFI Application", manually select 'shim.efi' from the boot drive and get into the OS. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c20 --- Comment #20 from Gary Ching-Pang Lin --- (In reply to Michiel Janssens from comment #19)

Hi, since upgrading to shim 15.4 I had the same issue with Secureboot enabled in BIOS on Tumbleweed, so with message "system is compromised". To be able to boot I disabled Secureboot in BIOS. Today I upgraded TW to snapshot 20210520, with shim-15.4-3.1.x86_64, still the same issue when enabling Secureboot in BIOS, so disabled it again.

So I followed some of the steps in this report, didn't downgrade shim package.

1. mokutil --enable-validation (not disable) 2. reboot 3. Press Down and Enter in shim menu to *Change secure boot state* 4. Enter three password characters. 5. Press y and Enter 6. Press any key to reboot system (reboot) 7. system boots, Secureboot still disabled in BIOS. 8. Boot to Bios and enabled Secureboot again 9. System boots, without error

mokutil --sb-state gives SecureBoot enabled, so I guess it's fixed.

Thanks for verifying MokSBState and provide the workaround! -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c22 --- Comment #22 from Gary Ching-Pang Lin --- (In reply to Tiago Marques from comment #21)

(In reply to Gary Ching-Pang Lin from comment #18)

...

(In reply to Tiago Marques from comment #17)

...

(In reply to Gary Ching-Pang Lin from comment #16)

...

(In reply to Tiago Marques from comment #15)

...

(In reply to Gary Ching-Pang Lin from comment #13)

...

(In reply to Tiago Marques from comment #12) > Hi, > > I've been hit by this for some months now. Every Grub2 update, I get the > same message as OP. > Not sure which grub package is to blame and I'm using EFI and secure boot. > > I've managed to (twice) solve the issue by booting a live USB, chrooting and > then running 'shim-install'. > > Not sure where the bug is or if this helps. I'm available to test other > things out to help fix this.

Before upgrading "shim", could you try "mokutil --enable-validation" and reboot the system to clean up MokSBState?

Tried but the command is asking me for a password. I have no password set on the BIOS. Is this the expected behavior?

That's a password used to verify physical access when modifying MokSBState variable. During the next boot, MokManager will ask if you want to "Change Secure Boot state" and randomly ask 3 characters of the password you set. It's an one-time password and will be dropped after use.

After doing that, got an unbootable system with the the same "system is compromised message".

What's the version of shim in the system? Could you try

1) downgrade shim with the following rpm http://download.opensuse.org/update/leap/15.2/oss/x86_64/shim-15+git47-lp152. 4.6.1.x86_64.rpm

2) mokutil --enable-validation

3) reboot the system to clear MokSBState

4) upgrade shim to 15.4 again and reboot the system to see if the issue persists

...

Tried to restore the same way as before, but the OpenSUSE live USB was also unbootable w/ messages:

--- Failed to open \EFI\BOOT\MokManager.efi - Not Found Failed to load image \EFI\BOOT\MokManager.efi: Not Found Failed to start MokManager: Not Found Something has gone seriously wrong: import_mok_state() failed : Not Found ---

It seems the request for MokSBState wasn't handled, and MokManager.efi wasn't in Live USB so that shim cannot handle the request.

...

I managed to select an option to run "UEFI Application", manually select 'shim.efi' from the boot drive and get into the OS.

Tried this to no avail.

Also tried changing the SB state through the Shim management options but it fails with error "Failed to changed SB state".

Running shim through UEFI programs still works and "shim-install" then fixes the boot issue.

$ mokutil --list-enrolled MokListRT is empty

Could this be related?

The empty MokListRT sounds similar to bsc#1185528. It seems that shim failed to mirror the keys for some reason. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c28 --- Comment #28 from Swamp Workflow Management --- SUSE-RU-2021:2464-1: An update that has 8 recommended fixes can now be installed. Category: recommended (moderate) Bug References: 1185232,1185261,1185441,1185464,1185961,1187071,1187260,1187696 CVE References: JIRA References: Sources used: SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): shim-15.4-4.7.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c30 --- Comment #30 from Swamp Workflow Management --- SUSE-RU-2021:2465-1: An update that has 7 recommended fixes can now be installed. Category: recommended (moderate) Bug References: 1185232,1185261,1185441,1185621,1187071,1187260,1187696 CVE References: JIRA References: Sources used: SUSE MicroOS 5.0 (src): shim-15.4-3.29.1 SUSE Manager Server 4.0 (src): shim-15.4-3.29.1 SUSE Manager Retail Branch Server 4.0 (src): shim-15.4-3.29.1 SUSE Manager Proxy 4.0 (src): shim-15.4-3.29.1 SUSE Linux Enterprise Server for SAP 15-SP1 (src): shim-15.4-3.29.1 SUSE Linux Enterprise Server 15-SP1-LTSS (src): shim-15.4-3.29.1 SUSE Linux Enterprise Server 15-SP1-BCL (src): shim-15.4-3.29.1 SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): shim-15.4-3.29.1 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): shim-15.4-3.29.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): shim-15.4-3.29.1 SUSE Enterprise Storage 6 (src): shim-15.4-3.29.1 SUSE CaaS Platform 4.0 (src): shim-15.4-3.29.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c32 --- Comment #32 from Swamp Workflow Management --- SUSE-RU-2021:2594-1: An update that has 9 recommended fixes can now be installed. Category: recommended (moderate) Bug References: 1185232,1185261,1185441,1185464,1185621,1185961,1187071,1187260,1187696 CVE References: JIRA References: Sources used: SUSE OpenStack Cloud Crowbar 9 (src): shim-15.4-25.21.1 SUSE OpenStack Cloud Crowbar 8 (src): shim-15.4-25.21.1 SUSE OpenStack Cloud 9 (src): shim-15.4-25.21.1 SUSE OpenStack Cloud 8 (src): shim-15.4-25.21.1 SUSE Linux Enterprise Server for SAP 12-SP4 (src): shim-15.4-25.21.1 SUSE Linux Enterprise Server for SAP 12-SP3 (src): shim-15.4-25.21.1 SUSE Linux Enterprise Server 12-SP5 (src): shim-15.4-25.21.1 SUSE Linux Enterprise Server 12-SP4-LTSS (src): shim-15.4-25.21.1 SUSE Linux Enterprise Server 12-SP3-LTSS (src): shim-15.4-25.21.1 SUSE Linux Enterprise Server 12-SP3-BCL (src): shim-15.4-25.21.1 HPE Helion Openstack 8 (src): shim-15.4-25.21.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c36 --- Comment #36 from Swamp Workflow Management --- SUSE-RU-2021:3224-1: An update that has 12 recommended fixes can now be installed. Category: recommended (moderate) Bug References: 1177315,1177789,1182057,1184454,1185232,1185261,1185441,1185464,1185621,1185961,1187260,1187696 CVE References: JIRA References: Sources used: SUSE MicroOS 5.0 (src): shim-15.4-3.32.1 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): shim-susesigned-15.4-3.10.1 SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): shim-15.4-3.32.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c38 --- Comment #38 from Maintenance Automation --- SUSE-SU-2023:1702-1: An update that solves one vulnerability, contains two features and has 10 fixes can now be installed. Category: security (important) Bug References: 1185232, 1185261, 1185441, 1185621, 1187071, 1187260, 1193282, 1198458, 1201066, 1202120, 1205588 CVE References: CVE-2022-28737 Jira References: PED-127, PED-1273 Sources used: openSUSE Leap Micro 5.3 (src): shim-15.7-150300.4.11.1 openSUSE Leap 15.4 (src): shim-15.7-150300.4.11.1 SUSE Linux Enterprise Micro for Rancher 5.3 (src): shim-15.7-150300.4.11.1 SUSE Linux Enterprise Micro 5.3 (src): shim-15.7-150300.4.11.1 SUSE Linux Enterprise Micro for Rancher 5.4 (src): shim-15.7-150300.4.11.1 SUSE Linux Enterprise Micro 5.4 (src): shim-15.7-150300.4.11.1 Basesystem Module 15-SP4 (src): shim-15.7-150300.4.11.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): shim-15.7-150300.4.11.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): shim-15.7-150300.4.11.1 SUSE Linux Enterprise Real Time 15 SP3 (src): shim-15.7-150300.4.11.1 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): shim-15.7-150300.4.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): shim-15.7-150300.4.11.1 SUSE Manager Proxy 4.2 (src): shim-15.7-150300.4.11.1 SUSE Manager Retail Branch Server 4.2 (src): shim-15.7-150300.4.11.1 SUSE Manager Server 4.2 (src): shim-15.7-150300.4.11.1 SUSE Enterprise Storage 7.1 (src): shim-15.7-150300.4.11.1 SUSE Linux Enterprise Micro 5.1 (src): shim-15.7-150300.4.11.1 SUSE Linux Enterprise Micro 5.2 (src): shim-15.7-150300.4.11.1 SUSE Linux Enterprise Micro for Rancher 5.2 (src): shim-15.7-150300.4.11.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. -- You are receiving this mail because: You are on the CC list for the bug.