[Bug 1185232] something has gone seriously wrong: shim_init() - system does not boot anymore after installing today's updates
https://bugzilla.suse.com/show_bug.cgi?id=1185232
https://bugzilla.suse.com/show_bug.cgi?id=1185232#c57
--- Comment #57 from Gary Ching-Pang Lin
(In reply to Gary Ching-Pang Lin from comment #54)
Did you copy grub.efi to the debug folder? I expected shim failed early as comment#0 so the steps doesn't copy grub.efi to the debug folder. If you did, it's understandable because Leap 15.3 uses grub.efi from SLE15-SP3 directly, so shim-opensuse.efi couldn't verify it with the built-in openSUSE CA.
Anyway it seems your case is different from comment#0.
I did it strictly as in your tutorial:
1. Create a directory for the debug shim and copy grub.efi to that directoy: # cd /boot/efi/EFI # mkdir debug # cp opensuse/grub.efi debug
Oops, my bad. Anyway, the error message is caused by the change of signkey for grub.efi, so that's expected.
rene@localhost:~> ls -l /boot/efi/EFI/debug/ total 2112 -rwxr-xr-x 1 root root 1222656 Jun 1 15:05 grub.efi -rwxr-xr-x 1 root root 930824 Jun 1 15:09 shim.efi
localhost:~ # md5sum /boot/efi/EFI/debug/* 0daa63c6a804524716fbcd4e7bf407d4 /boot/efi/EFI/debug/grub.efi 1cf53f72d15b402924e0d7df884812f7 /boot/efi/EFI/debug/shim.efi
localhost:~ # md5sum /boot/efi/EFI/opensuse/* 93d0a39fa28ce160d08da037bd45f083 /boot/efi/EFI/opensuse/MokManager.efi 1191fbb59492fedea2776dab6f7c8343 /boot/efi/EFI/opensuse/boot.csv 91bd139eb985983650ab808809ea9656 /boot/efi/EFI/opensuse/grub.cfg 0daa63c6a804524716fbcd4e7bf407d4 /boot/efi/EFI/opensuse/grub.efi d6bfdc568c32902c7405b163c86b38d0 /boot/efi/EFI/opensuse/grubx64.efi 8a1f940a8662d67482fe9f6327925f59 /boot/efi/EFI/opensuse/shim.efi
... You can check the system status with the following commands:
# hexdump -C /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c # hexdump -C /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
For a Secure Boot enabled UEFI firmware, SetupMode should be "06 00 00 00 00" and SecureBoot should be "06 00 00 00 01".
localhost:~ # hexdump -C /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c 00000000 06 00 00 00 01 |.....| 00000005 localhost:~ # hexdump -C /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c 00000000 06 00 00 00 00 |.....| 00000005
Hmmmm, so your firmware actually doesn't enable Secure Boot.
localhost:~ # grep -i secure /etc/sysconfig/bootloader # Enable UEFI Secure Boot support # This setting is only relevant to UEFI which supports Secure Boot. It won't SECURE_BOOT="yes" This just makes yast to install shim to support Secure Boot. The real status of SB is controlled by the firmware.
-- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@suse.com