[Bug 805836] New: SHIM boot loader not installed when UEFI in secure boot mode
https://bugzilla.novell.com/show_bug.cgi?id=805836 https://bugzilla.novell.com/show_bug.cgi?id=805836#c0 Summary: SHIM boot loader not installed when UEFI in secure boot mode Classification: openSUSE Product: openSUSE 12.3 Version: RC 1 Platform: x86-64 OS/Version: Other Status: NEW Severity: Critical Priority: P5 - None Component: YaST2 AssignedTo: snwint@suse.com ReportedBy: aplanas@novell.com QAContact: jsrain@suse.com Found By: --- Blocker: --- Alberto Planas Dominguez <aplanas@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Flag| |SHIP_STOPPER? Created an attachment (id=526562) --> (http://bugzilla.novell.com/attachment.cgi?id=526562) y2logs We installed yast2-bootloader 2.23.11 from YaST:Head in a secure boot enabled machine to fix up the boot loader. After selecting the option to enable secure boot yast2 bootloader did not install shim though. It only showed an error saying it cant execute /usr/sbin/grub2-set-default which was actually there. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=805836 https://bugzilla.novell.com/show_bug.cgi?id=805836#c1 Michael Chang <mchang@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED CC| |mchang@suse.com --- Comment #1 from Michael Chang <mchang@suse.com> 2013-02-26 04:46:32 UTC --- This is the problem ... 3140 2013-02-25 11:57:12 <3> linux.site(2502) [Interpreter] bootloader/routines/lib_iface.ycp:289 Perl wanted to die: Can't locate object me thod "SetSecureBoot" via package "Bootloader::Library" at /usr/share/YaST2/modules/Bootloader_API.pm line 69. You need updated perl-Bootloader for secure boot as well, could you make sure that .. ? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=805836 https://bugzilla.novell.com/show_bug.cgi?id=805836#c Michael Chang <mchang@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |NEEDINFO InfoProvider| |aplanas@novell.com -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=805836 https://bugzilla.novell.com/show_bug.cgi?id=805836#c Steffen Winterfeldt <snwint@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|snwint@suse.com |mchang@suse.com -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=805836 https://bugzilla.novell.com/show_bug.cgi?id=805836#c2 --- Comment #2 from Michael Chang <mchang@suse.com> 2013-02-26 08:22:28 UTC --- I'm testing driver update disk with yast and perl bootloader from this repo http://download.opensuse.org/repositories/YaST:/Head/openSUSE_12.3/ The hardware is Intel Tunnel Mountain UEFI developer platform with secure boot turn on via enrolling microsoft keys. The net install boots nicely on it and the installation is in progress, please stay tuned and wait my update. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=805836 https://bugzilla.novell.com/show_bug.cgi?id=805836#c3 --- Comment #3 from Michael Chang <mchang@suse.com> 2013-02-26 08:41:18 UTC --- Created an attachment (id=526810) --> (http://bugzilla.novell.com/attachment.cgi?id=526810) 12.3 DUD with testing secure boot -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=805836 https://bugzilla.novell.com/show_bug.cgi?id=805836#c4 --- Comment #4 from Michael Chang <mchang@suse.com> 2013-02-26 08:47:08 UTC --- Hi Alberto, I can finish the secure boot installation with above DUD. Two entries were added to UEFI boot manager opensuse opensuse-secureboot Verified that opensuse entry cannot boot in secure boot enabled and opensuse-secureboot did. Your team-mate Max is my witness (He is watching me closely at work) Please help to confirm the issue on your side, thanks. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=805836 https://bugzilla.novell.com/show_bug.cgi?id=805836#c5 --- Comment #5 from Alberto Planas Dominguez <aplanas@novell.com> 2013-02-26 13:40:06 UTC --- Created an attachment (id=526995) --> (http://bugzilla.novell.com/attachment.cgi?id=526995) y2log -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=805836 https://bugzilla.novell.com/show_bug.cgi?id=805836#c6 Alberto Planas Dominguez <aplanas@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |ASSIGNED InfoProvider|aplanas@novell.com | --- Comment #6 from Alberto Planas Dominguez <aplanas@novell.com> 2013-02-26 13:44:23 UTC --- We are really close. I installed openSUSE-12.3-NET-x86_64-Build0091-Media.iso with the DUD of #3 and yast2-storage 2.23.6 (using the linuxrc dud feature). The Lenovo X230 is in secure boot mode only, but create only 'opensuse' entry during the installation process. Using GRUB I can't see the shin.efi file in the efi/opensuse directory. If I remove the secure boot option, boot using opensuse entry, and use yast-bootloader to configure the bootloader as a secure boot, now I can see the shim.efi file and the opensuse-secureboot entry. If I configure the BIOS again as a secure boot, I can use opensuse-secureboot to boot the machine, witch is really great. The log for the full process is in #5. A caution here, the Boot001A was created when I called yast-bootloader and set the secure boot option manually. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=805836 https://bugzilla.novell.com/show_bug.cgi?id=805836#c7 --- Comment #7 from Alberto Planas Dominguez <aplanas@novell.com> 2013-02-26 15:32:36 UTC --- Max Lin tells me that there is an option during the installation process: Enable Segure Boot Support in the Boot Loader Settings. This works perfectly. I guest that in GA, enable this option automatically when secure boot is enabled in the firmware is a good idea. But in either case, looks like that secure boot is working in openSUSE 12.3 Net installation!! -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=805836 https://bugzilla.novell.com/show_bug.cgi?id=805836#c8 --- Comment #8 from Michael Chang <mchang@suse.com> 2013-02-27 07:22:19 UTC --- (In reply to comment #7)
Max Lin tells me that there is an option during the installation process: Enable Segure Boot Support in the Boot Loader Settings. This works perfectly.
Good to know that it works on your side as well.
I guest that in GA, enable this option automatically when secure boot is enabled in the firmware is a good idea.
Yeah we can have that done for users automatically via checking the uefi variables. But since this version is rudimentary I didn't introduce all features. We can deliver it by updating yast and more test (stable) ..
But in either case, looks like that secure boot is working in openSUSE 12.3 Net installation!!
Quite interested in grub2 dual boot with windows 8 works or not with secureboot enabled ?? Thanks. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=805836 https://bugzilla.novell.com/show_bug.cgi?id=805836#c9 --- Comment #9 from Ludwig Nussel <lnussel@suse.com> 2013-02-27 09:15:48 CET --- (In reply to comment #8)
(In reply to comment #7)
I guest that in GA, enable this option automatically when secure boot is enabled in the firmware is a good idea.
Yeah we can have that done for users automatically via checking the uefi variables. But since this version is rudimentary I didn't introduce all features. We can deliver it by updating yast and more test (stable) ..
What is your estimation of how long it takes you to implement that? For openSUSE we don't have more time to test unfortunately. Gold master is next week so any changes needed in the installation workflow have to be submitted this week. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=805836 https://bugzilla.novell.com/show_bug.cgi?id=805836#c10 --- Comment #10 from Alberto Planas Dominguez <aplanas@novell.com> 2013-02-27 08:44:08 UTC ---
But in either case, looks like that secure boot is working in openSUSE 12.3 Net installation!!
Quite interested in grub2 dual boot with windows 8 works or not with secureboot enabled ??
You are right. I'll test it today. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=805836 https://bugzilla.novell.com/show_bug.cgi?id=805836#c11 --- Comment #11 from Michael Chang <mchang@suse.com> 2013-02-27 09:16:44 UTC --- (In reply to comment #9)
(In reply to comment #8)
(In reply to comment #7)
I guest that in GA, enable this option automatically when secure boot is enabled in the firmware is a good idea.
Yeah we can have that done for users automatically via checking the uefi variables. But since this version is rudimentary I didn't introduce all features. We can deliver it by updating yast and more test (stable) ..
What is your estimation of how long it takes you to implement that? For openSUSE we don't have more time to test unfortunately. Gold master is next week so any changes needed in the installation workflow have to be submitted this week.
This week is not possible as we have national holiday (in Taiwan) and I'll take day off at Friday. (One day is enough to implement if things all went smoothly):( I personally consider that feature not really critical, people can easily turn the secureboot on during the installation. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=805836 https://bugzilla.novell.com/show_bug.cgi?id=805836#c12 --- Comment #12 from Alberto Planas Dominguez <aplanas@novell.com> 2013-02-27 13:56:39 UTC --- With Widnows 8 64 bits and secure boot the process work correctly using the DVD (not live) installation. The resize was correct and the opensuse entries are created too. I think that is a good idea to close this bug as resolved, and create a new one for the one that expect a different behavior from the installer (mark Enable Secure Boot when the system is in secure boot mode) Good work : ) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=805836 https://bugzilla.novell.com/show_bug.cgi?id=805836#c13 Stephan Kulow <coolo@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |FIXED --- Comment #13 from Stephan Kulow <coolo@suse.com> 2013-03-01 11:39:05 CET --- this bug is no longer true, so RESOLVED this. With the current state I would even release, but it would be good to have the remaining problem fixed too -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@novell.com