[Bug 1191480] New: Kernel:stable kernel 5.14.10-2.1.g2878fd1 cannot boot due to "bad shim signature"
https://bugzilla.suse.com/show_bug.cgi?id=1191480

Bug ID: 1191480
Summary: Kernel:stable kernel 5.14.10-2.1.g2878fd1 cannot boot due to "bad shim signature"
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: x86-64
OS: openSUSE Tumbleweed
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Kernel
Assignee: kernel-bugs@opensuse.org
Reporter: yan.huang@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

On openSUSE Tumbleweed 20211005 (with shim 15.4-4.2 and Secure Boot enabled), booting the newest Kernel:stable kernel 5.14.10-2.1.g2878fd1 leads to:

Loading Linux kernel-default-5.14.10-2.g2878fd1-default ...
error: ../../grub-core/kern/efi/sb.c:150:bad shim signature.
Loading initial ramdisk ...
error: ../../grub-core/loader/i386/efi/linux.c.98:you need to load the kernel first.

Press any key to continue..._

The previous Kernel:stable kernel 5.14.9-2.1.gd0ace7f did not have this issue.
The issue seems to be similar to the previous boo#1188142 (Kernel 5.13.1 does not boot due to bad shim signature).

-- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c1
--- Comment #1 from Frank Krüger
Confirmed with TW20201005, shim-15.4-4.2.x86_64 and kernel-default-5.14.10-2.1.g2878fd1.x86_64 from kernel:stable.
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c2
--- Comment #2 from Michal Suchanek
/tmp/cert
sbverify --cert /tmp/cert ~/Downloads/kernel-default-5.14.10-2.1.g2878fd1.x86_64/usr/lib/modules/5.14.10-2.g2878fd1-default/vmlinuz
Signature verification OK
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c3
--- Comment #3 from Yan Huang
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c4
--- Comment #4 from Michal Suchanek
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c5
--- Comment #5 from Jiri Slaby
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c6
--- Comment #6 from Yan Huang
# mokutil --sb-state
SecureBoot enabled
# uname -r
5.14.9-2.gd0ace7f-default
# dmesg | grep -i secure
[ 0.009083] Secure boot enabled
[ 1.461959] integrity: Loaded X.509 cert 'openSUSE Secure Boot CA: 6842600de22c4c477e95be23dfea9513e5971762'
[ 1.463127] integrity: Loaded X.509 cert 'openSUSE Secure Boot Signkey: 0332fa9cbf0d88bf21924b0de82a09a54d5defc8'
[ 6.485674] Bluetooth: hci0: Secure boot is enabled

~~~~~~~~~
The mentioned certificate 6A4E915C.crt has been available only since the kernel 5.14.10-2.1.g2878fd1:

# rpm -q --whatprovides /etc/uefi/certs/6A4E915C.crt
kernel-default-5.14.10-2.1.g2878fd1.x86_64
kernel-default-5.14.11-1.1.g834dddd.x86_64

More information about 6A4E915C.crt:

# openssl x509 --inform DER --outform PEM --in /etc/uefi/certs/6A4E915C.crt > /tmp/6A4E915C.crt-pem
# openssl x509 -in /tmp/6A4E915C.crt-pem -text | grep -e Before -e After
Not Before: Oct 5 16:48:55 2021 GMT
Not After : Dec 14 16:48:55 2023 GMT

~~~~~~~~~
The previous, known-to-be-working kernel 5.14.9-2.1.gd0ace7f provided a different certificate 1AA60533.crt:

# rpm -q --whatprovides /etc/uefi/certs/1AA60533.crt
kernel-default-5.14.9-2.1.gd0ace7f.x86_64

More information about 1AA60533.crt:

# openssl x509 --inform DER --outform PEM --in /etc/uefi/certs/1AA60533.crt > /tmp/1AA60533.crt-pem
# openssl x509 -in /tmp/1AA60533.crt-pem -text | grep -e Before -e After
Not Before: Aug 11 16:46:49 2019 GMT
Not After : Oct 19 16:46:49 2021 GMT

~~~~~~~~~
I tried to enroll the new certificate 6A4E915C.crt:

# mokutil --import /etc/uefi/certs/6A4E915C.crt
Already in kernel trusted keyring. Skip /etc/uefi/certs/6A4E915C.crt

However, 6A4E915C.crt is still not seen in "mokutil --list-enrolled" (judging by the certificates' validity) - I attached the output.
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c7
--- Comment #7 from Michal Suchanek
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c8
--- Comment #8 from Michal Suchanek
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c9
--- Comment #9 from Yan Huang
> Also you might need --ignore-keyring option
Thanks a lot, Michal. The "--ignore-keyring" option worked:
# mokutil --import /etc/uefi/certs/6A4E915C.crt --ignore-keyring
input password:
input password again:

After reboot, the new certificate 6A4E915C.crt is enrolled (also seen in the attached "mokutil --list-enrolled" output) and the newest Kernel:stable kernel 5.14.11-1.1.g834dddd successfully booted with Secure Boot enabled.
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c10
--- Comment #10 from Frank Krüger
> It will be enrolled only after reboot.

> Thanks for verification.

> There is a problem with enrolling certificates ATM which should be resolved in some weeks.

> The released tumbleweed kernels should not be affected but the situation is different for the development snapshots.
JFYI: "sudo mokutil --import /etc/uefi/certs/6A4E915C.crt --ignore-keyring" works also for me after a reboot. Apart from this workaround, which kind of solution is in sight?

https://bugzilla.suse.com/show_bug.cgi?id=1191480#c11
--- Comment #11 from Stephan Hemeier
Already in kernel trusted keyring. Skip /etc/uefi/certs/F2B7BCC9.crt
And not shown in mokutil...... Now after restart, I could enroll the key and all is working.

PS: I branch the kernel:stable:backport in my repo so I have another key.

https://bugzilla.suse.com/show_bug.cgi?id=1191480#c12
--- Comment #12 from Michal Suchanek

https://bugzilla.suse.com/show_bug.cgi?id=1191480#c13
--- Comment #13 from Joey Lee
> The key should be enrolled automagically but the --ignore-keyring option is not used.

> If it's now needed to successfully enroll the key it needs to be added in the scripts.

I prefer to keep the logic for checking the keyring (the --ignore-keyring option can disable it) but not add it to the scripts. This mokutil function was added to prevent the NVRAM space from being wasted. When a shim and kernel are produced by the same project, the shim has an openSUSE CA embedded so that it can verify the kernel signed by the openSUSE signkey. And the kernel has the openSUSE signkey embedded. So we don't need to enroll the openSUSE signkey to MOK. It saves the limited NVRAM space of the firmware.

About this issue, the user installed a kernel signed by another project (Kernel OBS Project/emailAddress=Kernel@build.opensuse.org, in this case). So shim's embedded CA can not verify the non-openSUSE-signed kernel. And mokutil checks that the signkey is in the kernel keyring because it is embedded by the kernel. So the key can not be auto-enrolled.
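The decision described in comment #13 involves three separate trust stores (the CA compiled into shim, the MokList in firmware NVRAM, and the kernel's own built-in keyring), and the "Already in kernel trusted keyring" check is a heuristic that assumes the first and third come from the same project. The following Python model is an added example for this thread, not code from mokutil, shim or the openSUSE packaging scripts; the fingerprints, certificate names and the `run_scenario` helper are constructed for illustration. It walks both cases from the report, a distro kernel and a Kernel:stable kernel signed by a separate project key, with and without `--ignore-keyring`, and shows why the heuristic saves NVRAM in the first case and blocks boot in the second.

```python
"""Model of MOK auto-enrollment vs. shim verification (added example,
not mokutil/shim code). All fingerprints below are constructed values."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed fingerprints; not real openSUSE or Kernel OBS values.
OPENSUSE_CA = "ca:opensuse-secure-boot-ca"
OPENSUSE_SIGNKEY = "key:opensuse-secure-boot-signkey"
KERNEL_OBS_SIGNKEY = "key:kernel-obs-project"   # self-issued project key


@dataclass(frozen=True)
class Cert:
    """A signing certificate identified by a (constructed) fingerprint."""
    name: str
    fingerprint: str
    issuer: str  # fingerprint of the issuing CA; equals fingerprint if self-signed


@dataclass
class BootEnv:
    """The three trust stores involved in the enrollment decision."""
    shim_embedded: set[str]                                  # CA compiled into shim
    mok_list: set[str] = field(default_factory=set)          # MokList in NVRAM
    mok_pending: set[str] = field(default_factory=set)       # queued, applied at next boot
    kernel_keyring: set[str] = field(default_factory=set)    # kernel's builtin trusted keys


def shim_verifies(env: BootEnv, signer: Cert) -> bool:
    """shim accepts the image if the signer, or the CA that issued it, is in
    shim's embedded store or in MokList; otherwise GRUB reports the
    'bad shim signature' error seen in the report."""
    trusted = env.shim_embedded | env.mok_list
    return signer.fingerprint in trusted or signer.issuer in trusted


def mokutil_import(env: BootEnv, cert: Cert, ignore_keyring: bool = False) -> str:
    """Model of the --import decision described in comment #13: a cert that is
    already in the kernel keyring is skipped to avoid wasting NVRAM, unless
    --ignore-keyring is given. Note that the kernel keyring is consulted, not
    what shim can actually verify."""
    if cert.fingerprint in env.mok_list:
        return "already enrolled"
    if not ignore_keyring and cert.fingerprint in env.kernel_keyring:
        return "Already in kernel trusted keyring. Skip"
    env.mok_pending.add(cert.fingerprint)   # MokManager enrolls it on the next boot
    return "queued for enrollment at next boot"


def reboot(env: BootEnv) -> None:
    """MokManager moves queued certificates into MokList during the next boot."""
    env.mok_list |= env.mok_pending
    env.mok_pending.clear()


def run_scenario(kernel_signer: Cert, ignore_keyring: bool) -> dict:
    """Fresh machine with an openSUSE shim. The kernel package embeds its own
    signing key in the kernel keyring, as the dmesg lines in comment #6 show."""
    env = BootEnv(shim_embedded={OPENSUSE_CA},
                  kernel_keyring={kernel_signer.fingerprint})
    boots_initially = shim_verifies(env, kernel_signer)
    message = mokutil_import(env, kernel_signer, ignore_keyring)
    reboot(env)
    return {
        "boots_initially": boots_initially,
        "mokutil": message,
        "boots_after_reboot": shim_verifies(env, kernel_signer),
        "nvram_entries": len(env.mok_list),
    }


# Distro kernel: signkey issued by the CA that shim carries.
OPENSUSE_KERNEL = Cert("openSUSE Secure Boot Signkey", OPENSUSE_SIGNKEY, issuer=OPENSUSE_CA)
# Kernel:stable kernel: signed by a separate project key that shim does not know.
OBS_PROJECT_KERNEL = Cert("Kernel OBS Project key", KERNEL_OBS_SIGNKEY, issuer=KERNEL_OBS_SIGNKEY)

if __name__ == "__main__":
    for signer in (OPENSUSE_KERNEL, OBS_PROJECT_KERNEL):
        for flag in (False, True):
            print(f"{signer.name:30} ignore_keyring={flag!s:5} {run_scenario(signer, flag)}")
```

Run as a script, the four rows show the trade-off the thread is about: for the distro kernel the skip is correct (it boots either way and the skip keeps MokList empty); for the project-signed kernel the skip leaves the machine unbootable after the reboot, and only `--ignore-keyring` gets the key into MokList. A more robust check would ask whether the signer chains to something shim trusts rather than whether it is present in the kernel keyring.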
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c14
--- Comment #14 from Michal Suchanek
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c25
--- Comment #25 from Swamp Workflow Management
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c26
--- Comment #26 from Swamp Workflow Management
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c27
--- Comment #27 from Swamp Workflow Management
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c28
--- Comment #28 from Swamp Workflow Management
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c32
--- Comment #32 from Michal Suchanek
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c35
--- Comment #35 from Swamp Workflow Management
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c36
--- Comment #36 from Swamp Workflow Management
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c37
--- Comment #37 from Swamp Workflow Management
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c38
--- Comment #38 from Swamp Workflow Management