[Bug 990650] New: shim.efi with two signatures does not boot with SecureBoot enabled on recent ASUS laptop.
http://bugzilla.opensuse.org/show_bug.cgi?id=990650

Bug ID: 990650
Summary: shim.efi with two signatures does not boot with SecureBoot enabled on recent ASUS laptop.
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: x86-64
OS: SUSE Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Bootloader
Assignee: jsrain@suse.com
Reporter: bpesavento@infinito.it
QA Contact: jsrain@suse.com
Found By: ---
Blocker: ---

Created attachment 685586 --> http://bugzilla.opensuse.org/attachment.cgi?id=685586&action=edit
DMI decode for ASUS N551JW

Testing Leap 42.2 Alpha3 on ASUS N551JW, I had to install with SecureBoot disabled. The installed system didn't boot with SecureBoot enabled until I stripped the second signature from shim.efi according to the procedure outlined in https://en.opensuse.org/openSUSE:UEFI

This is mainly to document that a recent firmware from a major manufacturer still has the "single signature" restriction, contrary to common belief (see attached DMI decode). Personally, I can live without SecureBoot.

The same problem affects Leap 42.1 (current shim.efi are the same AFAIK).

Further info here: https://forums.opensuse.org/showthread.php/519105-Unable-to-test-Leap-42-2-A...

--
You are receiving this mail because:
You are on the CC list for the bug.
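As an added example (not part of the bug report or the openSUSE wiki procedure), a small Python check that counts the Authenticode signatures embedded in a PE/EFI binary such as shim.efi, so you can tell whether a given shim carries one signature or two before trying it on firmware like the one reported here. The build_test_image helper and its dummy certificate bytes are constructed here for testing only; they are not a real signed image.

```python
import struct

SECURITY_DIR_INDEX = 4          # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

def count_authenticode_signatures(pe: bytes) -> int:
    """Count WIN_CERTIFICATE entries in the PE security directory.
    Each embedded Authenticode signature is one entry, so a dual-signed
    shim.efi (Microsoft + openSUSE) returns 2 and a stripped one returns 1."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 4 + 20                     # optional header follows COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ data directories
    # The security directory holds a raw file offset, not an RVA.
    sec_off, sec_size = struct.unpack_from("<II", pe, dd_off + 8 * SECURITY_DIR_INDEX)
    count, pos, end = 0, sec_off, sec_off + sec_size
    while pos + 8 <= end:
        length, _rev, ctype = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or ctype != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            raise ValueError(f"malformed certificate entry at offset {pos:#x}")
        count += 1
        pos += (length + 7) & ~7                # entries are 8-byte aligned
    return count

def build_test_image(n_sigs: int) -> bytes:
    """Constructed PE32+ skeleton with n_sigs dummy certificate entries.
    Only the headers the parser reads are filled in; this is not a real image."""
    e_lfanew, opt_len = 0x40, 112 + 16 * 8      # fixed PE32+ part + 16 directories
    cert_off = e_lfanew + 4 + 20 + opt_len
    certs = b""
    for i in range(n_sigs):
        body = bytes([i + 1]) * 13              # odd length exercises the padding
        certs += struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
        certs += b"\0" * (-len(certs) % 8)
    dirs = [(0, 0)] * 16
    dirs[SECURITY_DIR_INDEX] = (cert_off, len(certs))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_len, 0x0022)
    opt = struct.pack("<H", 0x20B) + b"\0" * 110
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    return dos + b"PE\0\0" + coff + opt + certs

if __name__ == "__main__":
    import sys
    print(count_authenticode_signatures(open(sys.argv[1], "rb").read()))
```

Run it as `python3 count_sigs.py /boot/efi/EFI/opensuse/shim.efi`; a result of 2 is the dual-signed binary this firmware rejects, 1 is the stripped variant.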
http://bugzilla.opensuse.org/show_bug.cgi?id=990650#c1

Andrei Borzenkov <arvidjaar@gmail.com> changed:
CC: added arvidjaar@gmail.com

--- Comment #1 from Andrei Borzenkov <arvidjaar@gmail.com> ---
What is the reason to add the SUSE signature to shim? If someone rebuilds the system with only the SUSE key (removing Microsoft), can the user also use the provided signed grub.efi directly, without shim?
Neil Rickert <nwr10cst-oslnx@yahoo.com> changed:
CC: added nwr10cst-oslnx@yahoo.com
Ludwig Nussel <lnussel@suse.com> changed:
CC: added lnussel@suse.com
http://bugzilla.opensuse.org/show_bug.cgi?id=990650#c3

--- Comment #3 from Bruno Pesavento <bpesavento@infinito.it> ---
Just for the record, the actual BIOS screen reads "AMI Aptio setup utility 2.15.1236 ©2012", so maybe the BIOS core has not really been updated since 2012, even if the ASUS FW was updated in April 2016?
http://bugzilla.opensuse.org/show_bug.cgi?id=990650#c6

--- Comment #6 from Bruno Pesavento <bpesavento@infinito.it> ---
(In reply to Gary Ching-Pang Lin from comment #5)
> Hi Bruno,
> I probably couldn't do anything to the firmware in this case and would like to close this bug as WONTFIX.
> You could drop ASUS a mail and point them to this edk2 commit: https://github.com/tianocore/edk2/commit/6de4c35f99f05f1d956538852c1cf003883043fd
> Hope they didn't miss any security fixes in recent years...

That's OK with me, but maybe an optional shim_stripped.efi with only one signature could be included, as there was on OS 12.x IIRC, so that copying it to /boot/efi is easier than having to strip the openSUSE signature beforehand.
http://bugzilla.opensuse.org/show_bug.cgi?id=990650#c7

--- Comment #7 from Bruno Pesavento <bpesavento@infinito.it> ---
Contacted Support at ASUS Global, pointing to the above commit and to this bug report. I will post here any useful reply.