http://bugzilla.opensuse.org/show_bug.cgi?id=950569 http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c4 Achim Gratz changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |Stromeko@NexGo.DE --- Comment #4 from Achim Gratz --- I am having the same problems on a Dell T20 (both with BIOS version A05 and A06). The previous boot entry grub-secureboot works without problems. I have not tried non-secure boot yet since that requires changing some more settings in the BIOS.

ll /boot/efi/EFI/* /boot/efi/EFI/boot: total 1204 -rwxrwxr-x 1 root root 1157056 15. Okt 22:29 bootx64.efi -rwxrwxr-x 1 root root 71672 15. Okt 22:29 fallback.efi

/boot/efi/EFI/grub: total 3456 -rwxrwxr-x 1 root root 50 8. Okt 22:29 boot.csv -rwxrwxr-x 1 root root 155 8. Okt 22:29 grub.cfg -rwxrwxr-x 1 root root 965472 8. Okt 22:29 grub.efi -rwxrwxr-x 1 root root 1276328 8. Okt 22:29 MokManager.efi -rwxrwxr-x 1 root root 1286112 8. Okt 22:29 shim.efi /boot/efi/EFI/opensuse: total 3416 -rwxrwxr-x 1 root root 58 15. Okt 22:29 boot.csv -rwxrwxr-x 1 root root 155 15. Okt 22:29 grub.cfg -rwxrwxr-x 1 root root 965472 15. Okt 22:29 grub.efi -rwxrwxr-x 1 root root 200704 15. Okt 22:29 grubx64.efi -rwxrwxr-x 1 root root 1161312 15. Okt 22:29 MokManager.efi -rwxrwxr-x 1 root root 1157056 15. Okt 22:29 shim.efi

cat /boot/efi/EFI/grub/boot.csv shim.efi,grub-secureboot

cat /boot/efi/EFI/opensuse/boot.csv shim.efi,opensuse-secureboot

efibootmgr -v BootCurrent: 0001 Timeout: 0 seconds BootOrder: 0000,0001,0008,0009,000A Boot0000 opensuse-secureboot HD(1,GPT,12345678-9abc-def0-1234-56789abcdef0,0x800,0x4e000)/File(\EFI\opensuse\shim.efi) Boot0001* grub-secureboot HD(1,GPT,12345678-9abc-def0-1234-56789abcdef0,0x800,0x4e000)/File(\EFI\grub\shim.efi) Boot0008* Onboard NIC(IPV4) PciRoot(0x0)/Pci(0x19,0x0)/MAC(0123456789ab,0)/IPv4(0.0.0.0:0<->0.0.0.0:0,0,0)AMBO Boot0009* Onboard NIC(IPV6) PciRoot(0x0)/Pci(0x19,0x0)/MAC(0123456789ab,0)/IPv6([::]:<->[::]:,0,0)AMBO Boot000A* UEFI: Crucial_CT1024M550SSD1 PciRoot(0x0)/Pci(0x1f,0x2)/Sata(4,32768,0)/HD(1,GPT,12345678-9abc-def0-1234-56789abcdef0,0x800,0x4e000)AMBO

The symptoms are as described in the other reports: the screen goes blank and nothing happens. I can Ctrl-Alt-Del most of the time to get another reboot, but if I pre Enter or do anything else on the keyboard (based on the assumption that I just don't see anything on the screen) I'll have to switch off. The grub.cfg is identical for both versions. The only other notable difference is the presence of a grubx64.efi, but I don't think it's even used. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=950569 http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c6 patrick shanahan changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |paka@wahoo.no-ip.org --- Comment #6 from patrick shanahan --- Responding to c#5, re c#4 I have the same with an ascer aspire iv which does not have a dell bios Previous had two efi boot entries, grub-secure-boot Microsoft-secure-boot I now have three opensuse-secure-boot opensuse-secure-boot is default and provides blank back-lit screen with blinking cursor in upper left corner. 45 minutes later the same display Selecting the second, grub-.., successfully boots. If it is a dell bios problem, it is also an acer bios problem. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=950569 http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c11 --- Comment #11 from Neil Rickert --- (Replying to Gary Lin, comment #8)

# mokutil --set-verbosity true

With the good shim.efi (from 13.2), I get a blue window that says "Verification succeeded" (or similar -- I didn't write that down) With the bad shim.efi from 20151012, I get: UEFI SHIM $Version: 0.9 Build Machine: GNU/Linux$ $Commit: c340e8ce10ada28b30927e703cb62e9368cc1b9d That was manually transcribed, so I could have miscopied a character or two. I also tried with "grub.efi" and "MokManager.efi" from 20151012, but "shim.efi" from 13.2. That works. But "shim.efi" from 20151012 doesn't work, even if the other files are from 13.2. And "shim.efi" from 20151014 behaves the same as the one from 20151012. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=950569 http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c14 Neil Rickert changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(nwr10cst-oslnx@ya | |hoo.com) | --- Comment #14 from Neil Rickert --- (replying to Gary Lin at comment #13)

Could you try the attached shim and see if it also crashes?

It doesn't actually do anything. The firmware says "Secure Boot violation", and then it boots the next boot choice in the boot order. I could turn off secure-boot if you want me to try that. But since shim works with secure-boot disable, I don't know if we would be testing anything useful. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=950569 http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c19 Neil Rickert changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(nwr10cst-oslnx@ya | |hoo.com) | --- Comment #19 from Neil Rickert --- (repling to Gary Lin at comment #18)

unsigned shim without openssl patch

Yes, that one works fine. I'm testing with secure-boot disabled, which I take to be what you wanted. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=950569 http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c24 Neil Rickert changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(nwr10cst-oslnx@ya | |hoo.com) | --- Comment #24 from Neil Rickert ---

Is the crash after "Check whitelist" or "Check vendor key"?

I didn't see those. I copied the test-shim to another computer where I am not having problems, and ran it there to see what you were expecting. My guess is that the "mokutil --set-verbosity true" was somehow hiding some of the output. So I reran that with "false" in place of true. On the Dell where the problem shows up, I now see: Check blacklist Check whitelist Parse PKCS#7 Check PKCS#7 signed data Compare OID Verify PKCS7 and then nothing. I did not see a "Check vendor key" as best I can recall. (there are message to hit enter key to continue, which I did not write down). -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=950569 http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c26 --- Comment #26 from Neil Rickert --- Created attachment 652735 --> http://bugzilla.opensuse.org/attachment.cgi?id=652735&action=edit requested file /sys/firmware/efi/efivars/dbx-* -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=950569 http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c33 --- Comment #33 from Neil Rickert ---

If my fix is right, you'll see something like "ERR_add_error_vdata: Verify error:" and the verification will continue.

Yes, that's exactly what happens. There are several "ERR_add_error_vdata:" line, including the "Verify error". Then it repeats (probably checking another certificate. Then I get "Welcome to grub" and the boot menu. And then the "ERR_add_*" lines repeat again (probably checking the kernel signature). And then it boots. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=950569 http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c35 --- Comment #35 from Neil Rickert ---

Could you try the attached shim?

Yes, "shim-final-fix.efi" works fine. It goes straight to the grub2 menu, and successfully boots the selected entry. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=950569 http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c37 Frank Stulle changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |knarf@stulle-hamburg.de --- Comment #37 from Frank Stulle --- I reported problems starting Tumbleweed in the forum: https://forums.opensuse.org/showthread.php/510524-DVD-and-LiveCD-wont-start I try to boot TW 20151022 KDE Live from a USB key on a PC based on Asus H87M-E mainboard and i5-4570 CPU, with UEFI. I captured some boot error messages which show up for a fraction of a second just before the GRUB menu. And I was asked to posted them also in this bug report: Failed to set MokListRT: Not found Welcome to GRUB! error: file -/EFI/BOOT/x86_64-efi/linux.mod' not found. error: file -/EFI/BOOT/x86_64-efi/ls.mod' not found. See also: http://susepaste.org/12067695 Frank -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=950569 Michael Chang changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mchang@suse.com -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=950569 Bill Wayson changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |bill_wayson@yahoo.com -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=950569 Matthias Gensler changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |gensler@gmx.de -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=950569 http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c42 --- Comment #42 from patrick shanahan --- I also can boot my acer aspire 5 w/o rearranging order but still have an "extra" entry: acer: ~ # efibootmgr BootCurrent: 0003 Timeout: 2 seconds BootOrder: 0003,0002,0001 Boot0001* Windows Boot Manager Boot0002* grub-secureboot Boot0003* opensuse-secureboot I confirmed that 0002 would also boot and then removed 0002: acer: ~ # efibootmgr -b 2 -B BootCurrent: 0002 Timeout: 2 seconds BootOrder: 0003,0001 Boot0001* Windows Boot Manager Boot0003* opensuse-secureboot and now have: acer: ~ # efibootmgr BootCurrent: 0002 Timeout: 2 seconds BootOrder: 0003,0001 Boot0001* Windows Boot Manager Boot0003* opensuse-secureboot fwiw, I do not care which should have remained but whichever was added unintentionally or incorrectly *should* have been automagically removed. The incorrect situation was aleviated but not completely corrected. One *should* clean their trash. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=950569 http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c44 Gary Ching-Pang Lin changed: What |Removed |Added ---------------------------------------------------------------------------- Status|CONFIRMED |RESOLVED Resolution|--- |FIXED --- Comment #44 from Gary Ching-Pang Lin --- OK. Since we got the confirmation that the new shim fixed the issue, I am going to close this bug. If anyone found the similar problem again, feel free to reopeon this bug. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=950569 http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c47 --- Comment #47 from Neil Rickert --- Just a note. I've installed today's update. However, it did not reinstall shim. So the updated "shim.efi" is in "/usr/lib64/efi", but it is not in "/boot/efi/EFI/opensuse". Not a problem. I can copy it there (I have done that, actually). I think there's another update due shortly for bug 954126 so I hope that one at least updates the EFI boot entries. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=950569 http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c49 --- Comment #49 from Marcus Furlong --- Created attachment 660634 --> http://bugzilla.opensuse.org/attachment.cgi?id=660634&action=edit shim hanging at boot -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=950569 http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c51 --- Comment #51 from Marcus Furlong --- Thanks, also following that bug :-) Indeed, manually running shim-install installs the new shim and the original issue does not occur. -- You are receiving this mail because: You are on the CC list for the bug.