[Bug 950569] New: With the new shim (shim-0.9-3.2) in Tumbleweed, a Dell Inspiron 660 hangs on boot
http://bugzilla.opensuse.org/show_bug.cgi?id=950569 Bug ID: 950569 Summary: With the new shim (shim-0.9-3.2) in Tumbleweed, a Dell Inspiron 660 hangs on boot Classification: openSUSE Product: openSUSE Factory Version: 2015* Hardware: x86-64 OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Bootloader Assignee: jsrain@suse.com Reporter: nwr10cst-oslnx@yahoo.com QA Contact: jsrain@suse.com Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.21 (KHTML, like Gecko) konqueror/4.14.9 Safari/537.21 Build Identifier: After updating to snapshot 20151012, I get a blank screen on reboot. If I try booting the install DVD (written to a USB), I also get a blank screen. If I disable secure-boot in the firmware, I then get a normal boot menu and am able to boot. If I re-enable secure-boot, I again get a blank screen. As a work-around, I have switched to using the "shim.efi" from opensuse 13.2, which works normally. --- On a different computer (a Lenovo ThinkServer TS140), I am not having any problems with shim-0.9-3.2 Reproducible: Always -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c3
--- Comment #3 from Neil Rickert
So there is nothing but a blank screen? That's bad...
Right. Sometimes there's a cursor at the top left, if I remember correctly.
Did you use shim.efi from openSUSE 13.2 DVD or the updated one?
The updated one. This was from 13.2 installed in a different partition on the same computer. To be more precise, I used "shim.efi", "grub.efi" and "MokManager.efi" from 13.2. I took those to be a matched set. But I can experiment with just one of those at a time if that would be useful. When I first booted after the update, it looked to me as if the firmware was freezing. So I powered off, powered on, and hit F2 to get into BIOS settings. That's when I tried turning off secure-boot. When that worked, it suggested a "shim" problem. So I experimented booting the DVD iso (on USB) with secure-boot on and off. And then I put back the ".efi" files from 13.2 to get things working. During my tests, I found that CTRL-ALT-DEL does reboot when the system is sitting on that blank screen. I'm not sure how to test what is going on. I think you would need a debugging version of "shim.efi" and it would need to be signed by Microsoft to be able to test with secure-boot -- unless there's a way of chaining a debug version from a working shim.efi, and have the debug version signed with a MokManager key. (I do have my own key installed, though I am not currently using it on this machine). -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c4
Achim Gratz
ll /boot/efi/EFI/* /boot/efi/EFI/boot: total 1204 -rwxrwxr-x 1 root root 1157056 15. Okt 22:29 bootx64.efi -rwxrwxr-x 1 root root 71672 15. Okt 22:29 fallback.efi
/boot/efi/EFI/grub: total 3456 -rwxrwxr-x 1 root root 50 8. Okt 22:29 boot.csv -rwxrwxr-x 1 root root 155 8. Okt 22:29 grub.cfg -rwxrwxr-x 1 root root 965472 8. Okt 22:29 grub.efi -rwxrwxr-x 1 root root 1276328 8. Okt 22:29 MokManager.efi -rwxrwxr-x 1 root root 1286112 8. Okt 22:29 shim.efi /boot/efi/EFI/opensuse: total 3416 -rwxrwxr-x 1 root root 58 15. Okt 22:29 boot.csv -rwxrwxr-x 1 root root 155 15. Okt 22:29 grub.cfg -rwxrwxr-x 1 root root 965472 15. Okt 22:29 grub.efi -rwxrwxr-x 1 root root 200704 15. Okt 22:29 grubx64.efi -rwxrwxr-x 1 root root 1161312 15. Okt 22:29 MokManager.efi -rwxrwxr-x 1 root root 1157056 15. Okt 22:29 shim.efi
cat /boot/efi/EFI/grub/boot.csv shim.efi,grub-secureboot
cat /boot/efi/EFI/opensuse/boot.csv shim.efi,opensuse-secureboot
efibootmgr -v BootCurrent: 0001 Timeout: 0 seconds BootOrder: 0000,0001,0008,0009,000A Boot0000 opensuse-secureboot HD(1,GPT,12345678-9abc-def0-1234-56789abcdef0,0x800,0x4e000)/File(\EFI\opensuse\shim.efi) Boot0001* grub-secureboot HD(1,GPT,12345678-9abc-def0-1234-56789abcdef0,0x800,0x4e000)/File(\EFI\grub\shim.efi) Boot0008* Onboard NIC(IPV4) PciRoot(0x0)/Pci(0x19,0x0)/MAC(0123456789ab,0)/IPv4(0.0.0.0:0<->0.0.0.0:0,0,0)AMBO Boot0009* Onboard NIC(IPV6) PciRoot(0x0)/Pci(0x19,0x0)/MAC(0123456789ab,0)/IPv6([::]:<->[::]:,0,0)AMBO Boot000A* UEFI: Crucial_CT1024M550SSD1 PciRoot(0x0)/Pci(0x1f,0x2)/Sata(4,32768,0)/HD(1,GPT,12345678-9abc-def0-1234-56789abcdef0,0x800,0x4e000)AMBO
The symptoms are as described in the other reports: the screen goes blank and nothing happens. I can Ctrl-Alt-Del most of the time to get another reboot, but if I pre Enter or do anything else on the keyboard (based on the assumption that I just don't see anything on the screen) I'll have to switch off. The grub.cfg is identical for both versions. The only other notable difference is the presence of a grubx64.efi, but I don't think it's even used. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c5
--- Comment #5 from Neil Rickert
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c6
patrick shanahan
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c7
Neil Rickert
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c11
--- Comment #11 from Neil Rickert
# mokutil --set-verbosity true
With the good shim.efi (from 13.2), I get a blue window that says "Verification succeeded" (or similar -- I didn't write that down) With the bad shim.efi from 20151012, I get: UEFI SHIM $Version: 0.9 Build Machine: GNU/Linux$ $Commit: c340e8ce10ada28b30927e703cb62e9368cc1b9d That was manually transcribed, so I could have miscopied a character or two. I also tried with "grub.efi" and "MokManager.efi" from 20151012, but "shim.efi" from 13.2. That works. But "shim.efi" from 20151012 doesn't work, even if the other files are from 13.2. And "shim.efi" from 20151014 behaves the same as the one from 20151012. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c12
--- Comment #12 from Neil Rickert
Correcting order provides proper boot as expected but boot screen image has reverted to three ascii chars center of screen instead of displaying an image.
Yes, I'm getting that. But I don't think it is related to the "shim" problem. It's probably an issue with Plymouth. When this last happened, it was said to be a problem with the Intel graphics driver (I am using Intel graphics). And for me, it is intermittent -- I sometimes get the graphic plymouth screen and sometimes the text screen (with 3 green blobs). -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c14
Neil Rickert
Could you try the attached shim and see if it also crashes?
It doesn't actually do anything. The firmware says "Secure Boot violation", and then it boots the next boot choice in the boot order. I could turn off secure-boot if you want me to try that. But since shim works with secure-boot disable, I don't know if we would be testing anything useful. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c16
--- Comment #16 from Neil Rickert
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c19
Neil Rickert
unsigned shim without openssl patch
Yes, that one works fine. I'm testing with secure-boot disabled, which I take to be what you wanted. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c22
Neil Rickert
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c24
Neil Rickert
Is the crash after "Check whitelist" or "Check vendor key"?
I didn't see those. I copied the test-shim to another computer where I am not having problems, and ran it there to see what you were expecting. My guess is that the "mokutil --set-verbosity true" was somehow hiding some of the output. So I reran that with "false" in place of true. On the Dell where the problem shows up, I now see: Check blacklist Check whitelist Parse PKCS#7 Check PKCS#7 signed data Compare OID Verify PKCS7 and then nothing. I did not see a "Check vendor key" as best I can recall. (there are message to hit enter key to continue, which I did not write down). -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c25
--- Comment #25 from Neil Rickert
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c26
--- Comment #26 from Neil Rickert
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c30
Neil Rickert
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c33
--- Comment #33 from Neil Rickert
If my fix is right, you'll see something like "ERR_add_error_vdata: Verify error:" and the verification will continue.
Yes, that's exactly what happens. There are several "ERR_add_error_vdata:" line, including the "Verify error". Then it repeats (probably checking another certificate. Then I get "Welcome to grub" and the boot menu. And then the "ERR_add_*" lines repeat again (probably checking the kernel signature). And then it boots. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
Vincent Untz
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c35
--- Comment #35 from Neil Rickert
Could you try the attached shim?
Yes, "shim-final-fix.efi" works fine. It goes straight to the grub2 menu, and successfully boots the selected entry. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
Neil Rickert
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c37
Frank Stulle
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c38
--- Comment #38 from Gary Ching-Pang Lin
I reported problems starting Tumbleweed in the forum: https://forums.opensuse.org/showthread.php/510524-DVD-and-LiveCD-wont-start
I try to boot TW 20151022 KDE Live from a USB key on a PC based on Asus H87M-E mainboard and i5-4570 CPU, with UEFI.
I captured some boot error messages which show up for a fraction of a second just before the GRUB menu. And I was asked to posted them also in this bug report:
Failed to set MokListRT: Not found This message is another bug: https://bugzilla.opensuse.org/show_bug.cgi?id=950801
Welcome to GRUB!
error: file -/EFI/BOOT/x86_64-efi/linux.mod' not found. error: file -/EFI/BOOT/x86_64-efi/ls.mod' not found.
See also: http://susepaste.org/12067695
Frank
-- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
Michael Chang
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c40
--- Comment #40 from Neil Rickert
Still incorrectly adds opensuse-secureboot efi entry which fails to boot.
It is difficult to see that as incorrect. Perhaps they should have reverted to the previous "shim" until there is a fix available, but that's not for me to decide. You only have that "grub-secureboot" entry because of bug 948866 -- so be happy that you have it at the moment, but once a fixed "shim" is available you should probably delete that boot entry. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
Bill Wayson
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
Arjen de Korte
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
Matthias Gensler
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c41
--- Comment #41 from Achim Gratz
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c42
--- Comment #42 from patrick shanahan
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c43
--- Comment #43 from Neil Rickert
I do not care which should have remained but whichever was added unintentionally or incorrectly *should* have been automagically removed.
Can't be done. The problem is that other distros (arch, for example) use that "grub" directory. It's bad enough that opensuse put something there, though perhaps not a big problem since arch normally doesn't do secure-boot. A cleanup could delete the arch boot setup. Not a good idea. By the way, the new shim.efi from Tumbleweed 20151209 does seem to work for me. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c44
Gary Ching-Pang Lin
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c45
--- Comment #45 from Bill Wayson
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c47
--- Comment #47 from Neil Rickert
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c48
Marcus Furlong
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c49
--- Comment #49 from Marcus Furlong
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c50
--- Comment #50 from Neil Rickert
http://bugzilla.opensuse.org/show_bug.cgi?id=950569
http://bugzilla.opensuse.org/show_bug.cgi?id=950569#c51
--- Comment #51 from Marcus Furlong
participants (1)
-
bugzilla_noreply@novell.com