21.08.2020 05:06, Gary Lin пишет:
On Thu, Aug 20, 2020 at 03:55:20PM +0800, Gary Lin wrote:
On Thu, Aug 20, 2020 at 08:46:14AM +0200, Michal Suchánek wrote:
On Thu, Aug 20, 2020 at 09:43:45AM +0800, Gary Lin wrote:
On Wed, Aug 19, 2020 at 08:31:44PM +0200, Michal Suchánek wrote:
openSUSE-release-20200810-660.1.x86_64 -> openSUSE-release-20200817-666.1.x86_64
The system complains about missing MokManager.efi very early during boot.
/boot/efi/EFI/boot/bootx64.efi /boot/efi/EFI/boot/fallback.efi /boot/efi/EFI/opensuse/MokManager.efi /boot/efi/EFI/opensuse/boot.csv /boot/efi/EFI/opensuse/grub.cfg /boot/efi/EFI/opensuse/grub.efi /boot/efi/EFI/opensuse/grubx64.efi /boot/efi/EFI/opensuse/shim.efi
Booting EFI/boot/bootx64.efi reproduces the error, booting EFI/opensuse/shim.efi loads the system.
A couple of problems here:
1) the BIOS is not instructed to load the correct binary 2) the fallback does not work
Is this expected/known issue?
What's the output of "pesign -S -i /boot/efi/EFI/boot/bootx64.efi" and "pesign -S -i /boot/efi/EFI/boot/fallback.efi"?
I wonder if fallback.efi wasn't updated correctly and bootx64.efi (shim) rejected it due to the revoked signkey. # pesign -S -i /boot/efi/EFI/boot/bootx64.efi
certificate address is 0x7fa0783bca60 Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is Microsoft Windows UEFI Driver Publisher No signer email address. No signing time included. There were certs or crls included. --------------------------------------------- certificate address is 0x7fa0783bebc8 Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is openSUSE Secure Boot Signkey The signer's email address is build@opensuse.org Signing time: Mon Aug 10, 2020 There were certs or crls included. --------------------------------------------- # pesign -S -i /boot/efi/EFI/boot/fallback.efi --------------------------------------------- certificate address is 0x7f40e80f5dd0 Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is openSUSE Secure Boot Signkey The signer's email address is build@opensuse.org Signing time: Mon Aug 10, 2020 There were certs or crls included. --------------------------------------------- -----8<-----
Hmmm, so all those EFI images were updated. Will check why bootx64.efi failed to load fallback.efi.
I upgraded my Tumbleweed VM from 20200422 to 20200818 and couldn't reproduce the issue. Booting bootx64.efi loaded fallback.efi and then grub2 as expected. It's really strange that bootx64.efi rejected fallback.efi in your system...
It was not rejected, it did not even try to load it. I provided more information on https://bugzilla.opensuse.org/show_bug.cgi?id=1175626 -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org