On Thu, Aug 20, 2020 at 08:46:14AM +0200, Michal Suchánek wrote:
On Thu, Aug 20, 2020 at 09:43:45AM +0800, Gary Lin wrote:
On Wed, Aug 19, 2020 at 08:31:44PM +0200, Michal Suchánek wrote:
openSUSE-release-20200810-660.1.x86_64 -> openSUSE-release-20200817-666.1.x86_64
The system complains about missing MokManager.efi very early during boot.
/boot/efi/EFI/boot/bootx64.efi
/boot/efi/EFI/boot/fallback.efi
/boot/efi/EFI/opensuse/MokManager.efi
/boot/efi/EFI/opensuse/boot.csv
/boot/efi/EFI/opensuse/grub.cfg
/boot/efi/EFI/opensuse/grub.efi
/boot/efi/EFI/opensuse/grubx64.efi
/boot/efi/EFI/opensuse/shim.efi
Booting EFI/boot/bootx64.efi reproduces the error, booting EFI/opensuse/shim.efi loads the system.
A couple of problems here:
1) the BIOS is not instructed to load the correct binary
2) the fallback does not work
Is this an expected/known issue?
What's the output of "pesign -S -i /boot/efi/EFI/boot/bootx64.efi" and "pesign -S -i /boot/efi/EFI/boot/fallback.efi"?
I wonder if fallback.efi wasn't updated correctly and bootx64.efi (shim) rejected it due to the revoked signkey.

# pesign -S -i /boot/efi/EFI/boot/bootx64.efi
certificate address is 0x7fa0783bca60
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Microsoft Windows UEFI Driver Publisher
No signer email address.
No signing time included.
There were certs or crls included.
---------------------------------------------
certificate address is 0x7fa0783bebc8
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is openSUSE Secure Boot Signkey
The signer's email address is build@opensuse.org
Signing time: Mon Aug 10, 2020
There were certs or crls included.
---------------------------------------------

# pesign -S -i /boot/efi/EFI/boot/fallback.efi
---------------------------------------------
certificate address is 0x7f40e80f5dd0
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is openSUSE Secure Boot Signkey
The signer's email address is build@opensuse.org
Signing time: Mon Aug 10, 2020
There were certs or crls included.
---------------------------------------------

# pesign -S -i /boot/efi/EFI/opensuse/shim.efi
---------------------------------------------
certificate address is 0x7fc55659fa60
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Microsoft Windows UEFI Driver Publisher
No signer email address.
No signing time included.
There were certs or crls included.
---------------------------------------------
certificate address is 0x7fc5565a1bc8
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is openSUSE Secure Boot Signkey
The signer's email address is build@opensuse.org
Signing time: Mon Aug 10, 2020
There were certs or crls included.
---------------------------------------------

# pesign -S -i /boot/efi/EFI/opensuse/MokManager.efi
---------------------------------------------
certificate address is 0x7fb636f0cf68
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is openSUSE Secure Boot Signkey
The signer's email address is build@opensuse.org
Signing time: Mon Aug 10, 2020
There were certs or crls included.
---------------------------------------------
Hmmm, so all those EFI images were updated. Will check why bootx64.efi failed to load fallback.efi.

Gary Lin
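
An added example, not part of the thread and not openSUSE tooling: a small parser for `pesign -S` listings like the one above that reports which EFI binaries carry a differently dated signature from a given signer than a reference binary does, which is the "was everything updated together" comparison made by eye in this thread. The sample input is constructed (the older fallback.efi date is invented to show a stale file), and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the `pesign -S` output quoted above.
# The "Aug 03" date is invented to show what a binary skipped by an update
# would look like; it is not a value from the thread.
SAMPLE = """\
# pesign -S -i /boot/efi/EFI/boot/bootx64.efi
The signer's common name is Microsoft Windows UEFI Driver Publisher
No signing time included.
---------------------------------------------
The signer's common name is openSUSE Secure Boot Signkey
Signing time: Mon Aug 10, 2020
---------------------------------------------
# pesign -S -i /boot/efi/EFI/boot/fallback.efi
---------------------------------------------
The signer's common name is openSUSE Secure Boot Signkey
Signing time: Mon Aug 03, 2020
---------------------------------------------
"""

CMD = re.compile(r"^#\s*pesign\s+-S\s+-i\s+(\S+)")
CN = re.compile(r"^The signer's common name is (.+)$")
TIME = re.compile(r"^Signing time: (.+)$")

def parse_signatures(text):
    """Return {path: [(signer_common_name, signing_time_or_None), ...]}."""
    result, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := CMD.match(line):
            path = m.group(1)
            result[path] = []          # keep the file even if it has no signature
        elif path and (m := CN.match(line)):
            result[path].append((m.group(1), None))
        elif path and result[path] and (m := TIME.match(line)):
            # The signing time belongs to the most recently seen signer.
            result[path][-1] = (result[path][-1][0], m.group(1))
    return result

def differs_from(sigs, reference, signer):
    """Paths whose `signer` signature is missing or dated unlike `reference`'s."""
    when = lambda p: next((t for n, t in sigs[p] if n == signer), None)
    return sorted(p for p in sigs if p != reference and when(p) != when(reference))

if __name__ == "__main__":
    sigs = parse_signatures(SAMPLE)
    print(differs_from(sigs, "/boot/efi/EFI/boot/bootx64.efi",
                       "openSUSE Secure Boot Signkey"))
```

Matching signing times only indicate that the binaries come from the same signing run; they do not verify any signature or show why one image refuses to load another.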