[opensuse-factory] EFI system won't boot after last Tumbleweed update
openSUSE-release-20200810-660.1.x86_64 -> openSUSE-release-20200817-666.1.x86_64 The system complains about missing MokManager.efi very early during boot. /boot/efi/EFI/boot/bootx64.efi /boot/efi/EFI/boot/fallback.efi /boot/efi/EFI/opensuse/MokManager.efi /boot/efi/EFI/opensuse/boot.csv /boot/efi/EFI/opensuse/grub.cfg /boot/efi/EFI/opensuse/grub.efi /boot/efi/EFI/opensuse/grubx64.efi /boot/efi/EFI/opensuse/shim.efi Booting EFI/boot/bootx64.efi reproduces the error, booting EFI/opensuse/shim.efi loads the system. A couple of problems here: 1) the BIOS is not instructed to load the correct binary 2) the fallback does not work Is this expected/known issue? Thanks Michal -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On 8/19/20 1:31 PM, Michal Suchánek wrote:
openSUSE-release-20200810-660.1.x86_64 -> openSUSE-release-20200817-666.1.x86_64
The system complains about missing MokManager.efi very early during boot.
I am not having a problem (testing in a KVM virtual machine). To test: 1: I booted normally. 2: I told it to boot the hard drive (should use EFI/boot/bootx64.efi). That did invoke "fallback.efi", and booted normally from there. 3: Deleted a certificate with "mokutil -d" to make sure that MokManager would have something to do. 4: Booted normally. I got the blue screen from MokManager, deleted the key, and rebooted. 5: Again rebooted normally. There were no problems with any of these. As I recall, "shim.efi", "MokManager.efi" and "fallback.efi" were recently updated. So I am using the new versions. Is it possible that you are using mixed versions? The old versions should be identical to those in Leap 15.2. I don't know whether mix and match works. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Wed, Aug 19, 2020 at 08:31:44PM +0200, Michal Suchánek wrote:
openSUSE-release-20200810-660.1.x86_64 -> openSUSE-release-20200817-666.1.x86_64
The system complains about missing MokManager.efi very early during boot.
/boot/efi/EFI/boot/bootx64.efi /boot/efi/EFI/boot/fallback.efi /boot/efi/EFI/opensuse/MokManager.efi /boot/efi/EFI/opensuse/boot.csv /boot/efi/EFI/opensuse/grub.cfg /boot/efi/EFI/opensuse/grub.efi /boot/efi/EFI/opensuse/grubx64.efi /boot/efi/EFI/opensuse/shim.efi
Booting EFI/boot/bootx64.efi reproduces the error, booting EFI/opensuse/shim.efi loads the system.
A couple of problems here:
1) the BIOS is not instructed to load the correct binary 2) the fallback does not work
Is this expected/known issue?
What's the output of "pesign -S -i /boot/efi/EFI/boot/bootx64.efi" and "pesign -S -i /boot/efi/EFI/boot/fallback.efi"? I wonder if fallback.efi wasn't updated correctly and bootx64.efi (shim) rejected it due to the revoked signkey. Gary Lin
Thanks
Michal -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Thu, Aug 20, 2020 at 09:43:45AM +0800, Gary Lin wrote:
On Wed, Aug 19, 2020 at 08:31:44PM +0200, Michal Suchánek wrote:
openSUSE-release-20200810-660.1.x86_64 -> openSUSE-release-20200817-666.1.x86_64
The system complains about missing MokManager.efi very early during boot.
/boot/efi/EFI/boot/bootx64.efi /boot/efi/EFI/boot/fallback.efi /boot/efi/EFI/opensuse/MokManager.efi /boot/efi/EFI/opensuse/boot.csv /boot/efi/EFI/opensuse/grub.cfg /boot/efi/EFI/opensuse/grub.efi /boot/efi/EFI/opensuse/grubx64.efi /boot/efi/EFI/opensuse/shim.efi
Booting EFI/boot/bootx64.efi reproduces the error, booting EFI/opensuse/shim.efi loads the system.
A couple of problems here:
1) the BIOS is not instructed to load the correct binary 2) the fallback does not work
Is this expected/known issue?
What's the output of "pesign -S -i /boot/efi/EFI/boot/bootx64.efi" and "pesign -S -i /boot/efi/EFI/boot/fallback.efi"?
I wonder if fallback.efi wasn't updated correctly and bootx64.efi (shim) rejected it due to the revoked signkey. # pesign -S -i /boot/efi/EFI/boot/bootx64.efi
certificate address is 0x7fa0783bca60 Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is Microsoft Windows UEFI Driver Publisher No signer email address. No signing time included. There were certs or crls included. --------------------------------------------- certificate address is 0x7fa0783bebc8 Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is openSUSE Secure Boot Signkey The signer's email address is build@opensuse.org Signing time: Mon Aug 10, 2020 There were certs or crls included. --------------------------------------------- # pesign -S -i /boot/efi/EFI/boot/fallback.efi --------------------------------------------- certificate address is 0x7f40e80f5dd0 Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is openSUSE Secure Boot Signkey The signer's email address is build@opensuse.org Signing time: Mon Aug 10, 2020 There were certs or crls included. --------------------------------------------- # pesign -S -i /boot/efi/EFI/opensuse/shim.efi --------------------------------------------- certificate address is 0x7fc55659fa60 Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is Microsoft Windows UEFI Driver Publisher No signer email address. No signing time included. There were certs or crls included. --------------------------------------------- certificate address is 0x7fc5565a1bc8 Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is openSUSE Secure Boot Signkey The signer's email address is build@opensuse.org Signing time: Mon Aug 10, 2020 There were certs or crls included. --------------------------------------------- # pesign -S -i /boot/efi/EFI/opensuse/MokManager.efi --------------------------------------------- certificate address is 0x7fb636f0cf68 Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is openSUSE Secure Boot Signkey The signer's email address is build@opensuse.org Signing time: Mon Aug 10, 2020 There were certs or crls included. --------------------------------------------- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Thu, Aug 20, 2020 at 08:46:14AM +0200, Michal Suchánek wrote:
On Thu, Aug 20, 2020 at 09:43:45AM +0800, Gary Lin wrote:
On Wed, Aug 19, 2020 at 08:31:44PM +0200, Michal Suchánek wrote:
openSUSE-release-20200810-660.1.x86_64 -> openSUSE-release-20200817-666.1.x86_64
The system complains about missing MokManager.efi very early during boot.
/boot/efi/EFI/boot/bootx64.efi /boot/efi/EFI/boot/fallback.efi /boot/efi/EFI/opensuse/MokManager.efi /boot/efi/EFI/opensuse/boot.csv /boot/efi/EFI/opensuse/grub.cfg /boot/efi/EFI/opensuse/grub.efi /boot/efi/EFI/opensuse/grubx64.efi /boot/efi/EFI/opensuse/shim.efi
Booting EFI/boot/bootx64.efi reproduces the error, booting EFI/opensuse/shim.efi loads the system.
A couple of problems here:
1) the BIOS is not instructed to load the correct binary 2) the fallback does not work
Is this expected/known issue?
What's the output of "pesign -S -i /boot/efi/EFI/boot/bootx64.efi" and "pesign -S -i /boot/efi/EFI/boot/fallback.efi"?
I wonder if fallback.efi wasn't updated correctly and bootx64.efi (shim) rejected it due to the revoked signkey. # pesign -S -i /boot/efi/EFI/boot/bootx64.efi
certificate address is 0x7fa0783bca60 Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is Microsoft Windows UEFI Driver Publisher No signer email address. No signing time included. There were certs or crls included. --------------------------------------------- certificate address is 0x7fa0783bebc8 Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is openSUSE Secure Boot Signkey The signer's email address is build@opensuse.org Signing time: Mon Aug 10, 2020 There were certs or crls included. --------------------------------------------- # pesign -S -i /boot/efi/EFI/boot/fallback.efi --------------------------------------------- certificate address is 0x7f40e80f5dd0 Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is openSUSE Secure Boot Signkey The signer's email address is build@opensuse.org Signing time: Mon Aug 10, 2020 There were certs or crls included. --------------------------------------------- # pesign -S -i /boot/efi/EFI/opensuse/shim.efi --------------------------------------------- certificate address is 0x7fc55659fa60 Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is Microsoft Windows UEFI Driver Publisher No signer email address. No signing time included. There were certs or crls included. --------------------------------------------- certificate address is 0x7fc5565a1bc8 Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is openSUSE Secure Boot Signkey The signer's email address is build@opensuse.org Signing time: Mon Aug 10, 2020 There were certs or crls included. --------------------------------------------- # pesign -S -i /boot/efi/EFI/opensuse/MokManager.efi --------------------------------------------- certificate address is 0x7fb636f0cf68 Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is openSUSE Secure Boot Signkey The signer's email address is build@opensuse.org Signing time: Mon Aug 10, 2020 There were certs or crls included. ---------------------------------------------
Hmmm, so all those EFI images were updated. Will check why bootx64.efi failed to load fallback.efi. Gary Lin -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Thu, Aug 20, 2020 at 03:55:20PM +0800, Gary Lin wrote:
On Thu, Aug 20, 2020 at 08:46:14AM +0200, Michal Suchánek wrote:
On Thu, Aug 20, 2020 at 09:43:45AM +0800, Gary Lin wrote:
On Wed, Aug 19, 2020 at 08:31:44PM +0200, Michal Suchánek wrote:
openSUSE-release-20200810-660.1.x86_64 -> openSUSE-release-20200817-666.1.x86_64
The system complains about missing MokManager.efi very early during boot.
/boot/efi/EFI/boot/bootx64.efi /boot/efi/EFI/boot/fallback.efi /boot/efi/EFI/opensuse/MokManager.efi /boot/efi/EFI/opensuse/boot.csv /boot/efi/EFI/opensuse/grub.cfg /boot/efi/EFI/opensuse/grub.efi /boot/efi/EFI/opensuse/grubx64.efi /boot/efi/EFI/opensuse/shim.efi
Booting EFI/boot/bootx64.efi reproduces the error, booting EFI/opensuse/shim.efi loads the system.
A couple of problems here:
1) the BIOS is not instructed to load the correct binary 2) the fallback does not work
Is this expected/known issue?
What's the output of "pesign -S -i /boot/efi/EFI/boot/bootx64.efi" and "pesign -S -i /boot/efi/EFI/boot/fallback.efi"?
I wonder if fallback.efi wasn't updated correctly and bootx64.efi (shim) rejected it due to the revoked signkey. # pesign -S -i /boot/efi/EFI/boot/bootx64.efi
certificate address is 0x7fa0783bca60 Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is Microsoft Windows UEFI Driver Publisher No signer email address. No signing time included. There were certs or crls included. --------------------------------------------- certificate address is 0x7fa0783bebc8 Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is openSUSE Secure Boot Signkey The signer's email address is build@opensuse.org Signing time: Mon Aug 10, 2020 There were certs or crls included. --------------------------------------------- # pesign -S -i /boot/efi/EFI/boot/fallback.efi --------------------------------------------- certificate address is 0x7f40e80f5dd0 Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is openSUSE Secure Boot Signkey The signer's email address is build@opensuse.org Signing time: Mon Aug 10, 2020 There were certs or crls included. --------------------------------------------- -----8<-----
Hmmm, so all those EFI images were updated. Will check why bootx64.efi failed to load fallback.efi.
I upgraded my Tumbleweed VM from 20200422 to 20200818 and couldn't reproduce the issue. Booting bootx64.efi loaded fallback.efi and then grub2 as expected. It's really strange that bootx64.efi rejected fallback.efi in your system... Gary Lin -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
21.08.2020 05:06, Gary Lin пишет:
On Thu, Aug 20, 2020 at 03:55:20PM +0800, Gary Lin wrote:
On Thu, Aug 20, 2020 at 08:46:14AM +0200, Michal Suchánek wrote:
On Thu, Aug 20, 2020 at 09:43:45AM +0800, Gary Lin wrote:
On Wed, Aug 19, 2020 at 08:31:44PM +0200, Michal Suchánek wrote:
openSUSE-release-20200810-660.1.x86_64 -> openSUSE-release-20200817-666.1.x86_64
The system complains about missing MokManager.efi very early during boot.
/boot/efi/EFI/boot/bootx64.efi /boot/efi/EFI/boot/fallback.efi /boot/efi/EFI/opensuse/MokManager.efi /boot/efi/EFI/opensuse/boot.csv /boot/efi/EFI/opensuse/grub.cfg /boot/efi/EFI/opensuse/grub.efi /boot/efi/EFI/opensuse/grubx64.efi /boot/efi/EFI/opensuse/shim.efi
Booting EFI/boot/bootx64.efi reproduces the error, booting EFI/opensuse/shim.efi loads the system.
A couple of problems here:
1) the BIOS is not instructed to load the correct binary 2) the fallback does not work
Is this expected/known issue?
What's the output of "pesign -S -i /boot/efi/EFI/boot/bootx64.efi" and "pesign -S -i /boot/efi/EFI/boot/fallback.efi"?
I wonder if fallback.efi wasn't updated correctly and bootx64.efi (shim) rejected it due to the revoked signkey. # pesign -S -i /boot/efi/EFI/boot/bootx64.efi
certificate address is 0x7fa0783bca60 Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is Microsoft Windows UEFI Driver Publisher No signer email address. No signing time included. There were certs or crls included. --------------------------------------------- certificate address is 0x7fa0783bebc8 Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is openSUSE Secure Boot Signkey The signer's email address is build@opensuse.org Signing time: Mon Aug 10, 2020 There were certs or crls included. --------------------------------------------- # pesign -S -i /boot/efi/EFI/boot/fallback.efi --------------------------------------------- certificate address is 0x7f40e80f5dd0 Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is openSUSE Secure Boot Signkey The signer's email address is build@opensuse.org Signing time: Mon Aug 10, 2020 There were certs or crls included. --------------------------------------------- -----8<-----
Hmmm, so all those EFI images were updated. Will check why bootx64.efi failed to load fallback.efi.
I upgraded my Tumbleweed VM from 20200422 to 20200818 and couldn't reproduce the issue. Booting bootx64.efi loaded fallback.efi and then grub2 as expected. It's really strange that bootx64.efi rejected fallback.efi in your system...
Similar problem was reported also on forums. https://forums.opensuse.org/showthread.php/543433-update-killed-bootloader -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
21.08.2020 05:06, Gary Lin пишет:
On Thu, Aug 20, 2020 at 03:55:20PM +0800, Gary Lin wrote:
On Thu, Aug 20, 2020 at 08:46:14AM +0200, Michal Suchánek wrote:
On Thu, Aug 20, 2020 at 09:43:45AM +0800, Gary Lin wrote:
On Wed, Aug 19, 2020 at 08:31:44PM +0200, Michal Suchánek wrote:
openSUSE-release-20200810-660.1.x86_64 -> openSUSE-release-20200817-666.1.x86_64
The system complains about missing MokManager.efi very early during boot.
/boot/efi/EFI/boot/bootx64.efi /boot/efi/EFI/boot/fallback.efi /boot/efi/EFI/opensuse/MokManager.efi /boot/efi/EFI/opensuse/boot.csv /boot/efi/EFI/opensuse/grub.cfg /boot/efi/EFI/opensuse/grub.efi /boot/efi/EFI/opensuse/grubx64.efi /boot/efi/EFI/opensuse/shim.efi
Booting EFI/boot/bootx64.efi reproduces the error, booting EFI/opensuse/shim.efi loads the system.
A couple of problems here:
1) the BIOS is not instructed to load the correct binary 2) the fallback does not work
Is this expected/known issue?
What's the output of "pesign -S -i /boot/efi/EFI/boot/bootx64.efi" and "pesign -S -i /boot/efi/EFI/boot/fallback.efi"?
I wonder if fallback.efi wasn't updated correctly and bootx64.efi (shim) rejected it due to the revoked signkey. # pesign -S -i /boot/efi/EFI/boot/bootx64.efi
certificate address is 0x7fa0783bca60 Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is Microsoft Windows UEFI Driver Publisher No signer email address. No signing time included. There were certs or crls included. --------------------------------------------- certificate address is 0x7fa0783bebc8 Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is openSUSE Secure Boot Signkey The signer's email address is build@opensuse.org Signing time: Mon Aug 10, 2020 There were certs or crls included. --------------------------------------------- # pesign -S -i /boot/efi/EFI/boot/fallback.efi --------------------------------------------- certificate address is 0x7f40e80f5dd0 Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is openSUSE Secure Boot Signkey The signer's email address is build@opensuse.org Signing time: Mon Aug 10, 2020 There were certs or crls included. --------------------------------------------- -----8<-----
Hmmm, so all those EFI images were updated. Will check why bootx64.efi failed to load fallback.efi.
I upgraded my Tumbleweed VM from 20200422 to 20200818 and couldn't reproduce the issue. Booting bootx64.efi loaded fallback.efi and then grub2 as expected. It's really strange that bootx64.efi rejected fallback.efi in your system...
It was not rejected, it did not even try to load it. I provided more information on https://bugzilla.opensuse.org/show_bug.cgi?id=1175626 -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
participants (4)
-
Andrei Borzenkov -
Gary Lin -
Michal Suchánek -
Neil Rickert