[Bug 1191480] New: Kernel:stable kernel 5.14.10-2.1.g2878fd1 cannot boot due to "bad shim signature"
https://bugzilla.suse.com/show_bug.cgi?id=1191480

            Bug ID: 1191480
           Summary: Kernel:stable kernel 5.14.10-2.1.g2878fd1 cannot boot due
                    to "bad shim signature"
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: x86-64
                OS: openSUSE Tumbleweed
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Kernel
          Assignee: kernel-bugs@opensuse.org
          Reporter: yan.huang@suse.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

On openSUSE Tumbleweed 20211005 (with shim 15.4-4.2 and Secure Boot enabled),
booting the newest Kernel:stable kernel 5.14.10-2.1.g2878fd1 leads to:

  Loading Linux kernel-default-5.14.10-2.g2878fd1-default ...
  error: ../../grub-core/kern/efi/sb.c:150:bad shim signature.
  Loading initial ramdisk ...
  error: ../../grub-core/loader/i386/efi/linux.c.98:you need to load the kernel first.

  Press any key to continue..._

The previous Kernel:stable kernel 5.14.9-2.1.gd0ace7f did not have this issue.

The issue seems to be similar to the previous boo#1188142 (Kernel 5.13.1 does
not boot due to bad shim signature).

-- 
You are receiving this mail because:
You are the assignee for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1191480
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c1

--- Comment #1 from Frank Krüger <fkrueger@mailbox.org> ---
(In reply to Yan Huang from comment #0)
> On openSUSE Tumbleweed 20211005 (with shim 15.4-4.2 and Secure Boot enabled),
> booting the newest Kernel:stable kernel 5.14.10-2.1.g2878fd1 leads to:
> 
>   Loading Linux kernel-default-5.14.10-2.g2878fd1-default ...
>   error: ../../grub-core/kern/efi/sb.c:150:bad shim signature.
>   Loading initial ramdisk ...
>   error: ../../grub-core/loader/i386/efi/linux.c.98:you need to load the kernel first.
> 
>   Press any key to continue..._
> 
> The previous Kernel:stable kernel 5.14.9-2.1.gd0ace7f did not have this issue.
> 
> The issue seems to be similar to the previous boo#1188142 (Kernel 5.13.1 does
> not boot due to bad shim signature).

Confirmed with TW20201005, shim-15.4-4.2.x86_64 and
kernel-default-5.14.10-2.1.g2878fd1.x86_64 from kernel:stable.
https://bugzilla.suse.com/show_bug.cgi?id=1191480
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c2

--- Comment #2 from Michal Suchanek <msuchanek@suse.com> ---
The kernel is signed, but pesign signatures are apparently write-only: there is
no tool to tell you with which key specifically.

  sbverify --list kernel-default-5.14.10-2.1.g2878fd1.x86_64/usr/lib/modules/5.14.10-2.g2878fd1-default/vmlinuz
  signature 1
  image signature issuers:
   - /CN=Kernel OBS Project/emailAddress=Kernel@build.opensuse.org
  image signature certificates:
   - subject: /CN=Kernel OBS Project/emailAddress=Kernel@build.opensuse.org
     issuer: /CN=Kernel OBS Project/emailAddress=Kernel@build.opensuse.org

It verifies with the project certificate here:
https://build.opensuse.org/projects/Kernel:stable/ssl_certificate

  sbverify --cert ~/Downloads/ssl_certificate.txt ~/Downloads/kernel-default-5.14.10-2.1.g2878fd1.x86_64/usr/lib/modules/5.14.10-2.g2878fd1-default/vmlinuz
  Signature verification OK

The kernel package contains etc/uefi/certs/6A4E915C.crt, so you can check that
mokutil --list contains a certificate with hash starting with 6A4E915C and
enroll it if not.

Verifies with this certificate as well:

  openssl x509 --inform DER --outform PEM --in ~/Downloads/kernel-default-5.14.10-2.1.g2878fd1.x86_64/etc/uefi/certs/6A4E915C.crt > /tmp/cert
  sbverify --cert /tmp/cert ~/Downloads/kernel-default-5.14.10-2.1.g2878fd1.x86_64/usr/lib/modules/5.14.10-2.g2878fd1-default/vmlinuz
  Signature verification OK
https://bugzilla.suse.com/show_bug.cgi?id=1191480
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c3

--- Comment #3 from Yan Huang <yan.huang@suse.com> ---
The issue persists with the Kernel:stable kernel 5.14.11-1.1.g834dddd.
https://bugzilla.suse.com/show_bug.cgi?id=1191480

Yan Huang <yan.huang@suse.com> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
          Priority |P5 - None   |P3 - Medium
                CC |            |anogueiras@yahoo.es, glin@suse.com,
                   |            |lnussel@suse.com, mchang@suse.com
          Found By |---         |Field Engineer
https://bugzilla.suse.com/show_bug.cgi?id=1191480
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c4

--- Comment #4 from Michal Suchanek <msuchanek@suse.com> ---
Please verify that the output of 'mokutil --list' contains a certificate with
fingerprint starting with 6A4E915C and enroll it if not.
https://bugzilla.suse.com/show_bug.cgi?id=1191480

Jiri Slaby <jslaby@suse.com> changed:

           What    |Removed      |Added
----------------------------------------------------------------------------
          Priority |P3 - Medium  |P5 - None
             Flags |             |needinfo?(yan.huang@suse.com)
https://bugzilla.suse.com/show_bug.cgi?id=1191480
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c5

--- Comment #5 from Jiri Slaby <jslaby@suse.com> ---
Works for me:

  # mokutil --sb-state
  SecureBoot enabled
  # uname -r
  5.14.11-20.g834dddd-default
  # dmesg|grep -i Secure
  Secure boot enabled
  integrity: Loaded X.509 cert 'openSUSE Secure Boot CA: 6842600de22c4c477e95be23dfea9513e5971762'
  integrity: Loaded X.509 cert 'openSUSE Secure Boot CA: 6842600de22c4c477e95be23dfea9513e5971762'
  integrity: Loaded X.509 cert 'openSUSE Secure Boot Signkey: c8bdc7ac1a1d85966217fd93ebfc14f4a200b814'
https://bugzilla.suse.com/show_bug.cgi?id=1191480
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c6

Yan Huang <yan.huang@suse.com> changed:

           What    |Removed                        |Added
----------------------------------------------------------------------------
             Flags |needinfo?(yan.huang@suse.com)  |

--- Comment #6 from Yan Huang <yan.huang@suse.com> ---
Created attachment 853088
  --> https://bugzilla.suse.com/attachment.cgi?id=853088&action=edit
mokutil --list-enrolled

The current state of my system:

  # mokutil --sb-state
  SecureBoot enabled
  # uname -r
  5.14.9-2.gd0ace7f-default
  # dmesg | grep -i secure
  [    0.009083] Secure boot enabled
  [    1.461959] integrity: Loaded X.509 cert 'openSUSE Secure Boot CA: 6842600de22c4c477e95be23dfea9513e5971762'
  [    1.463127] integrity: Loaded X.509 cert 'openSUSE Secure Boot Signkey: 0332fa9cbf0d88bf21924b0de82a09a54d5defc8'
  [    6.485674] Bluetooth: hci0: Secure boot is enabled

~~~~~~~~~
The mentioned certificate 6A4E915C.crt has been available only since the kernel
5.14.10-2.1.g2878fd1:

  # rpm -q --whatprovides /etc/uefi/certs/6A4E915C.crt
  kernel-default-5.14.10-2.1.g2878fd1.x86_64
  kernel-default-5.14.11-1.1.g834dddd.x86_64

More information about 6A4E915C.crt:

  # openssl x509 --inform DER --outform PEM --in /etc/uefi/certs/6A4E915C.crt > /tmp/6A4E915C.crt-pem
  # openssl x509 -in /tmp/6A4E915C.crt-pem -text | grep -e Before -e After
              Not Before: Oct  5 16:48:55 2021 GMT
              Not After : Dec 14 16:48:55 2023 GMT

~~~~~~~~~
The previous, known-to-be-working kernel 5.14.9-2.1.gd0ace7f provided a
different certificate 1AA60533.crt:

  # rpm -q --whatprovides /etc/uefi/certs/1AA60533.crt
  kernel-default-5.14.9-2.1.gd0ace7f.x86_64

More information about 1AA60533.crt:

  # openssl x509 --inform DER --outform PEM --in /etc/uefi/certs/1AA60533.crt > /tmp/1AA60533.crt-pem
  # openssl x509 -in /tmp/1AA60533.crt-pem -text | grep -e Before -e After
              Not Before: Aug 11 16:46:49 2019 GMT
              Not After : Oct 19 16:46:49 2021 GMT

~~~~~~~~~
I tried to enroll the new certificate 6A4E915C.crt:

  # mokutil --import /etc/uefi/certs/6A4E915C.crt
  Already in kernel trusted keyring. Skip /etc/uefi/certs/6A4E915C.crt

However, 6A4E915C.crt is still not seen in "mokutil --list-enrolled" (judging
by the certificates' validity) - I attached the output.
https://bugzilla.suse.com/show_bug.cgi?id=1191480
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c7

Michal Suchanek <msuchanek@suse.com> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
            Status |NEW         |IN_PROGRESS
        Depends on |            |1189841

--- Comment #7 from Michal Suchanek <msuchanek@suse.com> ---
It will be enrolled only after reboot.

Thanks for verification.

There is a problem with enrolling certificates ATM which should be resolved in
some weeks.

The released Tumbleweed kernels should not be affected, but the situation is
different for the development snapshots.
https://bugzilla.suse.com/show_bug.cgi?id=1191480
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c8

--- Comment #8 from Michal Suchanek <msuchanek@suse.com> ---
Also you might need the --ignore-keyring option.
https://bugzilla.suse.com/show_bug.cgi?id=1191480
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c9

--- Comment #9 from Yan Huang <yan.huang@suse.com> ---
Created attachment 853091
  --> https://bugzilla.suse.com/attachment.cgi?id=853091&action=edit
mokutil --list-enrolled

(In reply to Michal Suchanek from comment #8)
> Also you might need the --ignore-keyring option.

Thanks a lot, Michal. The "--ignore-keyring" option worked:

  # mokutil --import /etc/uefi/certs/6A4E915C.crt --ignore-keyring
  input password:
  input password again:

After reboot, the new certificate 6A4E915C.crt is enrolled (also seen in the
attached "mokutil --list-enrolled" output) and the newest Kernel:stable kernel
5.14.11-1.1.g834dddd successfully booted with Secure Boot enabled.
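The diagnostic steps spread over comments #2, #4 and #9 (compute the fingerprint of the certificate the kernel package ships, look for it in `mokutil --list-enrolled`, verify the kernel image against the certificate with sbverify, and enroll with `--ignore-keyring` when it is missing) can be put into one script. The following is an added example for this thread, not a script from the bug report or from suse-module-tools. It assumes openssl, mokutil and sbverify are installed, that MOK fingerprints are SHA-1 over the DER certificate, and that `mokutil --list-enrolled` prints them on "SHA1 Fingerprint:" lines; the sample MOK listing is constructed (its first fingerprint is the openSUSE Secure Boot CA hash from the dmesg output above, the second is an arbitrary value).

```sh
#!/bin/sh
# Added example: check whether the DER certificates under /etc/uefi/certs are
# enrolled in MOK and verify a kernel image against one of them.
# Assumptions: openssl/mokutil/sbverify are installed; MOK fingerprints are
# SHA-1 over the DER cert, printed by mokutil on "SHA1 Fingerprint:" lines.

# Full SHA-1 fingerprint of a DER certificate, lowercase hex, no colons.
cert_fingerprint() {   # $1 = DER certificate file
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Succeed if any fingerprint in `mokutil --list-enrolled` output (stdin)
# starts with the given hex prefix, case-insensitively. A prefix such as
# 6A4E915C (the .crt basename) is what comment #2 asks to look for; a full
# fingerprint works as well.
mok_has_prefix() {     # $1 = hex prefix or full fingerprint
    prefix=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    grep '^SHA1 Fingerprint:' \
        | sed 's/^[^:]*: *//; s/://g' | tr 'A-F' 'a-f' \
        | grep -q "^$prefix"
}

# Convert the DER cert to PEM and check the kernel image signature against
# it, as done in comment #2. Succeeds when sbverify reports OK.
kernel_verifies_with() {   # $1 = DER certificate, $2 = vmlinuz
    pem=$(mktemp) || return 1
    openssl x509 -inform DER -outform PEM -in "$1" -out "$pem" \
        || { rm -f "$pem"; return 1; }
    sbverify --cert "$pem" "$2"
    rc=$?
    rm -f "$pem"
    return $rc
}

# Report each *.crt in the directory as enrolled or not. For the missing
# ones, print the enrollment command from comment #9; enrollment only takes
# effect after the reboot through MokManager.
check_uefi_certs() {   # $1 = cert directory (default /etc/uefi/certs)
    dir=${1:-/etc/uefi/certs}
    mok=$(mokutil --list-enrolled 2>/dev/null) || mok=""
    rc=0
    for crt in "$dir"/*.crt; do
        [ -e "$crt" ] || continue
        fp=$(cert_fingerprint "$crt")
        if printf '%s\n' "$mok" | mok_has_prefix "$fp"; then
            echo "enrolled:     $crt ($fp)"
        else
            echo "NOT enrolled: $crt ($fp)"
            echo "    -> mokutil --import $crt --ignore-keyring   # then reboot"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of `mokutil --list-enrolled` output for offline use.
# Key 1 is the openSUSE Secure Boot CA fingerprint seen in dmesg above; key 2
# is an arbitrary constructed value.
SAMPLE_MOK_LIST='[key 1]
SHA1 Fingerprint: 68:42:60:0d:e2:2c:4c:47:7e:95:be:23:df:ea:95:13:e5:97:17:62
Certificate:
    Data:
        Version: 3 (0x2)
[key 2]
SHA1 Fingerprint: 0a:1b:2c:3d:4e:5f:60:71:82:93:a4:b5:c6:d7:e8:f9:0a:1b:2c:3d
Certificate:
    Data:
        Version: 3 (0x2)'

# Usage on a real system:  sh check-mok.sh check [/etc/uefi/certs]
case "${1:-}" in
    check) check_uefi_certs "${2:-/etc/uefi/certs}" ;;
esac
```

Running `check-mok.sh check` on the reporter's system before comment #9 would have flagged 6A4E915C.crt as not enrolled; after the `--ignore-keyring` import and reboot it is listed as enrolled. The "Already in kernel trusted keyring" message from comment #6 is exactly the case `--ignore-keyring` overrides: the key being in the kernel's keyring does not make it trusted by shim, which only consults its embedded CA and MOK.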
https://bugzilla.suse.com/show_bug.cgi?id=1191480
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c10

--- Comment #10 from Frank Krüger <fkrueger@mailbox.org> ---
(In reply to Michal Suchanek from comment #7)
> It will be enrolled only after reboot.
> 
> Thanks for verification.
> 
> There is a problem with enrolling certificates ATM which should be resolved in
> some weeks.
> 
> The released Tumbleweed kernels should not be affected, but the situation is
> different for the development snapshots.

JFYI: "sudo mokutil --import /etc/uefi/certs/6A4E915C.crt --ignore-keyring"
works also for me after a reboot. Apart from this workaround, which kind of
solution is in sight?
https://bugzilla.suse.com/show_bug.cgi?id=1191480
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c11

Stephan Hemeier <Sauerlandlinux@gmx.de> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
                CC |            |Sauerlandlinux@gmx.de

--- Comment #11 from Stephan Hemeier <Sauerlandlinux@gmx.de> ---
Same here, with --ignore-keyring I got my key into MOK. Before it was always:

  # mokutil --import /etc/uefi/certs/F2B7BCC9.crt
  Already in kernel trusted keyring. Skip /etc/uefi/certs/F2B7BCC9.crt

And not shown in mokutil... Now, after restart, I could enroll the key and all
is working.

PS: I branch kernel:stable:backport in my repo, so I have another key.
https://bugzilla.suse.com/show_bug.cgi?id=1191480
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c12

Michal Suchanek <msuchanek@suse.com> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
             Flags |            |needinfo?(jlee@suse.com)

--- Comment #12 from Michal Suchanek <msuchanek@suse.com> ---
The key should be enrolled automagically, but the --ignore-keyring option is
not used. If it's now needed to successfully enroll the key, it needs to be
added in the scripts.
https://bugzilla.suse.com/show_bug.cgi?id=1191480
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c13

Joey Lee <jlee@suse.com> changed:

           What    |Removed                   |Added
----------------------------------------------------------------------------
             Flags |needinfo?(jlee@suse.com)  |

--- Comment #13 from Joey Lee <jlee@suse.com> ---
(In reply to Michal Suchanek from comment #12)
> The key should be enrolled automagically, but the --ignore-keyring option is
> not used. If it's now needed to successfully enroll the key, it needs to be
> added in the scripts.

I prefer to keep the logic for checking the keyring (the --ignore-keyring
option can disable it) and not add the option to the scripts.

This mokutil function was added to prevent NVRAM space from being wasted. When
a shim and a kernel are produced by the same project, the shim has an openSUSE
CA embedded, so it can verify a kernel signed by the openSUSE signkey. And the
kernel has the openSUSE signkey embedded. So we don't need to enroll the
openSUSE signkey into MOK. It saves the limited NVRAM space of the firmware.

About this issue: the user installed a kernel signed by another project
(Kernel OBS Project/emailAddress=Kernel@build.opensuse.org, in this case). So
shim's embedded CA cannot verify the non-openSUSE-signed kernel. And mokutil
finds the signkey in the kernel keyring, because it is embedded by the kernel.
So the key cannot be auto-enrolled.
https://bugzilla.suse.com/show_bug.cgi?id=1191480
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c14

--- Comment #14 from Michal Suchanek <msuchanek@suse.com> ---
But the key must be auto-enrolled, otherwise the system cannot boot.
https://bugzilla.suse.com/show_bug.cgi?id=1191480
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c25

--- Comment #25 from Swamp Workflow Management <swamp@suse.de> ---
openSUSE-RU-2021:3509-1: An update that has 5 recommended fixes can now be
installed.

Category: recommended (important)
Bug References: 1191200,1191260,1191480,1191804,1191922
CVE References: 
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    suse-module-tools-15.3.13-3.11.1
https://bugzilla.suse.com/show_bug.cgi?id=1191480
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c26

--- Comment #26 from Swamp Workflow Management <swamp@suse.de> ---
SUSE-RU-2021:3509-1: An update that has 5 recommended fixes can now be
installed.

Category: recommended (important)
Bug References: 1191200,1191260,1191480,1191804,1191922
CVE References: 
JIRA References: 
Sources used:
SUSE MicroOS 5.1 (src):    suse-module-tools-15.3.13-3.11.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    suse-module-tools-15.3.13-3.11.1

NOTE: This line indicates an update has been released for the listed
product(s). At times this might be only a partial fix. If you have questions
please reach out to maintenance coordination.
https://bugzilla.suse.com/show_bug.cgi?id=1191480
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c27

--- Comment #27 from Swamp Workflow Management <swamp@suse.de> ---
SUSE-RU-2021:3515-1: An update that has 5 recommended fixes can now be
installed.

Category: recommended (important)
Bug References: 1191200,1191260,1191480,1191804,1191922
CVE References: 
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    suse-module-tools-15.2.15-4.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    suse-module-tools-15.2.15-4.9.1

NOTE: This line indicates an update has been released for the listed
product(s). At times this might be only a partial fix. If you have questions
please reach out to maintenance coordination.
https://bugzilla.suse.com/show_bug.cgi?id=1191480
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c28

--- Comment #28 from Swamp Workflow Management <swamp@suse.de> ---
openSUSE-RU-2021:1406-1: An update that has 5 recommended fixes can now be
installed.

Category: recommended (important)
Bug References: 1191200,1191260,1191480,1191804,1191922
CVE References: 
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    suse-module-tools-15.2.15-lp152.5.9.1
https://bugzilla.suse.com/show_bug.cgi?id=1191480
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c32

Michal Suchanek <msuchanek@suse.com> changed:

           What    |Removed      |Added
----------------------------------------------------------------------------
            Status |IN_PROGRESS  |RESOLVED
            Blocks |             |1189841
        Depends on |1189841      |
        Resolution |---          |FIXED

--- Comment #32 from Michal Suchanek <msuchanek@suse.com> ---
Update released.
https://bugzilla.suse.com/show_bug.cgi?id=1191480
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c35

--- Comment #35 from Swamp Workflow Management <swamp@suse.de> ---
SUSE-RU-2021:3820-1: An update that has 9 recommended fixes can now be
installed.

Category: recommended (moderate)
Bug References: 1158817,1189841,1189879,1190598,1191200,1191260,1191480,1191804,1191922
CVE References: 
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    suse-module-tools-15.0.10-3.12.1
SUSE Linux Enterprise Server 15-LTSS (src):    suse-module-tools-15.0.10-3.12.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    suse-module-tools-15.0.10-3.12.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    suse-module-tools-15.0.10-3.12.1

NOTE: This line indicates an update has been released for the listed
product(s). At times this might be only a partial fix. If you have questions
please reach out to maintenance coordination.
https://bugzilla.suse.com/show_bug.cgi?id=1191480
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c36

--- Comment #36 from Swamp Workflow Management <swamp@suse.de> ---
SUSE-RU-2021:3869-1: An update that has 8 recommended fixes can now be
installed.

Category: recommended (moderate)
Bug References: 1189841,1189879,1190598,1191200,1191260,1191480,1191804,1191922
CVE References: 
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    suse-module-tools-15.1.23-3.19.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    suse-module-tools-15.1.23-3.19.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    suse-module-tools-15.1.23-3.19.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    suse-module-tools-15.1.23-3.19.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    suse-module-tools-15.1.23-3.19.1
SUSE Enterprise Storage 6 (src):    suse-module-tools-15.1.23-3.19.1
SUSE CaaS Platform 4.0 (src):    suse-module-tools-15.1.23-3.19.1

NOTE: This line indicates an update has been released for the listed
product(s). At times this might be only a partial fix. If you have questions
please reach out to maintenance coordination.
https://bugzilla.suse.com/show_bug.cgi?id=1191480
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c37

--- Comment #37 from Swamp Workflow Management <swamp@suse.de> ---
SUSE-RU-2021:3966-1: An update that has 8 recommended fixes can now be
installed.

Category: recommended (moderate)
Bug References: 1189841,1189879,1190598,1191200,1191260,1191480,1191804,1191922
CVE References: 
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    suse-module-tools-12.11-3.8.1

NOTE: This line indicates an update has been released for the listed
product(s). At times this might be only a partial fix. If you have questions
please reach out to maintenance coordination.
https://bugzilla.suse.com/show_bug.cgi?id=1191480
https://bugzilla.suse.com/show_bug.cgi?id=1191480#c38

--- Comment #38 from Swamp Workflow Management <swamp@suse.de> ---
SUSE-RU-2021:3970-1: An update that has 8 recommended fixes can now be
installed.

Category: recommended (moderate)
Bug References: 1189841,1189879,1190598,1191200,1191260,1191480,1191804,1191922
CVE References: 
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    suse-module-tools-12.6.1-27.6.1
SUSE OpenStack Cloud Crowbar 8 (src):    suse-module-tools-12.6.1-27.6.1
SUSE OpenStack Cloud 9 (src):    suse-module-tools-12.6.1-27.6.1
SUSE OpenStack Cloud 8 (src):    suse-module-tools-12.6.1-27.6.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    suse-module-tools-12.6.1-27.6.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    suse-module-tools-12.6.1-27.6.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    suse-module-tools-12.6.1-27.6.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    suse-module-tools-12.6.1-27.6.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    suse-module-tools-12.6.1-27.6.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    suse-module-tools-12.6.1-27.6.1
HPE Helion Openstack 8 (src):    suse-module-tools-12.6.1-27.6.1

NOTE: This line indicates an update has been released for the listed
product(s). At times this might be only a partial fix. If you have questions
please reach out to maintenance coordination.