[TW] SB shim seems to be broken
Hey, tried to install TW today on a secondary machine, but the install ISO and installed system don't boot because my firmware tells me the shim can't be verified: security violation, and shuts off.
Running this on the latest Dell Latitude 5490 UEFI firmware (as of today - 1.28.0) with only the MS and MS third-party key in the database.
On 04.07.2023 15:28, Richard Rahl wrote:
> Hey, tried to install TW today on a secondary machine, but the install ISO and installed system don't boot because my firmware tells me the shim can't be verified: security violation, and shuts off.
> Running this on the latest Dell Latitude 5490 UEFI firmware (as of today - 1.28.0) with only the MS and MS third-party key in the database.
Have you ever booted any other Linux (like the Leap 15.5 ISO) on this system? Tumbleweed is using an old shim; the question is who blacklists it.
Yes, Leap 15.5 boots fine with SB enabled. Any other distro I tried also works fine (Debian 11 and Debian 12).
On Wed, Jul 5, 2023 at 9:41 AM Richard Rahl <rrahl0@proton.me> wrote:
> Yes, Leap 15.5 boots fine with SB enabled. Any other distro I tried also works fine (Debian 11 and Debian 12).
https://bugzilla.suse.com/show_bug.cgi?id=1209985

The Leap shim installs the permanent UEFI variable that blacklists the too-old shim still used in Tumbleweed. This variable is boot time only (you cannot remove it from within a loaded Linux); you must use mokutil. It is possible to remove this variable and set another variable that will prevent shim from installing too aggressive a policy. You need a live image with a recent enough shim and mokutil.

But yes, right now Leap and Tumbleweed on the same system with Secure Boot is a challenge. It may change after kernel 6.4 is released (this kernel implements lockdown with Secure Boot, which is the mandatory requirement for Microsoft to sign a new shim).
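A read-only check of the mechanism described in the last reply, as an added example that is not part of the thread. It assumes the blacklisting variable is shim's SBAT revocation level (`SbatLevel`, a CSV of component and minimum generation), which the thread does not name, and compares it with the `.sbat` metadata of a shim binary; the function names are hypothetical and all sample data is constructed.

```python
import csv
import io

def strip_efivarfs_attrs(raw: bytes) -> str:
    """efivarfs files start with a 4-byte attribute word; the payload follows."""
    return raw[4:].decode("ascii", errors="replace")

def parse_sbat(text: str) -> dict:
    """Parse SBAT CSV into {component: generation}; extra columns are ignored."""
    levels = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or not row[0].strip():
            continue  # blank or malformed line
        try:
            levels[row[0].strip()] = int(row[1])
        except ValueError:
            continue  # generation field is not a number
    return levels

def revoked_components(binary_sbat: str, sbat_level: str) -> list:
    """Return (component, binary_generation, minimum_generation) for every
    component of the binary that is below the installed revocation level."""
    have = parse_sbat(binary_sbat)
    need = parse_sbat(sbat_level)
    return sorted((name, have[name], minimum)
                  for name, minimum in need.items()
                  if name in have and have[name] < minimum)

# Constructed sample: .sbat section of an older shim (vendor line is made up).
OLD_SHIM_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://example.invalid/SBAT.md\n"
    "shim,1,UEFI shim,shim,1,https://example.invalid/shim\n"
    "shim.example,1,Example Distro,shim,0,https://example.invalid\n"
)
# Constructed sample: the same layout for a newer shim build.
NEW_SHIM_SBAT = OLD_SHIM_SBAT.replace("shim,1,UEFI shim", "shim,3,UEFI shim")
# Constructed sample: raw efivarfs content of a revocation variable that a
# newer shim from another installed distro could have written.
RAW_LEVEL = b"\x06\x00\x00\x00sbat,1,2023010100\nshim,2\ngrub,3\n"

if __name__ == "__main__":
    level = strip_efivarfs_attrs(RAW_LEVEL)
    for label, sbat in (("old shim", OLD_SHIM_SBAT), ("new shim", NEW_SHIM_SBAT)):
        hits = revoked_components(sbat, level)
        print(label, "-> REVOKED" if hits else "-> ok", hits)
```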
participants (2)
- Andrei Borzenkov
- Richard Rahl