Secure Boot failed on Ubuntu 14.04 on Dell E7440

Bug #1489987 reported by alkamid
Affects: shim (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

(I'm following instructions from https://help.ubuntu.com/community/UEFI to report this here)

On 2/07/2015 my Ubuntu 14.04 refused to boot because of the Secure Boot check failure. These are apt logs from the period before the failure:

Start-Date: 2015-07-01 16:15:26
Commandline: apt-get install python-igraph
Install: libigraph0:amd64 (0.6.5-5, automatic), python-igraph:amd64 (0.6.5-1), libarpack2:amd64 (3.1.5-2, automatic)
End-Date: 2015-07-01 16:15:28

Start-Date: 2015-06-29 19:24:14
Commandline: apt-get purge -y fonts-dejavu-core
Purge: fonts-dejavu-extra:amd64 (2.34-1ubuntu1), ubuntu-desktop:amd64 (1.325), stellarium-data:amd64 (0.12.4-1), stellarium:amd64 (0.12.4-1), plymouth-label:amd64 (0.8.8-0ubuntu17.1), plymouth-theme-ubuntu-logo:amd64 (0.8.8-0ubuntu17.1), fonts-dejavu-core:amd64 (2.34-1ubuntu1)
End-Date: 2015-06-29 19:24:36

Start-Date: 2015-06-29 19:24:39
Commandline: apt-get install fonts-dejavu-core -y
Install: fonts-dejavu-core:amd64 (2.34-1ubuntu1)
End-Date: 2015-06-29 19:24:42

Start-Date: 2015-06-29 19:24:52
Commandline: apt-get autoremove
Remove: linux-tools-3.13.0-54-generic:amd64 (3.13.0-54.91), linux-tools-3.16.0-39-generic:amd64 (3.16.0-39.53~14.04.1), linux-lts-utopic-tools-3.16.0-39:amd64 (3.16.0-39.53~14.04.1), linux-tools-3.13.0-54:amd64 (3.13.0-54.91)
End-Date: 2015-06-29 19:24:53

/boot/efi/EFI/ubuntu$ ls -l
total 2592
-rwxr-xr-x 1 root root 126 May 18 21:35 grub.cfg
-rwxr-xr-x 1 root root 119296 Jul 2 06:58 grubx64.efi
-rwxr-xr-x 1 root root 1178240 May 18 21:35 MokManager.efi
-rwxr-xr-x 1 root root 1355736 May 18 21:35 shimx64.efi

'efibootmgr -v' does not output anything.

So I didn't even upgrade anything on that day (although I'm not sure when I rebooted). I'm on Dell E7440, Ubuntu is the only OS installed. When I switched off Secure Boot in BIOS, it booted fine. Is this an indication that my OS was tampered with? If not, might this be a bug?

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: shim 0.8-0ubuntu2
ProcVersionSignature: Ubuntu 3.13.0-39.66-generic 3.13.11.8
Uname: Linux 3.13.0-39-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.13
Architecture: amd64
CurrentDesktop: Unity
Date: Fri Aug 28 19:03:03 2015
Dependencies:

EcryptfsInUse: Yes
InstallationDate: Installed on 2014-10-17 (314 days ago)
InstallationMedia: Ubuntu 14.04.1 LTS "Trusty Tahr" - Release amd64 (20140722.2)
SourcePackage: shim
UpgradeStatus: No upgrade log present (probably fresh install)

alkamid (adamkli) wrote :
Steve Langasek (vorlon) wrote :

So just to be sure, you're saying that this was an existing system which was installed with 14.04 and was working fine, then after upgrade, it stopped working?

Please attach to this bug:

 - a copy of /var/log/apt/term.log
 - a directory listing of /boot/efi/EFI/ubuntu/
 - the output of 'efibootmgr -v'

Changed in shim (Ubuntu):
status: New → Incomplete
alkamid (adamkli) wrote :

As per @vorlon's request.

description: updated
alkamid (adamkli) wrote :

@vorlon correct, this was an existing system and it worked fine.

Steve Langasek (vorlon) wrote :

Is the attached file /var/log/apt/term.log? The filename (and the contents) suggests this was /var/log/apt/term.log.1 instead.

Also need the information about the current state of your efi boot partition and firmware settings (/boot/efi/EFI/ubuntu, efibootmgr -v).

alkamid (adamkli) wrote :

Yes, it was term.log, but since this all happened two months ago, the relevant log was already archived. I'm now attaching it with the correct name. Also I pasted the other outputs in the original post, but I'll repaste them here as well for clarity:

/boot/efi/EFI/ubuntu$ ls -l
total 2592
-rwxr-xr-x 1 root root 126 May 18 21:35 grub.cfg
-rwxr-xr-x 1 root root 119296 Jul 2 06:58 grubx64.efi
-rwxr-xr-x 1 root root 1178240 May 18 21:35 MokManager.efi
-rwxr-xr-x 1 root root 1355736 May 18 21:35 shimx64.efi

'efibootmgr -v' does not output anything.

alkamid (adamkli) wrote :

Steve, please do tell me if my present term.log (which does not cover the time when Secure Boot failed) might be of relevance here. If so, I'll attach it as well.

Steve Langasek (vorlon) wrote :

OK, thanks for the clarification. I overlooked that this problem started affecting you two months ago; I didn't expect a bug report would be based on a boot problem from so long ago.

A few things:
 - your file timestamps date back to May. Can you attach the apt term log for *this* period? (which should be /var/log/apt/term.log.3.gz)
 - you reported this bug against shim 0.8-0ubuntu2, however the files listed in your /boot/efi/EFI/ubuntu directory do not match this version. Do you have the shim-signed package installed at all?
 - your grubx64.efi looks too small to be the one from grub-efi-amd64-signed, by a factor of 4. Do you have grub-efi-amd64-signed installed?
 - if 'efibootmgr -v' returns no results, this means Ubuntu is unable to detect any configured EFI boot options on your system. Did you change your system to boot in BIOS mode, and not just disable secureboot?

Since you report this against shim version 0.8-0ubuntu2, which has not yet been released as an SRU to trusty-updates, this means that you have trusty-proposed enabled and have installed shim from there. There's a good chance that you did this at a time that no corresponding version of shim-signed was available in trusty-proposed, causing this package to be removed from your system. Running systems with -proposed enabled is not generally recommended for end users, and this kind of package removal is an unavoidable consequence of doing so.

alkamid (adamkli) wrote :
alkamid (adamkli) wrote :

1. I attached the log from May.
2. I have shim-signed 1.9+0.8-0ubuntu2 installed.
3. I don't have grub-efi-amd64-signed installed (and didn't have it when Secure Boot was enabled). Should I?
4. I only disabled secureboot.

You are right about trusty-proposed. I disabled them now.

Steve Langasek (vorlon) wrote :

OK, so the term.log.3.gz shows the upgrade from May 18, and it appears that at that time you *did* have grub-efi-amd64-signed installed and probably also shim-signed.

The timestamp on the grubx64.efi is from July 2, which is when you say the problem started. But your apt log for this time period does not show any package changes at that time.

Please also attach /var/log/apt/term.log.2.gz for completeness.

Steve Langasek (vorlon)
tags: added: bot-stop-nagging
alkamid (adamkli) wrote :
Steve Langasek (vorlon) wrote :

term.log.2.gz also doesn't show any changes during June that would explain the setup being trashed by the time July arrived.

If you really never had grub-efi-amd64-signed installed, then this should never have worked under SecureBoot.

Please do the following:

 - attach the output of "dpkg -l 'shim*' 'grub*'"
 - sudo apt-get install shim-signed grub-efi-amd64-signed
 - paste the new output of ls -l /boot/efi/EFI/ubuntu

alkamid (adamkli) wrote :

$ dpkg -l 'shim*' 'grub*'
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=============================================-===========================-===========================-===============================================================================================
un grub <none> <none> (no description available)
ii grub-common 2.02~beta2-9ubuntu1.3 amd64 GRand Unified Bootloader (common files)
un grub-coreboot <none> <none> (no description available)
un grub-doc <none> <none> (no description available)
un grub-efi <none> <none> (no description available)
ii grub-efi-amd64 2.02~beta2-9ubuntu1.3 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 version)
ii grub-efi-amd64-bin 2.02~beta2-9ubuntu1.3 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 binaries)
un grub-efi-ia32 <none> <none> (no description available)
un grub-efi-ia64 <none> <none> (no description available)
un grub-emu <none> <none> (no description available)
un grub-ieee1275 <none> <none> (no description available)
un grub-legacy <none> <none> (no description available)
un grub-legacy-doc <none> <none> (no description available)
un grub-linuxbios <none> <none> (no description available)
un grub-pc <none> <none> (no description available)
un grub-xen <none> <none> (no description available)
un grub-yeeloong <none> <none> (no description available)
un grub2 <none> <none> (no description available)
ii grub2-common 2.02~beta2-9ubuntu1.3 amd64 GRand Unified Bootloader (common files for version 2)
ii shim ...

alkamid (adamkli) wrote :

I enabled Secure Boot and it's working now, thanks for the help. But still, I'm absolutely sure that I got this secure boot failure on 02/07 and I had to disable it in order to boot.

Steve Langasek (vorlon) wrote :

Ok. Installing grub-efi-amd64-signed was expected to fix the SecureBoot bootability, so this was the problem. The logs provide no explanation of why this package was missing from your system, however, so there's nothing more we can do from this side to track that down. If you can find some explanation for this in your logs, feel free to reopen the bug.

Changed in shim (Ubuntu):
status: Incomplete → Invalid