Secure boot failed, claiming boot is against security policy

Bug #1184297 reported by Petter Reinholdtsen on 2013-05-26
36
This bug affects 6 people
Affects Status Importance Assigned to Milestone
base-installer (Ubuntu)
High
Stéphane Graber
Precise
High
Stéphane Graber
grub-installer (Ubuntu)
High
Stéphane Graber
Precise
High
Stéphane Graber
grub2 (Ubuntu)
High
Stéphane Graber
Precise
High
Stéphane Graber
grub2-signed (Ubuntu)
High
Stéphane Graber
Precise
High
Stéphane Graber
ubiquity (Ubuntu)
High
Stéphane Graber
Precise
High
Stéphane Graber

Bug Description

--- SRU ---
== Rational ==
Some machines aren't detected as using SecureBoot at installation time, however require SecureBoot post-installation. The easiest way to deal with this is to install shim-signed, grub-efi-amd64-signed and linux-image-signed on every UEFI machine.

== Test case ==
1) Install the 64bit version of Ubuntu on a UEFI machine with SecureBoot disabled
2) Check that linux-image-signed-*, grub-efi-amd64-signed and shim-signed are installed post-install
3) Check that sudo efibootmgr -v reports the Ubuntu entry as booting shimx64.efi

== Regression potential ==
This will significantly widen the range of machines that will boot through the shim so it's not impossible that a shim bug could prevent some of them from booting.
However I don't think this is a huge issue as the livecd itself already boots through shim, so if they managed to install Ubuntu in the first place, it should still work once that change lands.

--- original bug report ---
I've struggled to install Linux on a Packard Bell EasyNote LV11HC, without having to accept the Windows 8 license, and my progress is documented in http://www.linlap.com/packard_bell_easynote_lv . Had to pull the hard drive and install to a USB stick to be able to get into the firmware menu and enable the F12 boot menu. After finally being able to install Ubuntu 13.04 on the hard drive, the UEFI firmware refused to boot the hard drive, claiming it was against the security policy. I was able to boot Ubuntu by powering on again and using F12 to pick the hard drive.

No idea what is wrong, but can help with debugging the next few days before I switch to legacy BIOS and put it into production.

ProblemType: Bug
DistroRelease: Ubuntu 13.04
Package: shim 0~20120906.bcd0a4e8-0ubuntu4
ProcVersionSignature: Ubuntu 3.8.0-22.33-generic 3.8.11
Uname: Linux 3.8.0-22-generic x86_64
ApportVersion: 2.9.2-0ubuntu8
Architecture: amd64
Date: Sun May 26 11:14:38 2013
Dependencies:

InstallationDate: Installed on 2013-05-26 (0 days ago)
InstallationMedia: Ubuntu 13.04 "Raring Ringtail" - Release amd64 (20130424)
MarkForUpload: True
SourcePackage: shim
UpgradeStatus: No upgrade log present (probably fresh install)

After booting using F12, the machine suddenly started booting directly from HD without any manual intervention needed. I did install scim in the mean time, but given that scim-signed already was installed, I doubt it had any effect on this.

Steve Langasek (vorlon) wrote :

So http://mjg59.dreamwidth.org/24869.html explains why you needed to pull the hard drive. It does not explain why you would get an error about security policy. Can you attach the output of the following three commands on the affected machine:

sudo efibootmgr -v
od -tx1 /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
od -tx1 /sys/firmware/efi/efivars/SecureBootEnforce-59d1c24f-50f1-401a-b101-f33e0daed443

It is also potentially useful to have the contents of these files attached:
/sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f

Changed in shim (Ubuntu):
status: New → Incomplete

[Steve Langasek]
> So http://mjg59.dreamwidth.org/24869.html explains why you needed to
> pull the hard drive.

Yeah. This really suck!

> It does not explain why you would get an error about security
> policy. Can you attach the output of the following three commands
> on the affected machine:
>
> sudo efibootmgr -v
> od -tx1 /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
> od -tx1 /sys/firmware/efi/efivars/SecureBootEnforce-59d1c24f-50f1-401a-b101-f33e0daed443
>
> It is also potentially useful to have the contents of these files attached:
> /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
> /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f

Sure.

root@mariwan-EasyNote-LV11HC:~# efibootmgr -v
BootCurrent: 0000
Timeout: 2 seconds
BootOrder: 0000
Boot0000* HDD1: HD(1,800,5f000,da6c4276-2f04-4eab-a3e2-4c2be0e3aa63)File(\EFI\ubuntu\grubx64.efi)RC
Boot0001* Atheros Boot Agent BIOS(80,0,95)........................{..............................................
Boot0004* MATSHITA DVD-RAM UJ8E1 BIOS(3,500,da)................-...........A......#...................................
Boot0005* ST500LT012-9WS142 BIOS(2,500,1f)................-...........A......2...................................
root@mariwan-EasyNote-LV11HC:~# od -tx1 /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
0000000 17 00 00 00 00
0000005
root@mariwan-EasyNote-LV11HC:~# od -tx1 /sys/firmware/efi/efivars/SecureBootEnforce-59d1c24f-50f1-401a-b101-f33e0daed443
0000000 17 00 00 00 00
0000005
root@mariwan-EasyNote-LV11HC:~#

--
Happy hacking
Petter Reinholdtsen

Steve Langasek (vorlon) wrote :

FYI, the contents of the SecureBoot efi variables show that SecureBoot is not enabled on this system at the time this was run. And the efibootmgr output shows that grub is being booted directly, not going through shim-signed, which would not be valid if SecureBoot is enabled. So it looks like this is a problem with shim+grub not being configured correctly on installation.

affects: shim (Ubuntu) → grub-installer (Ubuntu)
Changed in grub-installer (Ubuntu):
importance: Undecided → High
status: Incomplete → New
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in grub-installer (Ubuntu):
status: New → Confirmed
Steve Langasek (vorlon) wrote :

Bug #1195950 appears to be the same issue on different hardware. There definitely seems to be an issue with installs winding up without shim-signed installed when they need to have it.

Steve Langasek (vorlon) wrote :

I've reviewed the KEK and db from this system, and they appear to contain the necessary third-party marketplace key as expected. So the only issue I see is that the system has not been configured to use shim-signed on installation.

Changed in grub-installer (Ubuntu Precise):
status: New → Triaged
Changed in grub-installer (Ubuntu):
status: Confirmed → Triaged
Changed in grub-installer (Ubuntu Precise):
importance: Undecided → High
milestone: none → ubuntu-12.04.3

Is there anything I can do to help debug this issue? I left the installer to do its job automatically, and thus do not know what I could have done differently.

Steve Langasek (vorlon) on 2013-07-15
Changed in grub-installer (Ubuntu Precise):
assignee: nobody → Stéphane Graber (stgraber)
Changed in grub-installer (Ubuntu):
assignee: nobody → Stéphane Graber (stgraber)
Stéphane Graber (stgraber) wrote :

So after some discussion we just had with Colin and Steve, the conclusion is that we'll change grub2 and the installer to always install shim-signed on UEFI machines and have all machines secureboot or not go through the shim at boot time.

That way we won't need to rely on the state of the machine at grub installation time to know which binary to use.

Changed in ubiquity (Ubuntu):
status: New → Triaged
Changed in ubiquity (Ubuntu Precise):
status: New → Triaged
Changed in grub2 (Ubuntu):
status: New → Triaged
Changed in grub2 (Ubuntu Precise):
status: New → Triaged
Changed in grub2 (Ubuntu):
importance: Undecided → High
Changed in grub2 (Ubuntu Precise):
importance: Undecided → High
Changed in ubiquity (Ubuntu):
importance: Undecided → High
Changed in ubiquity (Ubuntu Precise):
importance: Undecided → High
assignee: nobody → Stéphane Graber (stgraber)
Changed in grub2 (Ubuntu Precise):
assignee: nobody → Stéphane Graber (stgraber)
Changed in grub2 (Ubuntu):
assignee: nobody → Stéphane Graber (stgraber)
Changed in ubiquity (Ubuntu Precise):
milestone: none → ubuntu-12.04.3
Changed in grub2 (Ubuntu Precise):
milestone: none → ubuntu-12.04.3
Changed in ubiquity (Ubuntu):
assignee: nobody → Stéphane Graber (stgraber)
Changed in grub-installer (Ubuntu):
status: Triaged → In Progress
Changed in grub2 (Ubuntu):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub-installer - 1.78ubuntu8

---------------
grub-installer (1.78ubuntu8) saucy; urgency=low

  * Always use grub-efi-amd64-signed on 64bit UEFI systems instead of
    relying on SecureBoot detection. (LP: #1184297)
 -- Stephane Graber <email address hidden> Thu, 18 Jul 2013 15:41:07 -0400

Changed in grub-installer (Ubuntu):
status: In Progress → Fix Released
Changed in grub2-signed (Ubuntu):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Stéphane Graber (stgraber)
Changed in grub2-signed (Ubuntu Precise):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Stéphane Graber (stgraber)
Changed in grub2-signed (Ubuntu):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 2.00-15ubuntu2

---------------
grub2 (2.00-15ubuntu2) saucy; urgency=low

  * Add ubuntu_shim_by_default.patch that makes any EFI system boot into
    the shim (if installed) even if SecureBoot is disabled. (LP: #1184297)
 -- Stephane Graber <email address hidden> Thu, 18 Jul 2013 15:40:25 -0400

Changed in grub2 (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-signed - 1.15

---------------
grub2-signed (1.15) saucy; urgency=low

  * Rebuild against grub-efi-amd64 2.00-15ubuntu2. (LP: #1184297)
 -- Stephane Graber <email address hidden> Thu, 18 Jul 2013 16:18:49 -0400

Changed in grub2-signed (Ubuntu):
status: In Progress → Fix Released
Changed in ubiquity (Ubuntu):
status: Triaged → In Progress
Changed in grub2-signed (Ubuntu Precise):
milestone: none → ubuntu-12.04.3
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubiquity - 2.15.10

---------------
ubiquity (2.15.10) saucy; urgency=low

  [ Kaj Ailomaa ]
  * Change Ubuntu Studio background in ubiquity-dm.

  [ Jeremy Bicha ]
  * Don't tell automake to install everything to ubiquity-frontend-gtk and
    try to clean up after
  * Reorganize app icon handling
    - Fixes missing app icon in GNOME Shell (LP: #1164573)
    - Use improved icon from Humanity as fallback icon
  * Update *.install files for above changes
  * Fix minor lintian warning by not installing empty /usr/share/applications/

  [ Aurélien Gâteau ]
  * KDE: Set icon theme to Oxygen, shows icons on standalone Ubiquity

  [ Dan Chapman ]
  * Add initial autopilot support! UI testing, brave new world!

  [ Stéphane Graber ]
  * Install the shim and signed grub and kernels by default on all UEFI
    machines instead of relying on the SecureBoot nvram variable.
    (LP: #1184297)
  * Automatic update of included source packages: bterm-unifont 1.3,
    grub-installer 1.78ubuntu8, partconf 1.42, partman-basicmethods 54,
    partman-jfs 40, partman-reiserfs 55, partman-xfs 52.
  * Fix mix tabs/spaces in test_ubiquity_custom.py.
  * Fix autopkgtests not passing pyflakes.
 -- Stephane Graber <email address hidden> Thu, 18 Jul 2013 18:10:17 -0400

Changed in ubiquity (Ubuntu):
status: In Progress → Fix Released
Stéphane Graber (stgraber) wrote :

So it looks like we also need a change to base-installer if we want the signed kernel to be installed (absolutely necessary until shim is fixed to work with unsigned kernels on Lenovo machines).

Changed in ubiquity (Ubuntu):
status: Fix Released → Triaged
Changed in base-installer (Ubuntu):
assignee: nobody → Stéphane Graber (stgraber)
importance: Undecided → High
status: New → Triaged
Changed in base-installer (Ubuntu Precise):
assignee: nobody → Stéphane Graber (stgraber)
importance: Undecided → High
milestone: none → ubuntu-12.04.3
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package base-installer - 1.122ubuntu16

---------------
base-installer (1.122ubuntu16) saucy; urgency=low

  * Install the signed kernels on any 64bit UEFI machine. (LP: #1184297)
 -- Stephane Graber <email address hidden> Fri, 19 Jul 2013 11:30:15 -0400

Changed in base-installer (Ubuntu):
status: Triaged → Fix Released
description: updated
Changed in base-installer (Ubuntu Precise):
status: Triaged → In Progress
Changed in grub2 (Ubuntu Precise):
status: Triaged → In Progress
Changed in grub-installer (Ubuntu Precise):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubiquity - 2.15.11

---------------
ubiquity (2.15.11) saucy; urgency=low

  * Automatic update of included source packages: base-installer
    1.122ubuntu16, partman-newworld 30. (LP: #1184297)
 -- Stephane Graber <email address hidden> Fri, 19 Jul 2013 13:00:57 -0400

Changed in ubiquity (Ubuntu):
status: Triaged → Fix Released

Hello Petter, or anyone else affected,

Accepted base-installer into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/base-installer/1.122ubuntu7.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in base-installer (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
Steve Langasek (vorlon) wrote :

Hello Petter, or anyone else affected,

Accepted grub-installer into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/grub-installer/1.68ubuntu5.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in grub-installer (Ubuntu Precise):
status: In Progress → Fix Committed
Steve Langasek (vorlon) wrote :

Hello Petter, or anyone else affected,

Accepted grub2 into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/grub2/1.99-21ubuntu3.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in grub2 (Ubuntu Precise):
status: In Progress → Fix Committed
Changed in grub2-signed (Ubuntu Precise):
status: Triaged → In Progress
Changed in ubiquity (Ubuntu Precise):
status: Triaged → In Progress
Adam Conrad (adconrad) wrote :

Hello Petter, or anyone else affected,

Accepted grub2-signed into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/grub2-signed/1.9~ubuntu12.04.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in grub2-signed (Ubuntu Precise):
status: In Progress → Fix Committed
Adam Conrad (adconrad) wrote :

Hello Petter, or anyone else affected,

Accepted ubiquity into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/ubiquity/2.10.26 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in ubiquity (Ubuntu Precise):
status: In Progress → Fix Committed
Stéphane Graber (stgraber) wrote :

Tested this in OVMF, confirmed that the old precise image wouldn't install the signed packages and would boot an unsigned grub.
The new image (latest daily using proposed) now installs all the signed file and boots through shimx64.

The only difference I noticed is 5 efi disk errors when booting under OVMF, those for some reason only appear with the signed grub but after a bit of debug time with Colin, it seems to be related to two broken floppy images being exposed by OVMF so it shouldn't actually show up on any actual hardware (unless they have a firmware as broken as OVMF).

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package base-installer - 1.122ubuntu7.3

---------------
base-installer (1.122ubuntu7.3) precise-proposed; urgency=low

  * Install the signed kernels on any 64bit UEFI machine. (LP: #1184297)
 -- Stephane Graber <email address hidden> Fri, 19 Jul 2013 14:10:26 -0400

Changed in base-installer (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub-installer - 1.68ubuntu5.2

---------------
grub-installer (1.68ubuntu5.2) precise-proposed; urgency=low

  * Always use grub-efi-amd64-signed on 64bit UEFI systems instead of
    relying on SecureBoot detection. (LP: #1184297)
 -- Stephane Graber <email address hidden> Fri, 19 Jul 2013 14:11:15 -0400

Changed in grub-installer (Ubuntu Precise):
status: Fix Committed → Fix Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 1.99-21ubuntu3.10

---------------
grub2 (1.99-21ubuntu3.10) precise-proposed; urgency=low

  * Add ubuntu_shim_by_default.patch that makes any EFI system boot into
    the shim (if installed) even if SecureBoot is disabled. (LP: #1184297)
 -- Stephane Graber <email address hidden> Fri, 19 Jul 2013 14:14:16 -0400

Changed in grub2 (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-signed - 1.9~ubuntu12.04.4

---------------
grub2-signed (1.9~ubuntu12.04.4) precise-proposed; urgency=low

  * Rebuild against grub-efi-amd64 1.99-21ubuntu3.10. (LP: #1184297)
 -- Stephane Graber <email address hidden> Fri, 19 Jul 2013 20:03:16 -0400

Changed in grub2-signed (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubiquity - 2.10.26

---------------
ubiquity (2.10.26) precise-proposed; urgency=low

  * Automatic update of included source packages: base-installer
    1.122ubuntu7.3, grub-installer 1.68ubuntu5.2. (LP: #1184297)
  * Install the shim and signed grub and kernels by default on all UEFI
    machines instead of relying on the SecureBoot nvram variable.
    (LP: #1184297)
 -- Stephane Graber <email address hidden> Fri, 19 Jul 2013 19:59:43 -0400

Changed in ubiquity (Ubuntu Precise):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers