I tested out the new shim-signed (1.41+15+1552672080.a4a1fbe-0ubuntu1) on arm64 today. Unfortunately, I was unable to boot a kernel. I tried manually running commands in the GRUB shell to try and get more info, and here's the error I get:
grub> insmod gzio
grub> linux (hd0,gpt1)/boot/vmlinuz-5.4.0-13-generic
grub> boot
error: cannot load image.
This is better than it was previously - shim used to crash before starting GRUB (bug 1811901 and bug 1811722). But obviously there are still issues somewhere. Prior to this shim binary being signed, I believe I had tested the unsigned binary in a VM using a custom signing certificate. I think I still have that VM around, so I may be able to use it for comparison.
= My setup =
I tried to make this test simulate a real setup as much as possible. Here's roughly what I did:
Installed an arm64 server w/ bionic
# need a new QEMU for EnrollDefaultKeys.efi
sudo apt-add-repository cloud-archive:train
sudo apt update
sudo apt install uvtool
sudo gpasswd -a ubuntu libvirt
# log out/back in
# no focal images yet
uvt-simplestreams-libvirt -v sync release=eoan
uvt-kvm create focal arch=arm64 release=eoan
uvt-kvm wait focal
uvt-kvm ssh focal
guest> sudo sed -i 's/eoan/focal/' /etc/apt/sources.list
guest> # Also enabled focal-proposed to get latest shim-signed
guest> sudo apt update
guest> sudo apt dist-upgrade
guest> sudo apt install shim-signed
guest> sudo grub-install
# On an x86 host, I built the latest edk2 package and copied out the AARCH64 build of
# EnrollDefaultKeys.efi. I scp'd this over to the focal guest, and put it in the EFI
# system partition
guest> sudo poweroff
virsh edit focal
# Add the following to inject the PK/KEK keys:
# <qemu:commandline>
# <qemu:arg value='-smbios'/>
# <qemu:arg value='type=11,value=4e32566d-8e9e-4f52-81d3-5bb9715f9727:<base64 DER of the PK/KEK certificate, omitted here>'/>
# </qemu:commandline>
#
virsh start focal; virsh console focal
# Interrupt focal boot, drop to an EFI shell, then run the following
# which will load the PK/KEK1 and Microsoft keys and enable SecureBoot
Shell> fs0:
FS0:\> EnrollDefaultKeys.efi
info: SetupMode=1 SecureBoot=0 SecureBootEnable=0 CustomMode=0 VendorKeys=1
info: SetupMode=0 SecureBoot=1 SecureBootEnable=1 CustomMode=0 VendorKeys=0
info: success
FS0:\> reset -s
# Then, finally, try and boot in SB mode:
virsh start focal; virsh console focal
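The PK/KEK injection step above relies on a single SMBIOS type 11 OEM string of the form `<GUID>:<base64 DER certificate>`, which is easy to get wrong when a certificate is pasted by hand (line wrapping, PEM headers left in). The helper below, an added example that is not part of the original comment or of edk2, builds and checks that string from a PEM certificate and renders the `<qemu:commandline>` fragment; the GUID is the one from the comment, and the sample certificate is a constructed DER stand-in, not a real key.

```python
import base64
import re

# GUID that EnrollDefaultKeys.efi looks for in SMBIOS type 11 OEM strings (taken from the comment above).
ENROLL_PK_KEK_GUID = "4e32566d-8e9e-4f52-81d3-5bb9715f9727"

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """Extract the first certificate from PEM text and return its DER bytes."""
    m = _PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    # A DER X.509 certificate is an ASN.1 SEQUENCE (tag 0x30); reject anything else early.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    return der


def oem_string_for_cert(der: bytes) -> str:
    """Build the '<GUID>:<base64 DER>' OEM string with no whitespace inside the base64."""
    return f"{ENROLL_PK_KEK_GUID}:{base64.b64encode(der).decode('ascii')}"


def parse_oem_string(value: str) -> bytes:
    """Validate an OEM string copied from a domain XML and return the DER certificate it carries."""
    guid, sep, b64 = value.partition(":")
    if sep != ":" or guid.lower() != ENROLL_PK_KEK_GUID:
        raise ValueError("OEM string does not carry the EnrollDefaultKeys PK/KEK GUID")
    if any(ch.isspace() for ch in b64):
        raise ValueError("base64 payload contains whitespace (line-wrap damage?)")
    return base64.b64decode(b64, validate=True)


def libvirt_commandline_xml(oem_string: str) -> str:
    """Render the <qemu:commandline> fragment to paste into `virsh edit`.

    The <domain> element must also declare xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'.
    """
    if "'" in oem_string:
        raise ValueError("OEM string must not contain a single quote")
    return ("<qemu:commandline>\n"
            "  <qemu:arg value='-smbios'/>\n"
            f"  <qemu:arg value='type=11,value={oem_string}'/>\n"
            "</qemu:commandline>\n")


# Constructed stand-in: a tiny DER SEQUENCE (not a real X.509 certificate) so the block runs offline.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode("ascii") + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(libvirt_commandline_xml(oem_string_for_cert(pem_to_der(SAMPLE_PEM))), end="")
```

For a real certificate, read the PEM file instead of SAMPLE_PEM; the base64 in the resulting OEM string is simply the PEM body with its line breaks removed.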