Ubuntu
sbsigntool package

  1. Bug #1274749
  2. Activity log

Activity log for bug #1274749

Date Who What changed Old value New value Message
2014-01-30 23:06:17 Jamie Strandboge bug added bug
2014-01-30 23:06:39 Jamie Strandboge summary sbkeysync fails with 'Can't access efivars filesystem at /sys/firmware/efi/efivars, aborting' sbkeysync fails with 'Can't access efivars filesystem at /sys/firmware/efi/efivars, aborting' with 14.04 ovmf
2014-01-30 23:08:32 Jamie Strandboge description Due to bug #1274376 I installed Ubuntu 13.10 in a VM with ovmf 0~20121205.edae8d2d-1, shutdown the vm and then upgraded ovmf to 0~20131029.2f34e065-1 since I found that after repeated reboots when using 0~20121205.edae8d2d-1 ovmf had trouble finding the disk (I don't know why-- I couldn't find a simple reproducer). So, when using ovmf 0~20131029.2f34e065-1 if I try to install secure boot keys as per the instructions in https://wiki.ubuntu.com/SecurityTeam/SecureBoot#Shim_bootloader_signed_with_Microsoft_key, sbkeysync fails. Eg: $ sbkeysync --verbose --pk --dry-run Can't access efivars filesystem at /sys/firmware/efi/efivars, aborting I used the sb-setup command as per https://wiki.ubuntu.com/SecurityTeam/SecureBoot#Shim_bootloader_signed_with_Microsoft_key: Creating keystore... mkdir '/etc/secureboot/keys' mkdir '/etc/secureboot/keys/PK' mkdir '/etc/secureboot/keys/KEK' mkdir '/etc/secureboot/keys/db' mkdir '/etc/secureboot/keys/dbx' done Creating keys... done Generating key updates for PK... using GUID=f2a7fbab-1471-40da-b18f-6a489d898f91 creating EFI_SIGNATURE_LIST (test-cert.der.siglist)... creating signed update (test-cert.der.siglist.PK.signed)... done Generating key updates for KEK... using GUID=f2a7fbab-1471-40da-b18f-6a489d898f91 creating EFI_SIGNATURE_LIST (test-cert.der.siglist)... creating signed update (test-cert.der.siglist.KEK.signed)... done Generating key updates for KEK... using GUID=ed200091-fb45-4da2-8efe-9ce0add35ad4 creating EFI_SIGNATURE_LIST (microsoft-kekca-public.der.siglist)... creating signed update (microsoft-kekca-public.der.siglist.KEK.signed)... done Generating key updates for db... using GUID=f44c37d2-9123-4b09-abf8-d7fdfdf73476 creating EFI_SIGNATURE_LIST (microsoft-pca-public.der.siglist)... creating signed update (microsoft-pca-public.der.siglist.db.signed)... done Generating key updates for db... using GUID=97ff929d-201f-44ef-8514-385958672418 creating EFI_SIGNATURE_LIST (microsoft-uefica-public.der.siglist)... creating signed update (microsoft-uefica-public.der.siglist.db.signed)... done Initializing keystore... adding to /etc/secureboot/keys/PK/ adding to /etc/secureboot/keys/KEK/ adding to /etc/secureboot/keys/db/ done Can't access efivars filesystem at /sys/firmware/efi/efivars, aborting Commit to keystore? (y|N) n $ Due to bug #1274376 I installed Ubuntu 13.10 in a VM with ovmf 0~20121205.edae8d2d-1, shutdown the vm and then upgraded ovmf to 0~20131029.2f34e065-1 since I found that after repeated reboots when using 0~20121205.edae8d2d-1 ovmf had trouble finding the disk (I don't know why-- I couldn't find a simple reproducer). So, when using ovmf 0~20131029.2f34e065-1 if I try to install secure boot keys as per the instructions in https://wiki.ubuntu.com/SecurityTeam/SecureBoot#Shim_bootloader_signed_with_Microsoft_key, sbkeysync fails. Eg: $ sbkeysync --verbose --pk --dry-run Can't access efivars filesystem at /sys/firmware/efi/efivars, aborting I used the sb-setup command as per https://wiki.ubuntu.com/SecurityTeam/SecureBoot#Shim_bootloader_signed_with_Microsoft_key: $ cd /tmp $ ./sb-setup enroll microsoft Creating keystore...   mkdir '/etc/secureboot/keys'   mkdir '/etc/secureboot/keys/PK'   mkdir '/etc/secureboot/keys/KEK'   mkdir '/etc/secureboot/keys/db'   mkdir '/etc/secureboot/keys/dbx' done Creating keys... done Generating key updates for PK...   using GUID=f2a7fbab-1471-40da-b18f-6a489d898f91   creating EFI_SIGNATURE_LIST (test-cert.der.siglist)...   creating signed update (test-cert.der.siglist.PK.signed)... done Generating key updates for KEK...   using GUID=f2a7fbab-1471-40da-b18f-6a489d898f91   creating EFI_SIGNATURE_LIST (test-cert.der.siglist)...   creating signed update (test-cert.der.siglist.KEK.signed)... done Generating key updates for KEK...   using GUID=ed200091-fb45-4da2-8efe-9ce0add35ad4   creating EFI_SIGNATURE_LIST (microsoft-kekca-public.der.siglist)...   creating signed update (microsoft-kekca-public.der.siglist.KEK.signed)... done Generating key updates for db...   using GUID=f44c37d2-9123-4b09-abf8-d7fdfdf73476   creating EFI_SIGNATURE_LIST (microsoft-pca-public.der.siglist)...   creating signed update (microsoft-pca-public.der.siglist.db.signed)... done Generating key updates for db...   using GUID=97ff929d-201f-44ef-8514-385958672418   creating EFI_SIGNATURE_LIST (microsoft-uefica-public.der.siglist)...   creating signed update (microsoft-uefica-public.der.siglist.db.signed)... done Initializing keystore...   adding to /etc/secureboot/keys/PK/   adding to /etc/secureboot/keys/KEK/   adding to /etc/secureboot/keys/db/ done Can't access efivars filesystem at /sys/firmware/efi/efivars, aborting Commit to keystore? (y|N) n $
2023-11-30 20:57:55 Dimitri John Ledkov sbsigntool (Ubuntu): status New Fix Released