bootia32.efi + 32bit UEFI + SecureBoot => not signed properly

Bug #1793894 reported by beta-tester on 2018-09-22
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
shim-signed (Ubuntu)
Wishlist
Unassigned

Bug Description

i have a tablet/netbook with:
32bit UEFI (only),
SecureBoot enabled,
32/64bit CPU,
Windows 10 Pro (32bit).

i can't use the 64bit version of ubuntu 18.04.1 or 18.10 (daily-beta) to boot LiveDVD or LiveUSB,
because of missing bootia32.efi on the Live iso media.
and when i try to add the bootia32.efi by hand, then i get a signed certificate error at boot time from UEFI i guess.

why is the bootx64.efi signed properly for SecureBoot an 64bit UEFI,
but bootia32.efi isn't signed properly for SecureBoot an 32bit UEFI???

and why is that bootia32.efi missing at all on the Live iso?
i am not the only one, who is using that kind of tablet/netbook and
want to install ubuntu 18.x 64bit on that device.

i don't know if the package i told is the right one.
maybe another package is more correct...
e.g. shim-signed, grub-efi-ia32-signed, grub-efi-amd64-signed, ...

description: updated
tags: added: bootia32.efi
tags: added: grub-efi-ia32 secureboot uefi
description: updated
Steve Langasek (vorlon) on 2018-09-25
Changed in shim-signed (Ubuntu):
importance: Undecided → Wishlist

today i tried Fedora 29 Workstation Live (64bit).
there is a bootia32.efi that is correctly Microsoft UEFI CA signed.
with that version i can boot and use Fedora 29
on all my UEFI32 + SecureBoot enabled devices successfully.
i hope it will be fixed for Ubuntu as well soon...

sudo /usr/bin/sbverify --list BOOTIA32.EFI
warning: data remaining[839112 vs 975536]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
   issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
   issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root

valdikss (valdikss1) wrote :

I can confirm that Ubuntu, Debian and OpenSuse have only X86_64 signed EFI bootloader. From what I know, only Fedora has IA32 signed bootloader.

valdikss (valdikss1) wrote :

Sorry, I was wrong: Debian now has IA32 package (not sure about ISOs though).
https://packages.debian.org/buster/grub-efi-ia32-signed

Ubuntu still has only a template, without signed binaries:
https://packages.ubuntu.com/cosmic/grub-efi-ia32-signed-template

the Debian one is only "Debian UEFI CA" signed and not "Microsoft Corporate UEFI CA" signed.
that means, as far as i know, it is only usable then you manually add that "Debian UEFI CA" certificate/key to your UEFI certificate/key store, before you are able to boot with SecureBoot enabled.

not all netbook computers are able to add certificates/key manually to do that.
i don't know at the moment, if the Debian UEFI CA has a "Microfot Corporate UEFI CA" certificate in its "certificate path"... but not at the time as i was reporting that issue. and not in the Debian Live ISO.

Debian 10 Buster now has proper signed bootloader for 64bit UEFI and 32bit UEFI.
so next step should be that ubuntu will upgrade to properly signed bootloader as well.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.