Ubuntu
shim-signed package

shim-signed 15.4-0ubuntu7 fails on Lenovo T480 with Secure boot

Bug #1939306 reported by Adrian on 2021-08-09

18

This bug affects 3 people

Affects		Status	Importance	Assigned to	Milestone
	shim-signed (Ubuntu)	Fix Released	Undecided	Unassigned

Bug Description

As in the summary, the booting process using the latest shim-signed fails on Lenovo T480 with the Secure boot enabled: it ends with the black screen. When Secure boot is disabled, the booting process completes successfully.

I collected some logs with `sudo mokutil --set-verbosity true` (see attachment).

I confirm that `grubx64.efi` is where expected.

The workaround is to downgrade the package version:
sudo apt install shim-signed=1.40.3+15+1533136590.3beb971-0ubuntu1 shim=15+1533136590.3beb971-0ubuntu1

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: shim-signed 1.40.6+15.4-0ubuntu7
ProcVersionSignature: Ubuntu 5.4.0-80.90-generic 5.4.124
Uname: Linux 5.4.0-80-generic x86_64
.proc.sys.kernel.moksbstate_disabled: Error: [Errno 2] Nie ma takiego pliku ani katalogu: '/proc/sys/kernel/moksbstate_disabled'
ApportVersion: 2.20.11-0ubuntu27.18
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: GNOME
Date: Mon Aug 9 16:05:10 2021
EFITables:
sie 09 16:04:39 adrian-laptop kernel: efi: EFI v2.50 by Lenovo
sie 09 16:04:39 adrian-laptop kernel: efi: TPMFinalLog=0x6b58a000 SMBIOS=0x6a62c000 SMBIOS 3.0=0x6a629000 ACPI=0x6b5fe000 ACPI 2.0=0x6b5fe014 ESRT=0x6a4b6000 MEMATTR=0x64799018 TPMEventLog=0x5e5ea018
sie 09 16:04:39 adrian-laptop kernel: secureboot: Secure boot enabled
sie 09 16:04:39 adrian-laptop kernel: esrt: Reserving ESRT space from 0x000000006a4b6000 to 0x000000006a4b6100.
sie 09 16:04:39 adrian-laptop kernel: secureboot: Secure boot enabled
InstallationDate: Installed on 2018-04-05 (1222 days ago)
InstallationMedia: Ubuntu 16.04.4 LTS "Xenial Xerus" - Release amd64 (20180228)
SecureBoot: 6 0 0 0 1
SourcePackage: shim-signed
UpgradeStatus: Upgraded to focal on 2020-10-28 (284 days ago)

Tags:

Revision history for this message

Adrian (adrianf0) wrote on 2021-08-09:

#1

Log from the mok. Edit (4.2 MiB, image/jpeg)
BootEFIContents.txt Edit (70 bytes, text/plain; charset="utf-8")
Dependencies.txt Edit (2.2 KiB, text/plain; charset="utf-8")
EFIBootMgr.txt Edit (2.0 KiB, text/plain; charset="utf-8")
ProcCpuinfoMinimal.txt Edit (1.3 KiB, text/plain; charset="utf-8")
ProcEnviron.txt Edit (325 bytes, text/plain; charset="utf-8")

Revision history for this message

Launchpad Janitor (janitor) wrote on 2021-08-09:

#2

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in shim-signed (Ubuntu):
status:	New → Confirmed

Revision history for this message

Hannes Erven (hannes-erven) wrote on 2021-08-09:

#3

Experienced the same issue on a Thinkpad X1 Gen7, it stops at a blank screen. While experimenting even disabling SecureBoot was not a reliable workaround. With "mokutil --set-verbosity true", the stack ends at the same line as demonstrated by the OP in https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1939306/+attachment/5516850/+files/20210809_132455.jpg .

Problem appeared after upgrade vom shim-signed:amd64 1.47+15.4-0ubuntu2 to 1.50+15.4-0ubuntu7 and was solved by downgrading to 1.46+15.4-0ubuntu1 (the 1.47 version is currently not available, Launchpad lists only 1.50 and 1.46).

Revision history for this message

konsole (ipsecsa) wrote on 2021-08-10:

#4

Same issue on a Lenovo X130e laptop after Ubuntu updates on 08/08/21. Early EFI system that doesn't support secure boot. Downgrading shim-signed to 1.40.3+15+1533136590.3beb971-0ubuntu1 and shim to 15+1533136590.3beb971-0ubuntu1 allows the laptop to boot. Cmon guys, making a system unbootable is critical sheesh! thanks adrianf0 and hannes-erven for reporting.

Revision history for this message

Valtteri Vuorikoski (vuorik) wrote on 2021-08-21:

#5

Not clear if it's the same issue, but on a Thinkpad T14s, new shim fails to boot anything except the Canonical-signed grub. Both hash and key MOKs seem to be ignored (blue screeen with Security Violation 0x1A for signed executables). Downgrading to the version of shim-signed specified in the initial report makes hash and key MOKs work again. shim verbose reporting was not checked.

Steve Langasek (vorlon) on 2021-08-23

summary:	- latest shim-signed fails on Lenovo T480 with Secure boot + shim-signed 15.4-0ubuntu9 fails on Lenovo T480 with Secure boot
summary:	- shim-signed 15.4-0ubuntu9 fails on Lenovo T480 with Secure boot + shim-signed 15.4-0ubuntu7 fails on Lenovo T480 with Secure boot

Revision history for this message

Steve Langasek (vorlon) wrote on 2021-08-23:

#6

There is a new version of shim published; please check whether shim-signed 1.51+15.4-0ubuntu9 addresses this issue.

Revision history for this message

Adrian (adrianf0) wrote on 2021-08-23:

#7

Yes, the latest version 1.40.7+15.4-0ubuntu9 solves the problem.

Changed in shim-signed (Ubuntu):
status:	Confirmed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.