Merely booting Ubuntu 24.04 beta live CD breaks BitLocker & booting anything using Shim
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
secureboot-db (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
shim-signed (Ubuntu) |
New
|
Undecided
|
Unassigned |
Bug Description
On my ASUS Transformer Mini T103HAF, it seems like the dbx in Ubuntu 24.04 is too big or something, it breaks TPM's PCR7 measurement. And since secureboot-
Step to reproduce:
1. Boot into pre-installed Windows installation. Run "msinfo32.exe" as administrator, go to "System Summary", and verify that "PCR7 Configuration" is shown as "Bound".
2. Before proceed further, make sure that you have BitLocker recovery key available (or have it suspended). I have one backed up in Microsoft Account [1], or I think you can also open a terminal as administrator and run `manage-bde -protectors -get "C:"`.
3. Restart the machine into USB flashed with Ubuntu 24.04 live CD. You don't have to finish setting up language, keyboard layout etc.; you can restart the system as soon as a GUI appear. By that point, "secureboot-
4. Boot back to Windows. At this point, Windows will fail to boot asking for BitLocker recovery key. Input the key you have from step 2. After that, the system will reboot itself again.
5. Run "msinfo32.exe" as administrator again. Go to "System Summary", and notice that "PCR7 Configuration" is now shown as "Binding not possible".
6. Restart into the live USB again. This time, it won't boot, failing with:
```
Could not create MokListRT: Volume full
Could not create MokListXRT: Volume full
Could not create SbatlevelRT: Volume full
Could not create MokListTrustedRT: Volume full
Something has gone seriously wrong: import_mok_state() failed : Volume Full
```
And shortly after that, the machine turns off.
[1]: https:/
---
Now, to verify that dbx is indeed the source of the problem, I did the following:
1. Reboot the system to the UEFI settings, go to Security > Secure Boot > Key Management, select Forbidden Signature > Set new key > Yes (restore to factory).
2. Reboot to Windows again. It will probably ask for BitLocker recovery key again. But once booted, run "msinfo32.exe" as administrator, go to "System Summary". "PCR7 Configuration" is now shown as "Bound" again.
3. Reboot into live USB again. This time it will boot. For debugging purpose, go to terminal and run `sudo mokutil --set-verbosity true`. Reboot to live USB.
4. Shim will now prints verbose message. Because I can't screencapture the boot process, I can't really transcribe the whole log to text (and my photo is of low quality). However, there are repeating lines along the line of (by now I'm using another Shim binary from Fedora 39 boot USB):
```
mok.c:798:
Could not create MokListXRT: Volume Full
mok.c:926:
```
Or:
```
mok.c:762:
Could not create SbatLevelRT: Volume Full
mok.c:926:
```
---
I think there might be 2 problems that has to both be solved:
1. The dbx update causes breakage to TPM measured boot on this particular firmware.
2. Shim considers failure in TPM measured boot to be fatal and refuses to boot at all (as oppose to Windows which will still at least boot even if it will have to ask for recovery key later on).
---
Information about my tablet:
Make & model: ASUS Transformer Mini T103HAF
Firmware (BIOS) make & version: American Megatrends Inc. T103HAF.309, 22/4/2019
TPM manufacturer: INTC
TPM manufacturer version: 2.0.5.3015
TPM specification version: 2.0
> 1. The dbx update causes breakage to TPM measured boot on this particular firmware.
The dbx update causes the measurements in PCR 7 to change yes. This is not breakage and is required and expected.
BitLocker asking for a recovery key in this scenario is normal behavior. Entering the recovery key once should resolve that issue.
The reason you clearing the dbx "resolves" this is because it resets to the outdated, insecure configuration the bitlocker key was sealed against.
> 2. Shim considers failure in TPM measured boot to be fatal and refuses to boot at all (as oppose to Windows which will still at least boot even if it will have to ask for recovery key later on).
What shim considers fatal here is the failure to write required UEFI variables to the system's variable store. These are used by shim to communicate important information to the kernel, hence this failure has to be fatal.
This stems from the firmware's failure to perform UEFI variable garbage collection, leading to the variable store filling up and shim not being able to install the required variables.
If the vendor in question has provided newer firmware updates, try applying that, otherwise there is little we can do here.