Merely booting Ubuntu 24.04 beta live CD breaks BitLocker & booting anything using Shim

> 1. The dbx update causes breakage to TPM measured boot on this particular firmware.

The dbx update causes the measurements in PCR 7 to change yes. This is not breakage and is required and expected.
BitLocker asking for a recovery key in this scenario is normal behavior. Entering the recovery key once should resolve that issue.
The reason you clearing the dbx "resolves" this is because it resets to the outdated, insecure configuration the bitlocker key was sealed against.

> 2. Shim considers failure in TPM measured boot to be fatal and refuses to boot at all (as oppose to Windows which will still at least boot even if it will have to ask for recovery key later on).

What shim considers fatal here is the failure to write required UEFI variables to the system's variable store. These are used by shim to communicate important information to the kernel, hence this failure has to be fatal.
This stems from the firmware's failure to perform UEFI variable garbage collection, leading to the variable store filling up and shim not being able to install the required variables.
If the vendor in question has provided newer firmware updates, try applying that, otherwise there is little we can do here.

The only workaround for a system with such broken firmware (in absence of a firmware update that resolves the issue) is to disable UEFI Secure Boot entirely.

Perhaps we could remove secureboot-db from the ISO, so that only installing Ubuntu causes the varstore filling up on such systems, but Secure Boot isn't easily supportable on buggy firmware unfortunately.

> The dbx update causes the measurements in PCR 7 to change yes. This is not breakage and is required and expected.
> BitLocker asking for a recovery key in this scenario is normal behavior. Entering the recovery key once should resolve that issue.

Hmm Ok. Indeed the fact that updating dbx causes PCR7 measurement to change is expected. But it should not cause the measurement to "fail".

See, with subsequent testing, in the state that dbx is populated and PCR7 is broken, now my Windows installation asks for recovery key on _every_ boot. And as I mentioned, now msinfo32.exe complains that it's not possible to form a new PCR7 binding. Isn't BitLocker supposeed to re-seal the key after the recovery key is entered?

> What shim considers fatal here is the failure to write required UEFI variables to the system's variable store. These are used by shim to communicate important information to the kernel, hence this failure has to be fatal.

Not exactly. One detail I forgot to mention is that, when booted to Ubuntu, there's _plenty_ of space available in `efivars` filesystem, even after secureboot-db.service has done its job.

```
$ df -h /sys/firmware/efi/efivars
Filesystem Size Used Avail Use% Mounted on
efivarfs 128K 67K 57K 55% /sys/firmware/efi/efivars
```

So it's implausible that the failure actually comes from UEFI variables. And according to one of verbose Shim boot, it doesn't. Rather, the failure actually comes from `tpm_log_event()` and `tpm_measure_variable()`, as mentioned. (Side Note: This is one of the reason debugging this issue took me so long).

Please see my attempt to use a phone camera to capture a verbose boot log from Shim [1]. Unfortunately the quality isn't so good, but you should be able to make out that the failure doesn't come from `SetVariable()`.

Oh, and cherry-on-top: I forgot to mention that disable Secure Boot does NOT fix booting with Shim. The boot I took [1] from, I have Secure Boot disabled, yet the boot still fails. The only way to fix booting with Shim is resetting the dbx.

[1]: https://ibb.co/album/RzXY28

I am still pretty sure it is the variable storage failure mode we are seeing in this firmware. I also personally own an ASUS device with firmware from 2019 and I managed to reach the same failure mode on it even when using Mantic.

Also let me try to explain why errors crop up in other places too:

You can see multiple failures besides 'tpm_measure_variable()' including:
- 'Create SbatLevelRT : Volume Full',
- 'Create MokListRT: Volume Full', and
- 'import_mok_state() failed Volume Full' on the last image.

These all internally call `SetVariable()`.

The reason I suspect 'tpm_measure_variable()' also fails is because presumably it tries to internally write to the varstore and then propagates this error.

Also keep in mind the used space and percentage indicator provided by the kernel for efivarfs might very well not be accurate at all.

If disabling Secure Boot really isn't enough, you can try removing shim-signed and then installing just GRUB on this device.

@peat-new

After some discussion about the upstream bug, I'm re-opening this as 'New'.

It seems that 'Volume Full' here indeed only refers to the event log filling up and not the entire variable store.

The shim debug log was confusing me into thinking it was the full variable store.

This could possible be fixed by allowing shim to drive forward in the face of errors, because as mentioned the PCRs are indeed extended just not the event log.

Could you possibly verify this theory by disabling TPM support in the firmware and seeing if the device boots via shim with that?

Unfortunately, I can't seem to find a setting to disable TPM in my device's firmware settings, so I can't test that.

I have proposed a patch for this now: https://github.com/rhboot/shim/pull/657