Comment 4 for bug 2061551

Ratchanan Srirattanamet (peat-new) wrote (last edit ):

> The dbx update causes the measurements in PCR 7 to change yes. This is not breakage and is required and expected.
> BitLocker asking for a recovery key in this scenario is normal behavior. Entering the recovery key once should resolve that issue.

Hmm Ok. Indeed the fact that updating dbx causes PCR7 measurement to change is expected. But it should not cause the measurement to "fail".

See, with subsequent testing, in the state that dbx is populated and PCR7 is broken, now my Windows installation asks for the recovery key on _every_ boot. And as I mentioned, now msinfo32.exe complains that it's not possible to form a new PCR7 binding. Isn't BitLocker supposed to re-seal the key after the recovery key is entered?

> What shim considers fatal here is the failure to write required UEFI variables to the system's variable store. These are used by shim to communicate important information to the kernel, hence this failure has to be fatal.

Not exactly. One detail I forgot to mention is that, when booted to Ubuntu, there's _plenty_ of space available in `efivars` filesystem, even after secureboot-db.service has done its job.

```
$ df -h /sys/firmware/efi/efivars
Filesystem Size Used Avail Use% Mounted on
efivarfs 128K 67K 57K 55% /sys/firmware/efi/efivars
```

So it's implausible that the failure actually comes from UEFI variables. And according to one verbose Shim boot, it doesn't. Rather, the failure actually comes from `tpm_log_event()` and `tpm_measure_variable()`, as mentioned. (Side note: this is one of the reasons debugging this issue took me so long.)

Please see my attempt to use a phone camera to capture a verbose boot log from Shim [1]. Unfortunately the quality isn't so good, but you should be able to make out that the failure doesn't come from `SetVariable()`.

Oh, and cherry-on-top: I forgot to mention that disabling Secure Boot does NOT fix booting with Shim. In the boot I took [1] from, I had Secure Boot disabled, yet the boot still fails. The only way to fix booting with Shim is resetting the dbx.

[1]: https://ibb.co/album/RzXY28
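The comment above rules out a full variable store by looking at `df` output for efivarfs. The following is an added triage helper, not code from the bug thread or from shim, that makes that check repeatable: it parses `df -P` output for the efivarfs line, decides whether the store is below a used-space threshold (so a `SetVariable()` failure for lack of space is unlikely), and reports the payload size of the dbx variable that secureboot-db.service writes. The efivarfs path, the 90% threshold and the sample `df` text at the bottom are assumptions constructed for illustration; the dbx variable name uses the standard EFI_IMAGE_SECURITY_DATABASE GUID.

```shell
#!/bin/sh
# Added triage helper (not from the bug thread): is efivarfs really short of
# space, and how large is the dbx variable? Paths/thresholds are assumptions.

EFIVARS_DIR="${EFIVARS_DIR:-/sys/firmware/efi/efivars}"
# efivarfs names each variable "<name>-<vendor GUID>"; this GUID is the
# standard EFI_IMAGE_SECURITY_DATABASE GUID shared by db and dbx.
DBX_VAR="dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

# Read `df -P` text on stdin and print "<used_pct> <avail_kb>" for the
# efivarfs line (POSIX output format, 1K blocks). Exit 1 if no such line.
efivars_usage() {
    awk '$1 == "efivarfs" { sub(/%$/, "", $5); print $5, $4; found = 1 }
         END { exit found ? 0 : 1 }'
}

# $1 = df text, $2 = used-percent threshold (default 90).
# Exit 0 when the store has room, 1 when it is at/over the threshold,
# 2 when no efivarfs line was found in the text.
efivars_has_room() {
    threshold="${2:-90}"
    used=$(printf '%s\n' "$1" | efivars_usage | awk '{ print $1 }')
    [ -n "$used" ] || return 2
    [ "$used" -lt "$threshold" ]
}

# Payload size in bytes of variable $2 under directory $1. efivarfs prepends
# 4 bytes of attribute flags to every file, so subtract them. Prints -1 when
# the variable is absent (e.g. after the dbx has been reset).
efivar_payload_size() {
    f="$1/$2"
    if [ -f "$f" ]; then
        size=$(wc -c < "$f")
        echo $((size - 4))
    else
        echo -1
    fi
}

# Stand-alone run on a live system (skipped where efivarfs is not mounted).
if [ -d "$EFIVARS_DIR" ]; then
    if efivars_has_room "$(df -P "$EFIVARS_DIR")"; then
        echo "efivarfs has room; a SetVariable() space failure is unlikely"
    else
        echo "efivarfs is nearly full or not reported; check variable store"
    fi
    echo "dbx payload bytes: $(efivar_payload_size "$EFIVARS_DIR" "$DBX_VAR")"
fi
```

Run it as root on the affected machine to confirm the numbers before and after `secureboot-db.service` has written the dbx; a `-1` for the dbx payload after a reset confirms the variable is gone.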