shim: set second stage not work

Bug #1581299 reported by Ivan Hu on 2016-05-13
Affects | Importance | Assigned to | Milestone
shim (Ubuntu) | High | Mathieu Trudel-Lapierre | Nominated for Xenial by Anthony Wong
shim-signed (Ubuntu) | High | Mathieu Trudel-Lapierre | Nominated for Xenial by Anthony Wong
  Trusty | Undecided | Unassigned
  Xenial | Undecided | Unassigned
  Yakkety | Undecided | Unassigned

Bug Description

[Impact]
Some firmwares may fail to populate LoadOptions in EFI in a way that shim understands, including only the extra options rather than the full BootEntry.

[Test case]
Attempt to boot a system on a BootEntry that requires extra options, such as when running firmware updates via fwupdate.

[Regression Potential]
The information passed by some firmwares may look as though it is a simple UCS-2 string although it contains extra information, and thus cause a failure to boot due to unrecognized LoadOptions when shim attempts to boot. The default boot process does not include LoadOptions at all, but this may adversely affect fwupdate or running MokManager.

----

Using applications such as fwupdate and efibootmgr to set the device path for the second stage is not working on some platforms.
Setting the second stage has not worked since commit
3322257e611e2000f79726d295bb4845bbe449e7 on https://github.com/rhinstaller/shim
for those whose load option has only one string.

This is because with some versions of BDS, in the LoadOptions we only get:
00000000 5c 00 66 00 77 00 75 00 70 00 78 00 36 00 34 00 |\.f.w.u.p.x.6.4.|
00000010 2e 00 65 00 66 00 69 00 00 00 |..e.f.i...|
0000001a
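As an added example, not part of this report or of shim's own code: a small C parser for a LoadOptions buffer that accepts both the single-string form captured in the hex dump above and an assumed full-entry form (loader name first, then the second-stage path and any further options), while rejecting data that is not a well-formed UCS-2 string, the case the regression note above warns about. The two-string convention and the names `parse_load_options` and `ucs2_encode` are assumptions, not shim's API.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint16_t CHAR16;            /* UCS-2 code unit, as in EFI LoadOptions */
#define MAX_UNITS 256               /* cap on LoadOptions length in CHAR16 units */

struct second_stage {
    char path[MAX_UNITS + 1];       /* second-stage path (ASCII), NUL terminated */
    char rest[MAX_UNITS + 1];       /* options after the path, empty if none */
};

/* Constructed from the hex dump in the report: "\fwupx64.efi" as little-endian
 * UCS-2 with its terminator, i.e. the single-string LoadOptions some BDS pass. */
static const uint8_t single_string_opts[] = {
    0x5c, 0x00, 0x66, 0x00, 0x77, 0x00, 0x75, 0x00, 0x70, 0x00, 0x78, 0x00, 0x36, 0x00,
    0x34, 0x00, 0x2e, 0x00, 0x65, 0x00, 0x66, 0x00, 0x69, 0x00, 0x00, 0x00 };

/* Copy n UCS-2 units to ASCII, marking non-ASCII units instead of dropping them. */
static void copy_ascii(const CHAR16 *s, size_t n, char *dst)
{
    size_t i;
    for (i = 0; i < n; i++) dst[i] = (s[i] < 0x80) ? (char)s[i] : '?';
    dst[n] = '\0';
}

/* Encode ASCII as little-endian UCS-2 plus terminator; returns byte length, 0 on overflow. */
size_t ucs2_encode(const char *s, uint8_t *buf, size_t buf_len)
{
    size_t n = strlen(s) + 1, i;
    if (2 * n > buf_len) return 0;
    for (i = 0; i < n; i++) { buf[2 * i] = (uint8_t)s[i]; buf[2 * i + 1] = 0; }
    return 2 * n;
}

/* Extract the second-stage path from a raw LoadOptions buffer. Assumed convention
 * (illustrative, not shim's exact code):
 *   "<path>\0"                    single string: the path itself
 *   "<loader> <path>[ <rest>]\0"  full entry: loader name first, then the path
 * Returns -1 for odd length, overlength, missing terminator or an empty path. */
int parse_load_options(const uint8_t *buf, size_t buf_len, struct second_stage *out)
{
    CHAR16 units[MAX_UNITS];
    size_t n = buf_len / 2, len = 0, tokens = 1, start = 0, end, i;
    memset(out, 0, sizeof(*out));
    if (buf_len % 2 != 0 || n == 0 || n > MAX_UNITS) return -1;
    for (i = 0; i < n; i++) units[i] = (CHAR16)(buf[2 * i] | (buf[2 * i + 1] << 8));
    while (len < n && units[len] != 0) len++;
    if (len == n) return -1;              /* no terminator: not a simple UCS-2 string */
    for (i = 0; i < len; i++) tokens += (units[i] == ' ');
    if (tokens > 1) {                     /* full entry: skip the loader's own name */
        while (units[start] != ' ') start++;
        start++;
    }
    for (end = start; end < len && units[end] != ' '; end++) {}
    if (end == start) return -1;          /* empty path token */
    copy_ascii(units + start, end - start, out->path);
    if (end < len) copy_ascii(units + end + 1, len - end - 1, out->rest);
    return 0;
}
```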

Ivan Hu (ivan.hu) wrote :

Sent out a patch fixing the set second stage function for loadoption.

It has been accepted on https://github.com/rhinstaller/shim

Changed in shim (Ubuntu):
status: New → Fix Committed

The attachment "0001-shim-dealing-with-only-one-string-on-loadoption.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Changed in shim (Ubuntu):
status: Fix Committed → Triaged
importance: Undecided → High
tags: added: rls-y-incoming

We don't use a shim version that currently carries this commit; why are you using a new shim? Is there another issue for which you require a patch?

Please include the full output of 'efibootmgr -v' on an affected system so we can make sure that the boot entry is correctly configured to do the firmware updates.

Changed in shim (Ubuntu):
status: Triaged → Incomplete
Ivan Hu (ivan.hu) wrote :

Here is the efibootmgr -v for your request.

BootNext: 0007
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0006,0001,0000,0002,0003,0004
Boot0000* UEFI Internal Shell FvVol(cdbb7b35-6833-4ed6-9ab2-57d2acddf6f0)/FvFile(7c04a583-9e3e-4f1c-ad65-e05268d0b4d1)
Boot0001* Enter Setup FvVol(cdbb7b35-6833-4ed6-9ab2-57d2acddf6f0)/FvFile(462caa21-7614-4503-836e-8ab6f4662331)
Boot0002 Boot Device List FvVol(cdbb7b35-6833-4ed6-9ab2-57d2acddf6f0)/FvFile(eec25bdc-67f2-4d95-b1d5-f81b2039d11d)
Boot0003* UEFI ATAPI iHAS124 E 3524665 228416501444 PciRoot(0x0)/Pci(0x1f,0x2)/Sata(2,0,0)N.....YM....R,Y.
Boot0004* UEFI ST500DM002-1BD142 Z3THAL0R PciRoot(0x0)/Pci(0x1f,0x2)/Sata(3,0,0)N.....YM....R,Y.
Boot0005* UEFI SanDisk Ultra 4C530001310121113460 PciRoot(0x0)/Pci(0x1d,0x0)/USB(0,0)/USB(4,0)N.....YM....R,Y.
Boot0006* ubuntu HD(1,GPT,cae6aec2-f305-4006-95b0-8063f692a715,0x800,0x100000)/File(\EFI\ubuntu\shimx64.efi)
Boot0007* Linux-Firmware-Updater \fwupx64.efi HD(1,GPT,cae6aec2-f305-4006-95b0-8063f692a715,0x800,0x100000)/File(\EFI\ubuntu\shimx64.efi)\.f.w.u.p.x.6.4...e.f.i...

Actually, this patch fixes commit 3322257e611e2000f79726d295bb4845bbe449e7 for those cases where the load option has only one string, which otherwise won't work.
You can simply build an EFI application, such as hello.efi, and set BootNext to it as
Boot0008* test HD(1,GPT,cae6aec2-f305-4006-95b0-8063f692a715,0x800,0x100000)/File(\EFI\ubuntu\shimx64.efi)\.h.e.l.l.o...e.f.i...
then check whether hello.efi is run on the next boot, to make sure shim works properly or not.

Changed in shim (Ubuntu):
status: Incomplete → In Progress
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
peter zhang (zhangfp1) wrote :

Hello Canonical friends,

May we know who can help to push Microsoft to expedite the signing process?
Two more months passed since the fix was available on May 13th in comment #1.
Thanks for your support.

Changed in shim-signed (Ubuntu):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim - 0.9+1465500757.14a5905-0ubuntu1

---------------
shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium

  * New upstream release.
    - Better handle LoadOptions. (LP: #1581299)
    - Measure state and second stage in TPM.
    - Mirror MokSBState in runtime as MokSBStateRT.
    - Fix failure to build with GCC 5. (LP: #1429978)
    - Various bug fixes and other improvements.
  * Refreshed patches.
    - Remaining patches:
      + second-stage-path
      + sbsigntool-not-pesign
  * debian/patches/unused-variable: remove unused variable size.
  * debian/patches/binutils-version-matching: revert d9a4c912 to correctly
    match objcopy's version on Ubuntu.
  * debian/copyright: update copyright for patches.

 -- Mathieu Trudel-Lapierre <email address hidden> Tue, 26 Jul 2016 16:48:32 -0400

Changed in shim (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.20

---------------
shim-signed (1.20) yakkety; urgency=medium

  * Update to the signed 0.9+1465500757.14a5905-0ubuntu1 binary from Microsoft.
    (LP: #1581299)

 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 08 Aug 2016 11:14:21 -0400

Changed in shim-signed (Ubuntu):
status: In Progress → Fix Released
Anthony Wong (anthonywong) wrote :

Mathieu, I think this affects Xenial too. Given that Xenial is LTS, can we fix it with SRU as well?

On Tue, Aug 09, 2016 at 04:10:51AM -0000, Anthony Wong wrote:
> Mathieu, I think this affects Xenial too. Given that Xenial is LTS, can
> we fix it with SRU as well?

Yes. We only have one active signed shim.efi binary at a time - this one
will be binary-copied back from yakkety to all supported releases.

Hello Ivan, or anyone else affected,

Accepted shim-signed into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.21.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in shim-signed (Ubuntu Yakkety):
status: New → Fix Committed
tags: added: verification-needed

Ivan, Anthony, could you please verify that this is fixed with the updated packages in yakkety-proposed?

Thanks!

Ivan Hu (ivan.hu) wrote :

Verified shim-signed 1.21.4 from yakkety-proposed; it fixes the second stage issue of shim.

tags: added: verification-done
removed: verification-needed
Steve Langasek (vorlon) wrote :

Hello Ivan, or anyone else affected,

Accepted shim-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.21.4~14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in shim-signed (Ubuntu Trusty):
status: New → Fix Committed
tags: removed: verification-done
tags: added: verification-needed
description: updated
Steve Langasek (vorlon) wrote :

Hello Ivan, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.21.4~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in shim-signed (Ubuntu Xenial):
status: New → Fix Committed

Ivan has already verified that shim-signed 1.21.4 is good on yakkety-proposed. Given that it's the exact same binary in other distros, we can say it's verified everywhere (the binaries are copied around, not rebuilt).

tags: added: verification-done-yakkety
tags: added: verification-done-trusty verification-done-xenial
removed: verification-needed
Ivan Hu (ivan.hu) wrote :

Verified shim-signed 1.21.4 from xenial-proposed and trusty-proposed; they fix the second stage issue of shim.

Steve Langasek (vorlon) wrote :

Hello Ivan, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.27~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed
Steve Langasek (vorlon) wrote :

Hello Ivan, or anyone else affected,

Accepted shim-signed into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.27~16.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Ivan Hu (ivan.hu) wrote :

Verified shim-signed 1.27 from yakkety-proposed and xenial-proposed; it works fine on the second stage of shim.

Steve Langasek (vorlon) on 2017-04-03
tags: added: verification-done
removed: verification-done-trusty verification-done-xenial verification-done-yakkety verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.27~16.10.1

---------------
shim-signed (1.27~16.10.1) yakkety; urgency=medium

  * Backport shim 0.9+1474479173.6c180c6-1ubuntu1 to 16.10. (LP: #1637290)

shim-signed (1.27) zesty; urgency=medium

  [ Steve Langasek ]
  * Update to the signed 0.9+1474479173.6c180c6-1ubuntu1 binary from
    Microsoft.
  * update-secureboot-policy:
    - detect when we have no debconf prompting and error out instead of ending
      up in an infinite loop. LP: #1673817.
    - refactor to make the code easier to follow.
    - remove a confusing boolean that would always re-prompt on a request to
      --enable, but not on a request to --disable.

  [ Mathieu Trudel-Lapierre ]
  * update-secureboot-policy:
    - some more fixes to properly handle non-interactive mode. (LP: #1673817)

shim-signed (1.23) zesty; urgency=medium

  * debian/control: bump the Depends on grub2-common since that's needed to
    install with the new updated EFI binaries filenames.

shim-signed (1.22) yakkety; urgency=medium

  * Update to the signed 0.9+1474479173.6c180c6-0ubuntu1 binary from Microsoft.
    (LP: #1581299)
  * Update paths now that the shim binary has been renamed to include the
    target architecture.
  * debian/shim-signed.postinst: clean up old MokManager.efi from EFI/ubuntu;
    since it's being replaced by mm$arch.efi.

 -- Mathieu Trudel-Lapierre <email address hidden> Thu, 23 Mar 2017 16:58:44 -0400

Changed in shim-signed (Ubuntu Yakkety):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for shim-signed has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.27~16.04.1

---------------
shim-signed (1.27~16.04.1) xenial; urgency=medium

  * Backport shim 0.9+1474479173.6c180c6-1ubuntu1 to 16.04. (LP: #1637290)

shim-signed (1.27) zesty; urgency=medium

  [ Steve Langasek ]
  * Update to the signed 0.9+1474479173.6c180c6-1ubuntu1 binary from
    Microsoft.
  * update-secureboot-policy:
    - detect when we have no debconf prompting and error out instead of ending
      up in an infinite loop. LP: #1673817.
    - refactor to make the code easier to follow.
    - remove a confusing boolean that would always re-prompt on a request to
      --enable, but not on a request to --disable.

  [ Mathieu Trudel-Lapierre ]
  * update-secureboot-policy:
    - some more fixes to properly handle non-interactive mode. (LP: #1673817)

shim-signed (1.23) zesty; urgency=medium

  * debian/control: bump the Depends on grub2-common since that's needed to
    install with the new updated EFI binaries filenames.

shim-signed (1.22) yakkety; urgency=medium

  * Update to the signed 0.9+1474479173.6c180c6-0ubuntu1 binary from Microsoft.
    (LP: #1581299)
  * Update paths now that the shim binary has been renamed to include the
    target architecture.
  * debian/shim-signed.postinst: clean up old MokManager.efi from EFI/ubuntu;
    since it's being replaced by mm$arch.efi.

 -- Mathieu Trudel-Lapierre <email address hidden> Thu, 23 Mar 2017 16:58:44 -0400

Changed in shim-signed (Ubuntu Xenial):
status: Fix Committed → Fix Released

An upload of shim-signed to trusty-proposed has been rejected from the upload queue for the following reason: "needs adjusted versioned dep on grub2-common; drop ref to LP: #1624096 from changelog".

Hello Ivan, or anyone else affected,

Accepted shim-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.32~14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed verification-needed-trusty
removed: verification-done
Steve Langasek (vorlon) wrote :

Hello Ivan, or anyone else affected,

Accepted shim-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.32~14.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Verification done for trusty: I've used shim-signed 1.32~14.04.2. The correct shim is installed and it behaves correctly with firmware updates and other BootEntries requiring extra options. I used a new bootentry to boot straight to mmx64.efi (MokManager), which worked correctly.

tags: added: verification-done-trusty
removed: verification-needed verification-needed-trusty