After enabling Secure Boot - unable to boot Ubuntu

Bug #1821630 reported by BoQsc
This bug affects 1 person
Affects: shim (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

The section in the Ubuntu documentation says that if I have problems while booting with Secure Boot enabled, I should file a bug report: https://help.ubuntu.com/community/UEFI#SecureBoot

ProblemType: Bug
DistroRelease: Ubuntu 19.04
Package: shim (not installed)
ProcVersionSignature: Ubuntu 5.0.0-8.9-generic 5.0.1
Uname: Linux 5.0.0-8-generic x86_64
ApportVersion: 2.20.10-0ubuntu23
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Mon Mar 25 21:11:17 2019
InstallationDate: Installed on 2018-10-26 (150 days ago)
InstallationMedia: Ubuntu 18.10 "Cosmic Cuttlefish" - Release amd64 (20181017.3)
SourcePackage: shim
UpgradeStatus: No upgrade log present (probably fresh install)
---
ProblemType: Bug
.proc.sys.kernel.moksbstate_disabled: Error: [Errno 2] No such file or directory: '/proc/sys/kernel/moksbstate_disabled'
ApportVersion: 2.20.10-0ubuntu23
Architecture: amd64
BootEFIContents:
 BOOTX64.CSV
 grub.cfg
 grubx64.efi
 mmx64.efi
 shimx64.efi
CurrentDesktop: ubuntu:GNOME
Dependencies:

DistroRelease: Ubuntu 19.04
EFITables:
 kov. 27 09:40:09 SATELLITE-L855 kernel: efi: EFI v2.31 by INSYDE Corp.
 kov. 27 09:40:09 SATELLITE-L855 kernel: efi: ACPI=0xaf7fe000 ACPI 2.0=0xaf7fe014 SMBIOS=0xaf6bef98
 kov. 27 09:40:09 SATELLITE-L855 kernel: secureboot: Secure boot could not be determined (mode 0)
InstallationDate: Installed on 2018-10-26 (151 days ago)
InstallationMedia: Ubuntu 18.10 "Cosmic Cuttlefish" - Release amd64 (20181017.3)
Package: shim 15+1533136590.3beb971-0ubuntu1
PackageArchitecture: amd64
ProcVersionSignature: Ubuntu 5.0.0-8.9-generic 5.0.1
SecureBoot: 6 0 0 0 0
Tags: disco wayland-session
Uname: Linux 5.0.0-8-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo
_MarkForUpload: True

BoQsc (boqsc) wrote :
Steve Langasek (vorlon) wrote :

Sure, but you need to give detail about exactly what you did, and what didn't work as expected.

According to the information in your bug report, you don't even have the shim package installed currently.

Changed in shim (Ubuntu):
status: New → Incomplete
BoQsc (boqsc) wrote :

Well, my problem is that when I enable Secure Boot in my Laptop's UEFI, I get this message popped out:

"Boot failure : a proper digital signature was not found.
One of the files on the selected boot device was rejected by the Secure Boot feature."

Is there anything you can help me with, or should I just disable Secure Boot and "mind my business"? :D

BoQsc (boqsc) wrote :

P.S. That message stops the computer from booting into Ubuntu. So I'm forced to disable Secure Boot if I want to use Linux operating systems.

Steve Langasek (vorlon) wrote :

How did you install this system? If you were using the Ubuntu Desktop 18.10 installer, your system should have had both UEFI and BIOS bootloaders installed for you automatically, and using shim, so you should not get verification errors from the firmware. But your bug report shows that you don't have the shim package installed.

BoQsc (boqsc) wrote :

I installed it from a USB flash drive that contained Ubuntu Desktop 18.10, quite a while ago: 2018.10.17
I did a dual boot installation: Windows 10 was preinstalled, and so I installed Ubuntu.

And since then, I just did updates and upgrades. I have used this distribution for a long time, so I might have deleted it somehow while removing some other software, as I'm not that experienced.

Yes, I do not have shim installed. If shim had to be included back then, then that is strange, or I did something since the first installation and am unable to remember.

Should I just install shim via the package manager or do a new clean Ubuntu 19.04 daily build install?

Steve Langasek (vorlon) wrote : Re: [Bug 1821630] Re: After enabling Secure Boot - unable to boot Ubuntu

On Tue, Mar 26, 2019 at 05:14:17PM -0000, BoQsc wrote:

> I installed it from a USB flash drive that contained Ubuntu Desktop 18.10,
> quite a while ago: 2018.10.17 I did a dual boot installation: Windows 10
> was preinstalled, and so I installed Ubuntu.

> And since then, I just did updates and upgrades. I have used this
> distribution for a long time, so I might have deleted it somehow while
> removing some other software, as I'm not that experienced.

I would suggest checking /var/log/apt/history.log* to see if there is a
record of removing the shim package, and what other changes were made around
the same time that might explain this.

> Should I just install shim via the package manager

The package you will want to install is shim-signed.

> or do a new clean Ubuntu 19.04 daily build install?

Daily builds are not recommended for other than development.

BoQsc (boqsc) wrote :

I extracted all the /var/log/apt/history.log.*.gz files
and grep'ed through them; these are the only occurrences it found:

vaidas@SATELLITE-L855:/var/log/apt$ grep -H shim ./*
./history.log.5:Commandline: apt-get --no-upgrade -o Acquire::gpgv::Options::=--ignore-time-conflict -y install shim-signed
./history.log.5:Install: shim-signed:amd64 (1.38+15+1533136590.3beb971-0ubuntu1), shim:amd64 (15+1533136590.3beb971-0ubuntu1, automatic)

It looks like shim was installed, and no records of its uninstallation were found.

BoQsc (boqsc) wrote :

Right now, I installed it myself.

vaidas@SATELLITE-L855:~$ sudo apt-get install shim-signed
[sudo] password for vaidas:
Reading package lists... Done
Building dependency tree
Reading state information... Done
shim-signed is already the newest version (1.39+15+1533136590.3beb971-0ubuntu1).

BoQsc (boqsc) wrote :

I restarted the laptop and enabled the Secure Boot option in the UEFI.

The same error popped up and I was unable to boot into Ubuntu until I disabled Secure Boot:

"Boot failure : a proper digital signature was not found.
One of the files on the selected boot device was rejected by the Secure Boot feature."

BoQsc (boqsc) wrote :

Installing shim-signed didn't help much.
Maybe I'll just wait for the standard Ubuntu 19.04 which will happen in the next month?

Steve Langasek (vorlon) wrote :

Please run 'apport-collect 1821630' from the affected system.

BoQsc (boqsc) wrote : EFIBootMgr.txt

apport information

tags: added: apport-collected
description: updated
BoQsc (boqsc) wrote : ProcCpuinfoMinimal.txt

apport information

BoQsc (boqsc) wrote : ProcEnviron.txt

apport information

Steve Langasek (vorlon) wrote :

Ok, and your efibootmgr output shows:

BootCurrent: 0001
[...]
Boot0001* ubuntu HD(2,GPT,97bd7694-b600-487f-a866-7694c80b6ead,0xfa000,0x32000)/File(\EFI\ubuntu\shimx64.efi)

So in fact, the shim package is correctly installed, is correctly installed to the ESP, and is correctly registered with the firmware.

So it's currently unclear to me why this system is failing to boot when SecureBoot is enabled. And I don't think reinstalling 19.04 will help you any.

Changed in shim (Ubuntu):
status: Incomplete → New
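
The check read off the efibootmgr output in the comment above, as an added shell example that is not part of the bug thread: it resolves the BootCurrent entry and tests whether the loader it names is shim. The function names and both sample inputs are constructed for illustration; on a live system the input would come from `efibootmgr -v`.

```shell
#!/bin/sh
# Constructed samples. The ubuntu shim entry is the one quoted in the comment
# above; the Windows entry and the second sample are made up for contrast.
SAMPLE_SHIM='BootCurrent: 0001
Boot0000* Windows Boot Manager HD(1,GPT,00000000-0000-0000-0000-000000000000,0x800,0xfa000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)
Boot0001* ubuntu HD(2,GPT,97bd7694-b600-487f-a866-7694c80b6ead,0xfa000,0x32000)/File(\EFI\ubuntu\shimx64.efi)'
SAMPLE_NO_SHIM='BootCurrent: 0002
Boot0002* ubuntu HD(2,GPT,97bd7694-b600-487f-a866-7694c80b6ead,0xfa000,0x32000)/File(\EFI\ubuntu\grubx64.efi)'

# Print the File(...) loader path of the entry named by BootCurrent.
# Reads efibootmgr output on stdin; exit 1 = entry not found, 2 = no File() node.
current_loader() {
    awk '
        /^BootCurrent:/ { cur = $2 }
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ { entry[substr($0, 5, 4)] = $0 }
        END {
            if (cur == "" || !(cur in entry)) exit 1
            if (match(entry[cur], /File\([^)]*\)/) == 0) exit 2
            print substr(entry[cur], RSTART + 5, RLENGTH - 6)
        }'
}

# Return 0 if the current entry loads a shim*.efi binary, 1 if it loads
# something else, 2 if the current loader could not be determined.
uses_shim() {
    loader=$(current_loader) || return 2
    case $(printf '%s' "$loader" | tr 'A-Z' 'a-z') in
        *\\shim*.efi) return 0 ;;
        *) return 1 ;;
    esac
}

# Offline demo on the constructed samples.
for sample in "$SAMPLE_SHIM" "$SAMPLE_NO_SHIM"; do
    if printf '%s\n' "$sample" | uses_shim; then
        echo "BootCurrent loads shim"
    else
        echo "BootCurrent does not load shim"
    fi
done
```

This only confirms what the firmware was told to load; it says nothing about whether the firmware accepts the signature on that file, which is the open question in this report.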
BoQsc (boqsc) wrote :

A strange behaviour after running 'sudo apt-get install shim-signed'
is that while the GRUB2 menu loads, the screen becomes completely black; however, GRUB2 itself is functional, can launch an operating system such as Ubuntu, and responds to the keyboard.

Steve Langasek (vorlon) wrote :

You should also have the mokutil command installed. Please also run: 'mokutil --export --db' and attach the DB*.der files to this report.

Changed in shim (Ubuntu):
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for shim (Ubuntu) because there has been no activity for 60 days.]

Changed in shim (Ubuntu):
status: Incomplete → Expired
BoQsc (boqsc) wrote :
BoQsc (boqsc) wrote :
BoQsc (boqsc) wrote :
Changed in shim (Ubuntu):
status: Expired → New
Steve Langasek (vorlon) wrote :

Ok. It's interesting to see that you have two other vendor keys in your DB:

        Issuer: CN = Inventec BU2
        Validity
            Not Before: Jun 14 16:00:00 2012 GMT
            Not After : Jun 14 16:00:00 2022 GMT
        Subject: CN = Inventec BU2
[...]

        Issuer: C = JP, ST = Tokyo, L = Ome, O = Toshiba Corporation, CN = Toshiba Corporation Utility CA 2012
        Validity
            Not Before: Aug 10 06:15:36 2012 GMT
            Not After : Aug 10 06:15:35 2027 GMT
        Subject: C = JP, ST = Tokyo, L = Ome, O = Toshiba Corporation, CN = Toshiba Corporation Utility CA 2012

However, in addition to these you also have the standard expected Microsoft CA:

        Issuer: C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = Microsoft Root Certificate Authority 2010
        Validity
            Not Before: Oct 19 18:41:42 2011 GMT
            Not After : Oct 19 18:51:42 2026 GMT
        Subject: C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = Microsoft Windows Production PCA 2011

So I'm afraid this still doesn't give me any clue as to why your system won't boot Ubuntu under SecureBoot.

What is the output of 'mokutil --dbx' on this system?

BoQsc (boqsc) wrote :

vaidas@vaidas-SATELLITE-L855:~/Desktop$ mokutil --dbx
[key 1]
  [SHA-256]
  0000000000000000000000000000000000000000000000000000000000000000

Steve Langasek (vorlon) wrote :

Thanks, that looks like the standard set of Microsoft-issued revocations, with two differences:

 - listing a revocation of the rather unlikely hash of 0000000000000000000000000000000000000000000000000000000000000000
 - the revocations are listed as not having been issued all by the same key

I don't know what that all means, but it doesn't look like this explains the failure to boot Ubuntu's shim.

BoQsc (boqsc) wrote :

Tested this issue once more by enabling Secure Boot in the BIOS and booting into Ubuntu 19.04 through GRUB2; no success, as previously.

"Boot failure : a proper digital signature was not found.
One of the files on the selected boot device was rejected by the Secure Boot feature."

I believe that only Windows operating systems and their bootloaders have the right signature as they booted previously with secure boot enabled - before installing Ubuntu. (Some 9-10 months ago)

Does Ubuntu install these digital signatures required by Secure Boot after its installation? I think Ubuntu probably did not install them, as it hasn't found a way to do so, due to an unrecognised/unusual "Secure Boot System". But I have no idea how all this Secure Boot works; these are just guesses.

Or maybe the digital signature of Ubuntu is corrupted due to an unsuccessful entry insertion (if that even happened):

[key 1]
  [SHA-256]
  0000000000000000000000000000000000000000000000000000000000000000
