shim-signed 1.48+15.4-0ubuntu5 does not secure boot

Bug #1936759 reported by Jacques Williamson
Affects: shim-signed (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

shim-signed package installs with no error with apt upgrade, but then the system cannot boot afterwards with secure boot enabled. System hangs indefinitely on UEFI manufacturer logo screen (Dell in this case), not getting as far as grub. Disabling secure boot is a workaround.

Rolling back to previous shim-signed version 1.46+15.4-0ubuntu1 fixes the problem (system can once again boot with secure boot enabled).

Done this for now to allow secure boot to be enabled:
$ sudo apt install shim-signed=1.46+15.4-0ubuntu1
$ sudo apt-mark hold shim-signed

Details of system where problem is observed:
- Dell XPS 13 7390 laptop
- Intel® Core™ i7-10510U CPU / 16GB RAM
- BIOS/UEFI firmware version: v1.8.0 (latest)
- Ubuntu hirsute 21.04 64bit (Linux only, single OS, not dual booting)
- Kernel version: 5.11.0-22-generic
- GRUB: 2.04-1ubuntu45

Any questions / additional info, please ask.
---
ProblemType: Bug
.proc.sys.kernel.moksbstate_disabled: Error: [Errno 2] No such file or directory: '/proc/sys/kernel/moksbstate_disabled'
ApportVersion: 2.20.11-0ubuntu65.1
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
DistroRelease: Ubuntu 21.04
EFIBootMgr:
 BootCurrent: 0000
 Timeout: 0 seconds
 BootOrder: 0000,0001
 Boot0000* ubuntu HD(2,GPT,cc31568c-2d13-40c3-8cfe-a0d889852837,0x800,0x32000)/File(\EFI\ubuntu\shimx64.efi)
 Boot0001* UEFI CT1000P1SSD8 1917E1FE1D9D 1 PciRoot(0x0)/Pci(0x1d,0x4)/Pci(0x0,0x0)/NVMe(0x1,00-00-00-00-00-00-00-00)/HD(2,GPT,cc31568c-2d13-40c3-8cfe-a0d889852837,0x800,0x32000)/File(\EFI\Boot\BootX64.efi)N.....YM....R,Y.
EcryptfsInUse: Yes
InstallationDate: Installed on 2020-01-26 (540 days ago)
InstallationMedia: Ubuntu 19.10 "Eoan Ermine" - Release amd64 (20191017)
Package: shim-signed 1.46+15.4-0ubuntu1
PackageArchitecture: amd64
ProcVersionSignature: Ubuntu 5.11.0-22.23-generic 5.11.21
SecureBoot: 6 0 0 0 1
Tags: hirsute wayland-session
Uname: Linux 5.11.0-22-generic x86_64
UpgradeStatus: Upgraded to hirsute on 2021-05-29 (51 days ago)
UserGroups: adm cdrom dip docker lpadmin lxd plugdev sambashare sudo
_MarkForUpload: True
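The apport data above carries two fields worth reading together when triaging a Secure Boot hang: `SecureBoot: 6 0 0 0 1` and the `EFIBootMgr` block. The following Python is an added example, not code from the bug report or from the shim-signed package; it assumes apport dumps the SecureBoot EFI variable as space-separated decimal bytes in efivarfs layout (a 4-byte little-endian attribute word, then the variable data), that the `EFIBootMgr` field is verbatim `efibootmgr -v` output, and the list of device-path node names it uses to separate an entry's label from its path is a heuristic chosen here. Run against the report's own lines it decodes the attributes as BOOTSERVICE_ACCESS|RUNTIME_ACCESS with Secure Boot enabled, and resolves BootCurrent `0000` to `\EFI\ubuntu\shimx64.efi`, confirming that the firmware really is loading the signed shim when it hangs.

```python
"""Audit the SecureBoot and EFIBootMgr fields of a shim-signed apport report.

Added example, not code from the bug report or from the shim-signed package.
Assumptions: apport prints the SecureBoot EFI variable in efivarfs layout as
decimal bytes (4-byte little-endian attribute word, then the data), and the
EFIBootMgr field is verbatim `efibootmgr -v` output. The node-name list used
to split labels from device paths is a heuristic chosen for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# UEFI variable attribute bits (UEFI specification, Variable Services).
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4
ATTRIBUTE_NAMES = {
    EFI_VARIABLE_NON_VOLATILE: "EFI_VARIABLE_NON_VOLATILE",
    EFI_VARIABLE_BOOTSERVICE_ACCESS: "EFI_VARIABLE_BOOTSERVICE_ACCESS",
    EFI_VARIABLE_RUNTIME_ACCESS: "EFI_VARIABLE_RUNTIME_ACCESS",
}

# Constructed sample: the SecureBoot and EFIBootMgr lines of the report above.
SAMPLE_REPORT = r"""SecureBoot: 6 0 0 0 1
EFIBootMgr:
 BootCurrent: 0000
 Timeout: 0 seconds
 BootOrder: 0000,0001
 Boot0000* ubuntu HD(2,GPT,cc31568c-2d13-40c3-8cfe-a0d889852837,0x800,0x32000)/File(\EFI\ubuntu\shimx64.efi)
 Boot0001* UEFI CT1000P1SSD8 1917E1FE1D9D 1 PciRoot(0x0)/Pci(0x1d,0x4)/Pci(0x0,0x0)/NVMe(0x1,00-00-00-00-00-00-00-00)/HD(2,GPT,cc31568c-2d13-40c3-8cfe-a0d889852837,0x800,0x32000)/File(\EFI\Boot\BootX64.efi)N.....YM....R,Y.
"""


@dataclass
class SecureBootVar:
    attributes: int
    enabled: bool


@dataclass
class BootEntry:
    number: str
    active: bool
    label: str
    loader: Optional[str]  # path inside the File() node, None if absent


SECUREBOOT_RE = re.compile(r"^SecureBoot:\s*([\d ]+?)\s*$", re.MULTILINE)
BOOT_ENTRY_RE = re.compile(r"^Boot([0-9A-Fa-f]{4})(\*?)\s+(.*)$")
FILE_NODE_RE = re.compile(r"File\(([^)]*)\)")
# First device-path node; everything before it is the entry label (heuristic).
DEVPATH_RE = re.compile(r"\s(?:HD|PciRoot|VenHw|VenMsg|BBS|Fv|FvFile|MemoryMapped)\(")


def parse_secureboot_field(report: str) -> Optional[SecureBootVar]:
    """Decode 'SecureBoot: 6 0 0 0 1' into attributes (0x6) and data (1)."""
    m = SECUREBOOT_RE.search(report)
    if not m:
        return None
    try:
        raw = bytes(int(b) for b in m.group(1).split())
    except ValueError:  # a byte outside 0..255: malformed dump
        return None
    if len(raw) < 5:  # attribute word plus at least one data byte
        return None
    attributes = int.from_bytes(raw[:4], "little")
    return SecureBootVar(attributes=attributes, enabled=raw[4] == 1)


def describe_attributes(attributes: int) -> List[str]:
    """Name the attribute bits that are set, lowest bit first."""
    return [name for bit, name in sorted(ATTRIBUTE_NAMES.items()) if attributes & bit]


def parse_efibootmgr(report: str) -> Dict[str, object]:
    """Collect BootCurrent, BootOrder and every Boot#### entry in the report."""
    current: Optional[str] = None
    order: List[str] = []
    entries: Dict[str, BootEntry] = {}
    for line in report.splitlines():
        line = line.strip()
        if line.startswith("BootCurrent:"):
            current = line.split(":", 1)[1].strip()
        elif line.startswith("BootOrder:"):
            order = [n.strip() for n in line.split(":", 1)[1].split(",") if n.strip()]
        else:
            m = BOOT_ENTRY_RE.match(line)
            if not m:
                continue
            number, star, rest = m.groups()
            dp = DEVPATH_RE.search(rest)
            label = rest[:dp.start()].strip() if dp else rest.strip()
            file_node = FILE_NODE_RE.search(rest)
            loader = file_node.group(1) if file_node else None
            entries[number] = BootEntry(number, star == "*", label, loader)
    return {"current": current, "order": order, "entries": entries}


def boot_summary(report: str) -> Dict[str, object]:
    """Cross-check: is Secure Boot on, and does BootCurrent load the signed shim?"""
    sb = parse_secureboot_field(report)
    efi = parse_efibootmgr(report)
    entry = efi["entries"].get(efi["current"]) if efi["current"] else None
    loader = entry.loader if entry else None
    findings: List[str] = []
    if sb is None:
        findings.append("SecureBoot variable missing from report")
    elif not sb.enabled:
        findings.append("Secure Boot is disabled")
    if loader is None:
        findings.append("BootCurrent entry has no File() node")
    elif not loader.lower().endswith("shimx64.efi"):
        findings.append(f"BootCurrent loads {loader}, not the signed shim")
    return {
        "secure_boot_enabled": bool(sb and sb.enabled),
        "attributes": describe_attributes(sb.attributes) if sb else [],
        "current_entry": efi["current"],
        "current_label": entry.label if entry else None,
        "current_loader": loader,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in boot_summary(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

The `findings` list is the useful output when comparing a working and a hanging configuration: an empty list, as here, means the variable says Secure Boot is enforced and the selected entry is the shim, so the hang sits between firmware verification of `shimx64.efi` and shim handing off to GRUB rather than in the boot entry setup.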

Revision history for this message
Chris Guiver (guiverc) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. Please execute the following command only once, as it will automatically gather debugging information, in a terminal:

apport-collect 1936759

When reporting bugs in the future please use apport by using 'ubuntu-bug' and the name of the package affected. You can learn more about this functionality at https://wiki.ubuntu.com/ReportingBugs.

(I realize you cannot boot with the impacted shim package; but please run this command on the same box using the prior shim package to enable boot. Thank you for taking the time to report)

Revision history for this message
Julian Andres Klode (juliank) wrote :

Please also test the shim-signed 1.50+... binaries in proposed.

If they do not work, please run mokutil --set-verbosity true and reboot and capture the output with a camera such that we can see verbose logging.

Thank you!

Changed in shim-signed (Ubuntu):
status: New → Incomplete
Revision history for this message
Jacques Williamson (jckbuntu) wrote : BootEFIContents.txt

apport information

tags: added: apport-collected hirsute wayland-session
description: updated
Revision history for this message
Jacques Williamson (jckbuntu) wrote : Dependencies.txt

apport information

Revision history for this message
Jacques Williamson (jckbuntu) wrote : EFITables.txt

apport information

Revision history for this message
Jacques Williamson (jckbuntu) wrote : ProcCpuinfoMinimal.txt

apport information

Revision history for this message
Jacques Williamson (jckbuntu) wrote : ProcEnviron.txt

apport information

Revision history for this message
Jacques Williamson (jckbuntu) wrote :

~guiverc - Please see above for the apport-collect output.
~juliank - I will try the proposed shim-signed 1.50+ as update shortly.

Revision history for this message
Jacques Williamson (jckbuntu) wrote :

$ sudo apt install shim-signed=1.50+15.4-0ubuntu7
... from proposed packages, followed by a reboot with secure boot enabled, has the same result: stuck on the UEFI vendor firmware logo.

Trying to capture additional logging for you next.

Revision history for this message
Jacques Williamson (jckbuntu) wrote :

With shim-signed 1.48+15.4-0ubuntu5 installed and secure boot enabled, I also ran:
$ sudo mokutil --set-verbosity true
... rebooted, and captured output in a video as requested. See here (attaching to this ticket failed):
https://drive.google.com/file/d/1TBqolT2q552pK8RnDnMI7n7nIo0q8c9K/view?usp=sharing

I notice in the output there are references to "VMware", possibly relevant; I did follow steps very similar to this post (importing a self-signed cert with mokutil) a while ago in order to get VMware to work:
https://communities.vmware.com/t5/VMware-Workstation-Player/VMMON-and-VMNET-Unable-to-install-modules-after-VMware-16-1-0/m-p/2836493/highlight/true#M36511

However, no previous signed shim version had any issues with this. Did Microsoft start signing shims with new PKI data recently that my Dell UEFI firmware doesn't know about yet? (new secure boot keys?)

Thanks for your help in looking through my report.

Changed in shim-signed (Ubuntu):
status: Incomplete → New
Revision history for this message
Julian Andres Klode (juliank) wrote :

If you could try the 1.47+15.4-0ubuntu2 binaries as well, that'd be great; you can find them via Launchpad:

https://launchpad.net/ubuntu/+source/shim-signed/1.47/+build/21482148

If this fails, the issue is one of the three patches in there.

Revision history for this message
Jacques Williamson (jckbuntu) wrote :

The suggested v1.47 package worked! I did:

wget https://launchpad.net/ubuntu/+source/shim-signed/1.47/+build/21482148/+files/shim-signed_1.47+15.4-0ubuntu2_amd64.deb
sudo dpkg -i ./shim-signed_1.47+15.4-0ubuntu2_amd64.deb
... followed by a reboot, worked! (Booted OK with secure boot enabled.) So I tried 1.48 again...
sudo apt install shim-signed=1.48+15.4-0ubuntu5
... followed by a reboot, did not work (same as original report).

Revision history for this message
Julian Andres Klode (juliank) wrote :

We discussed this a bit upstream and we believe this to be random, and not a regression in those later 15.4 updates.

Apparently there is a buffer overflow in shim that makes it override memory of other EFI components, and depending on where that triggers, it can cause all sorts of random boot failures.

The fix for that, https://github.com/rhboot/shim/pull/365, has been merged for the upcoming 15.5 shim release.
