Secure Boot failure on Lenovo x3550 M5
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
shim (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned |
Bug Description
When doing certification testing of Ubuntu 16.04 on a Lenovo x3550 M5, we've found a Secure Boot failure. After installing via MAAS with Secure Boot DISABLED, we've enabled Secure Boot. The following appears on the screen (SOL session):
No key pressed. Preparing to boot normally...
>>Start PXE over IPv4.
Station IP address is 10.1.10.17
Server IP address is 10.1.10.1
NBP filename is bootx64.efi
NBP filesize is 1289424 Bytes
Downloading NBP file...
Succeed to download NBP file.
Downloading NBP file...
Succeed to download NBP file.
Fetching Netboot Image
Booting local disk...
/EndEntire
file path: /ACPI(a0341d0,
/HD(15,
error: cannot load image.
Press any key to continue...
Pressing a key at this point produces a GRUB menu containing nothing but a "Local" option. Selecting that option causes a return of the "Booting local disk..." message and failure.
Disabling Secure Boot produces the same sequence, except that "error: cannot load image" does NOT appear, a GRUB menu with an "Ubuntu" option appears briefly, and the system boots normally.
Note that Secure Boot DOES work normally in a MAAS environment on other computers, such as Cisco C220 M4 and C240 M4 and an Intel NUC DC53427HYE. (The NUC, however, required a firmware update to work with Secure Boot active.)
This may well be a firmware bug, but I'm reporting it against Shim because it could be it's a Shim bug that's interacting with the firmware or there may be something Shim can do to work around the problem.
Version information:
$ lsb_release -rd
Description: Ubuntu 16.04 LTS
Release: 16.04
$ apt-cache policy shim
shim:
Installed: 0.8-0ubuntu2
Candidate: 0.8-0ubuntu2
Version table:
*** 0.8-0ubuntu2 500
500 http://
100 /var/lib/
ubuntu@
shim-signed:
Installed: 1.12+0.8-0ubuntu2
Candidate: 1.12+0.8-0ubuntu2
Version table:
*** 1.12+0.8-0ubuntu2 500
500 http://
100 /var/lib/
tags: | added: hwcert-server |
Hi Rod,
On Thu, May 05, 2016 at 09:48:52PM -0000, Rod Smith wrote:
> When doing certification testing of Ubuntu 16.04 on a Lenovo x3550 M5,
> we've found a Secure Boot failure. After installing via MAAS with Secure
> Boot DISABLED, we've enabled Secure Boot. The following appears on the
> screen (SOL session):
> No key pressed. Preparing to boot normally...
> >>Start PXE over IPv4.
> Station IP address is 10.1.10.17
>
> Server IP address is 10.1.10.1
> NBP filename is bootx64.efi
> NBP filesize is 1289424 Bytes
> Downloading NBP file...
> Succeed to download NBP file.
Up to this point, this looks like a successful download of shim (named
bootx64.efi on the server) via PXE.
> Downloading NBP file...
>
> Succeed to download NBP file.
This looks like messages due to shim using the PXE protocol grabbing
grubx64.efi, and is also successful.
> Fetching Netboot Image
This is presumably output from grub, driven by whatever is in the grub.cfg.
Can you provide the grub.cfg that's present on the PXE server? Can you show
tftp logs of what files were downloaded, in what order?
> Booting local disk... 0)/PCI( 0,1)/PCI( 0,0)/Ctrl( 0)/SCSI( 0,0) 800,100000, ae01bc523f0af54 6,2,2)/ File(\efi\ ubuntu) /File(shimx64. efi)/EndEntire
> /EndEntire
> file path: /ACPI(a0341d0,
> /HD(15,
> error: cannot load image.
> Press any key to continue...
Are you expecting the system to boot from local disk at this point? Does
this path being booted from exist? Where does the path for this boot entry
come from, and if the file path exists, is it a proper copy of Ubuntu shim?
> Pressing a key at this point produces a GRUB menu containing nothing but
> a "Local" option. Selecting that option causes a return of the "Booting
> local disk..." message and failure.
I assume this is a boot menu from a grub.cfg provided by the MAAS server,
containing only a single boot entry pointing at the local disk and
configured to autoboot, so if the boot fails it takes you back to the same
menu again.
> Disabling Secure Boot produces the same sequence, except that "error:
> cannot load image" does NOT appear, a GRUB menu with an "Ubuntu" option
> appears briefly, and the system boots normally.
I assume this 'Ubuntu' option is the grub.cfg from the local disk displaying
briefly, only after the point that grub has successfully chainloaded to the
shim+grub on the local disk.
> Note that Secure Boot DOES work normally in a MAAS environment on other
> computers, such as Cisco C220 M4 and C240 M4 and an Intel NUC
> DC53427HYE. (The NUC, however, required a firmware update to work with
> Secure Boot active.)
> This may well be a firmware bug, but I'm reporting it against Shim
> because it could be it's a Shim bug that's interacting with the firmware
> or there may be something Shim can do to work around the problem.
Well, it could be a shim or grub bug, or a firmware bug, or even a maas bug,
depending on the above.
-- www.debian. org/
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://
<email address hidden> ...