[Bug 1274749] Re: sbkeysync fails with 'Can't access efivars filesystem at /sys/firmware/efi/efivars, aborting' with 14.04 ovmf

Jamie Strandboge jamie at ubuntu.com
Fri Jan 31 03:55:48 UTC 2014 

Ok, I just now booted with bios.bin from
http://people.canonical.com/~jamie/ovmf/ that I built when first using
OVMF with quantal and have the same results as in comment #2. My
thinking is that  something must have changed incompatibly with newer
kernels.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sbsigntool in Ubuntu.
https://bugs.launchpad.net/bugs/1274749

Title:
  sbkeysync fails with 'Can't access efivars filesystem at
  /sys/firmware/efi/efivars, aborting' with 14.04 ovmf

Status in “sbsigntool” package in Ubuntu:
  New

Bug description:
  Due to bug #1274376 I installed Ubuntu 13.10 in a VM with ovmf
  0~20121205.edae8d2d-1, shutdown the vm and then upgraded ovmf to
  0~20131029.2f34e065-1 since I found that after repeated reboots when
  using 0~20121205.edae8d2d-1 ovmf had trouble finding the disk (I don't
  know why-- I couldn't find a simple reproducer).

  So, when using  ovmf 0~20131029.2f34e065-1 if I try to install secure
  boot keys as per the instructions in
  https://wiki.ubuntu.com/SecurityTeam/SecureBoot#Shim_bootloader_signed_with_Microsoft_key,
  sbkeysync fails. Eg:

  $ sbkeysync --verbose --pk --dry-run
  Can't access efivars filesystem at /sys/firmware/efi/efivars, aborting

  I used the sb-setup command as per
  https://wiki.ubuntu.com/SecurityTeam/SecureBoot#Shim_bootloader_signed_with_Microsoft_key:

  $ cd /tmp
  $ ./sb-setup enroll microsoft
  Creating keystore...
    mkdir '/etc/secureboot/keys'
    mkdir '/etc/secureboot/keys/PK'
    mkdir '/etc/secureboot/keys/KEK'
    mkdir '/etc/secureboot/keys/db'
    mkdir '/etc/secureboot/keys/dbx'
  done

  Creating keys... done

  Generating key updates for PK...
    using GUID=f2a7fbab-1471-40da-b18f-6a489d898f91
    creating EFI_SIGNATURE_LIST (test-cert.der.siglist)...
    creating signed update (test-cert.der.siglist.PK.signed)...
  done
  Generating key updates for KEK...
    using GUID=f2a7fbab-1471-40da-b18f-6a489d898f91
    creating EFI_SIGNATURE_LIST (test-cert.der.siglist)...
    creating signed update (test-cert.der.siglist.KEK.signed)...
  done
  Generating key updates for KEK...
    using GUID=ed200091-fb45-4da2-8efe-9ce0add35ad4
    creating EFI_SIGNATURE_LIST (microsoft-kekca-public.der.siglist)...
    creating signed update (microsoft-kekca-public.der.siglist.KEK.signed)...
  done
  Generating key updates for db...
    using GUID=f44c37d2-9123-4b09-abf8-d7fdfdf73476
    creating EFI_SIGNATURE_LIST (microsoft-pca-public.der.siglist)...
    creating signed update (microsoft-pca-public.der.siglist.db.signed)...
  done
  Generating key updates for db...
    using GUID=97ff929d-201f-44ef-8514-385958672418
    creating EFI_SIGNATURE_LIST (microsoft-uefica-public.der.siglist)...
    creating signed update (microsoft-uefica-public.der.siglist.db.signed)...
  done
  Initializing keystore...
    adding to /etc/secureboot/keys/PK/
    adding to /etc/secureboot/keys/KEK/
    adding to /etc/secureboot/keys/db/
  done

  Can't access efivars filesystem at /sys/firmware/efi/efivars, aborting
  Commit to keystore? (y|N) n
  $

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sbsigntool/+bug/1274749/+subscriptions

More information about the foundations-bugs mailing list