[Bug 1578837] [NEW] Secure Boot failure on Lenovo x3550 M5

Rod Smith rod.smith at canonical.com
Thu May 5 21:48:52 UTC 2016 

Public bug reported:

When doing certification testing of Ubuntu 16.04 on a Lenovo x3550 M5,
we've found a Secure Boot failure. After installing via MAAS with Secure
Boot DISABLED, we've enabled Secure Boot. The following appears on the
screen (SOL session):

No key pressed. Preparing to boot normally...
>>Start PXE over IPv4.
  Station IP address is 10.1.10.17

  Server IP address is 10.1.10.1
  NBP filename is bootx64.efi
  NBP filesize is 1289424 Bytes
 Downloading NBP file...

  Succeed to download NBP file.

 Downloading NBP file...

  Succeed to download NBP file.
Fetching Netboot Image

Booting local disk...
/EndEntire
file path: /ACPI(a0341d0,0)/PCI(0,1)/PCI(0,0)/Ctrl(0)/SCSI(0,0)
/HD(15,800,100000,ae01bc523f0af546,2,2)/File(\efi\ubuntu)/File(shimx64.efi)/EndEntire
error: cannot load image.

Press any key to continue...

Pressing a key at this point produces a GRUB menu containing nothing but
a "Local" option. Selecting that option causes a return of the "Booting
local disk..." message and failure.

Disabling Secure Boot produces the same sequence, except that "error:
cannot load image" does NOT appear, a GRUB menu with an "Ubuntu" option
appears briefly, and the system boots normally.

Note that Secure Boot DOES work normally in a MAAS environment on other
computers, such as Cisco C220 M4 and C240 M4 and an Intel NUC
DC53427HYE. (The NUC, however, required a firmware update to work with
Secure Boot active.)

This may well be a firmware bug, but I'm reporting it against Shim
because it could be it's a Shim bug that's interacting with the firmware
or there may be something Shim can do to work around the problem.

Version information:

$ lsb_release -rd
Description:	Ubuntu 16.04 LTS
Release:	16.04
$ apt-cache policy shim
shim:
  Installed: 0.8-0ubuntu2
  Candidate: 0.8-0ubuntu2
  Version table:
 *** 0.8-0ubuntu2 500
        500 http://us.archive.ubuntu.com//ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status
ubuntu at oil-jolteon:~$ apt-cache policy shim-signed
shim-signed:
  Installed: 1.12+0.8-0ubuntu2
  Candidate: 1.12+0.8-0ubuntu2
  Version table:
 *** 1.12+0.8-0ubuntu2 500
        500 http://us.archive.ubuntu.com//ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status

** Affects: shim (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim in Ubuntu.
https://bugs.launchpad.net/bugs/1578837

Title:
  Secure Boot failure on Lenovo x3550 M5

Status in shim package in Ubuntu:
  New

Bug description:
  When doing certification testing of Ubuntu 16.04 on a Lenovo x3550 M5,
  we've found a Secure Boot failure. After installing via MAAS with
  Secure Boot DISABLED, we've enabled Secure Boot. The following appears
  on the screen (SOL session):

  No key pressed. Preparing to boot normally...
  >>Start PXE over IPv4.
    Station IP address is 10.1.10.17

    Server IP address is 10.1.10.1
    NBP filename is bootx64.efi
    NBP filesize is 1289424 Bytes
   Downloading NBP file...

    Succeed to download NBP file.

   Downloading NBP file...

    Succeed to download NBP file.
  Fetching Netboot Image

  Booting local disk...
  /EndEntire
  file path: /ACPI(a0341d0,0)/PCI(0,1)/PCI(0,0)/Ctrl(0)/SCSI(0,0)
  /HD(15,800,100000,ae01bc523f0af546,2,2)/File(\efi\ubuntu)/File(shimx64.efi)/EndEntire
  error: cannot load image.

  Press any key to continue...

  Pressing a key at this point produces a GRUB menu containing nothing
  but a "Local" option. Selecting that option causes a return of the
  "Booting local disk..." message and failure.

  Disabling Secure Boot produces the same sequence, except that "error:
  cannot load image" does NOT appear, a GRUB menu with an "Ubuntu"
  option appears briefly, and the system boots normally.

  Note that Secure Boot DOES work normally in a MAAS environment on
  other computers, such as Cisco C220 M4 and C240 M4 and an Intel NUC
  DC53427HYE. (The NUC, however, required a firmware update to work with
  Secure Boot active.)

  This may well be a firmware bug, but I'm reporting it against Shim
  because it could be it's a Shim bug that's interacting with the
  firmware or there may be something Shim can do to work around the
  problem.

  Version information:

  $ lsb_release -rd
  Description:	Ubuntu 16.04 LTS
  Release:	16.04
  $ apt-cache policy shim
  shim:
    Installed: 0.8-0ubuntu2
    Candidate: 0.8-0ubuntu2
    Version table:
   *** 0.8-0ubuntu2 500
          500 http://us.archive.ubuntu.com//ubuntu xenial/main amd64 Packages
          100 /var/lib/dpkg/status
  ubuntu at oil-jolteon:~$ apt-cache policy shim-signed
  shim-signed:
    Installed: 1.12+0.8-0ubuntu2
    Candidate: 1.12+0.8-0ubuntu2
    Version table:
   *** 1.12+0.8-0ubuntu2 500
          500 http://us.archive.ubuntu.com//ubuntu xenial/main amd64 Packages
          100 /var/lib/dpkg/status

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1578837/+subscriptions

More information about the foundations-bugs mailing list