[Bug 1939306] Re: latest shim-signed fails on Lenovo T480 with Secure boot

Valtteri Vuorikoski 1939306 at bugs.launchpad.net
Sat Aug 21 16:40:45 UTC 2021


Not clear if it's the same issue, but on a Thinkpad T14s, new shim fails
to boot anything except the Canonical-signed grub. Both hash and key
MOKs seem to be ignored (blue screen with Security Violation 0x1A for
signed executables). Downgrading to the version of shim-signed specified
in the initial report makes hash and key MOKs work again. shim verbose
reporting was not checked.

https://bugs.launchpad.net/bugs/1939306

Title:
  latest shim-signed fails on Lenovo T480 with Secure boot

Status in shim-signed package in Ubuntu:
  Confirmed

Bug description:
  As in the summary, the booting process using the latest shim-signed
  fails on Lenovo T480 with the Secure boot enabled: it ends with the
  black screen. When Secure boot is disabled, the booting process
  completes successfully.

  I collected some logs with `sudo mokutil --set-verbosity true` (see
  attachment).

  I confirm that `grubx64.efi` is where expected.

  The workaround is to downgrade the package version:
  sudo apt install shim-signed=1.40.3+15+1533136590.3beb971-0ubuntu1 shim=15+1533136590.3beb971-0ubuntu1

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: shim-signed 1.40.6+15.4-0ubuntu7
  ProcVersionSignature: Ubuntu 5.4.0-80.90-generic 5.4.124
  Uname: Linux 5.4.0-80-generic x86_64
  .proc.sys.kernel.moksbstate_disabled: Error: [Errno 2] Nie ma takiego pliku ani katalogu: '/proc/sys/kernel/moksbstate_disabled'
  ApportVersion: 2.20.11-0ubuntu27.18
  Architecture: amd64
  CasperMD5CheckResult: skip
  CurrentDesktop: GNOME
  Date: Mon Aug  9 16:05:10 2021
  EFITables:
   sie 09 16:04:39 adrian-laptop kernel: efi: EFI v2.50 by Lenovo
   sie 09 16:04:39 adrian-laptop kernel: efi:  TPMFinalLog=0x6b58a000  SMBIOS=0x6a62c000  SMBIOS 3.0=0x6a629000  ACPI=0x6b5fe000  ACPI 2.0=0x6b5fe014  ESRT=0x6a4b6000  MEMATTR=0x64799018  TPMEventLog=0x5e5ea018 
   sie 09 16:04:39 adrian-laptop kernel: secureboot: Secure boot enabled
   sie 09 16:04:39 adrian-laptop kernel: esrt: Reserving ESRT space from 0x000000006a4b6000 to 0x000000006a4b6100.
   sie 09 16:04:39 adrian-laptop kernel: secureboot: Secure boot enabled
  InstallationDate: Installed on 2018-04-05 (1222 days ago)
  InstallationMedia: Ubuntu 16.04.4 LTS "Xenial Xerus" - Release amd64 (20180228)
  SecureBoot: 6   0   0   0   1
  SourcePackage: shim-signed
  UpgradeStatus: Upgraded to focal on 2020-10-28 (284 days ago)
