EFI secure boot failure (grubx64.efi instead of shimx64.efi) + nvram space filled with kernel debug data
Zygmunt Krynicki
zygmunt.krynicki at canonical.com
Wed Apr 10 23:13:42 UTC 2013
Hi

This is a short update from a debugging session that started after my
raring 3.8.0-something, I believe -5, kernel failed to boot. My
firmware got me something looking like [1].

After disabling secure boot I discovered that my keyboard / touchpad
no longer work. I could work with a spare USB keyboard. Trying
additional upgrades did not help and I could not re-enable secure boot.

I joined #ubuntu-devel and started asking for help. I got great
support from slangasek (who will probably remind me to add essential
data that I may have omitted typing this at 1AM).

The debugging session found a few interesting problems:

1) efibootmgr -v listed grubx64.efi instead of shimx64.efi - we
believe that is the imminent cause of the secure boot failure as only
shimx64.efi is signed by the Microsoft key

2) attempts to add the shim failed on lack of space, as shown below:

    # efibootmgr -c -d /dev/sda -p 1 -w -L ubuntu -l '\EFI\ubuntu\shimx64.efi'
    # echo $?
    # cat relevant part of strace
    open("/sys/firmware/efi/vars/new_var", O_WRONLY) = 3
    write(3, "B\0o\0o\0t\0000\0000\0000\0004\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 2084) = -1 ENOSPC (No space left on device)

3) my efi variable flash/nvram was filled with debug entries from
numerous kernel oopses that I've encountered over the past few months.
It is questionable if oopses should be logged at all and if there
should be a mechanism that keeps data in nvram all the time. My
suggestion would be to not log oopses at all and definitely copy
debug- entries to the filesystem after each boot so that we don't keep
an unbounded amount of data there.

4) attempts to rsync all efivars to disk before removing debug-*
variables crashed my system (I have photos of the backtrace if anyone
is interested).

5) rebooting after that worked fine (in non-secure mode)

6) removing debug-* variables worked okay

7) re-issuing efibootmgr command to install the shim worked okay

8) a reboot into secure mode worked okay but I lost my keyboard and
touchpad again (probably unrelated but I cannot be sure)

9) another reboot got keyboard / touchpad / secure boot to work

Somewhere early on I've downgraded grub2 to the previous version
(slangasek mentioned there was a recent upgrade and I still had the
old version on my local mirror).

Our conversation was logged on the #ubuntu-devel channel. I've posted
numerous pastebins with more detail. The conversation starts here [2].

I'd like to file bugs on the kernel debug / backtrace behavior as that
seems most serious to me. I'd like to file a bug on the grubx64.efi
image but I have no information that I can add that would seem
helpful. Perhaps if more people are affected this can go somewhere.

Thanks Steve!
ZK

[1]: https://plus.google.com/116315264177593873442/posts/9UUGFQ2cphM
[2]: http://irclogs.ubuntu.com/2013/04/10/%23ubuntu-devel.html#t20:47
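
The two conditions found in this report (the booted entry pointing at grubx64.efi rather than shimx64.efi, and variable storage consumed by debug-* entries) can be checked with a short script. This is an added example, not part of the original message or of any Ubuntu tooling; the function names are hypothetical, the efivarfs-style directory layout is an assumption, and the `debug-*` pattern is the one named in the post.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; inputs are whatever
# `efibootmgr -v` prints and a directory of EFI variable files.

# Read `efibootmgr -v` output on stdin; print the File(...) loader path of
# the entry that BootCurrent points at (empty if none is found).
boot_current_loader() {
    awk '
        /^BootCurrent:/ { cur = $2 }
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ {
            entry[substr($0, 5, 4)] = $0
        }
        END {
            s = entry[cur]
            if (match(s, /File\([^)]*\)/))
                print substr(s, RSTART + 5, RLENGTH - 6)
        }'
}

# Succeed only when the booted entry loads shimx64.efi. The comparison is
# case-insensitive because the EFI system partition is FAT.
is_shim_boot() {
    loader=$(boot_current_loader | tr 'A-Z' 'a-z')
    case "$loader" in
        *shimx64.efi) return 0 ;;
        *) return 1 ;;
    esac
}

# var_usage DIR PATTERN: print "<count> <bytes>" for the variable files in
# DIR whose names match the shell PATTERN (the post's pattern is debug-*).
# Assumes an efivarfs-style layout, one file per variable; there each file
# also carries a 4-byte attribute header, counted here.
var_usage() {
    dir=$1; pattern=$2; count=0; bytes=0
    for f in "$dir"/$pattern; do
        [ -f "$f" ] || continue
        size=$(wc -c < "$f")
        count=$((count + 1))
        bytes=$((bytes + size))
    done
    echo "$count $bytes"
}

# Usage on a live system:
#   efibootmgr -v | is_shim_boot || echo "booted entry is not the shim"
#   var_usage /sys/firmware/efi/efivars 'debug-*'
```
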