EFI secure boot failure (grubx64.efi instead of shimx64.efi) + nvram space filled with kernel debug data

Zygmunt Krynicki zygmunt.krynicki at canonical.com
Wed Apr 10 23:13:42 UTC 2013


This is a short update from a debugging session that started after my
raring 3.8.0-something, I believe -5, kernel failed to boot. My
firmware got me something looking like [1].

After disabling secure boot I discovered that my keyboard / touchpad
no longer work. I could work with a spare USB keyboard. Trying
additional upgrades did not help and I could not re-enable secure boot.

I joined #ubuntu-devel and started asking for help. I got great
support from slangasek (who will probably remind me to add essential
data that I may have omitted typing this at 1AM).

The debugging session found a few interesting problems:

1) efibootmgr -v listed grubx64.efi instead of shimx64.efi - we
believe that is the imminent cause of the secure boot failure as only
shimx64.efi is signed by the Microsoft key.

2) attempts to add the shim failed on lack of space, as shown below:

# efibootmgr -c -d /dev/sda -p 1 -w -L ubuntu -l '\EFI\ubuntu\shimx64.efi'
# echo $?
# cat relevant part of strace
open("/sys/firmware/efi/vars/new_var", O_WRONLY) = 3
2084) = -1 ENOSPC (No space left on device)

3) my efi variable flash/nvram was filled with debug entries from
numerous kernel oopses that I've encountered over the past few months.
It is questionable if oopses should be logged at all and if there
should be a mechanism that keeps data in nvram all the time. My
suggestion would be to not log oopses at all and definitely copy
debug- entries to the filesystem after each boot so that we don't keep
an unbounded amount of data there.

4) attempts to rsync all efivars to disk before removing debug-*
variables crashed my system (I have photos of the backtrace if anyone
is interested).

5) rebooting after that worked fine (in non-secure mode)

6) removing debug-* variables worked okay

7) re-issuing efibootmgr command to install the shim worked okay

8) a reboot into secure mode worked okay but I lost my keyboard and
touchpad again (probably unrelated but I cannot be sure)

9) another reboot got keyboard / touchpad / secure boot to work

Somewhere early on I've downgraded grub2 to the previous version
(slangasek mentioned there was a recent upgrade and I still had the
old version on my local mirror)

Our conversation was logged on the #ubuntu-devel channel; I've posted
numerous pastebins with more detail. The conversation starts here [2].

I'd like to file bugs on the kernel debug / backtrace behavior as that
seems most serious to me. I'd like to file a bug on the grubx64.efi
image but I have no information that I can add that would seem
helpful. Perhaps if more people are affected this can go somewhere.

Thanks Steve!

[1]: https://plus.google.com/116315264177593873442/posts/9UUGFQ2cphM

[2]: http://irclogs.ubuntu.com/2013/04/10/%23ubuntu-devel.html#t20:47
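
The two checks from the debugging session above (which loader the current boot entry points at, and how many debug-* variables sit in /sys/firmware/efi/vars), as an added example that is not part of the original message. The function names and the sample `efibootmgr -v` output are constructed for illustration; the loader names, the debug- prefix and the sysfs path are the ones the message mentions.

```shell
#!/bin/sh
# Added example. Function names and the sample output are constructed.

# Constructed `efibootmgr -v` output showing the failing state from item 1.
sample_efibootmgr() {
    cat <<'EOF'
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,0001
Boot0000* ubuntu HD(1,800,100000,00000000-0000-0000-0000-000000000000)File(\EFI\ubuntu\grubx64.efi)
Boot0001* Windows Boot Manager HD(1,800,100000,00000000-0000-0000-0000-000000000000)File(\EFI\Microsoft\Boot\bootmgfw.efi)
EOF
}

# Read `efibootmgr -v` output on stdin; print "BootNNNN <loader path>" for
# the entry that BootCurrent names. Prints nothing if it has no File() path.
current_loader() {
    awk '
        /^BootCurrent:/ { cur = "Boot" $2 }
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ {
            if (match($0, /File\([^)]*\)/))
                loader[substr($0, 1, 8)] = substr($0, RSTART + 5, RLENGTH - 6)
        }
        END { if (cur in loader) print cur, loader[cur] }
    '
}

# Succeed only if the current entry loads shimx64.efi (FAT paths ignore case).
boots_via_shim() {
    loader=$(current_loader | tr 'A-Z' 'a-z')
    case $loader in
        *'\shimx64.efi') return 0 ;;
        *) return 1 ;;
    esac
}

# count_vars DIR PREFIX: number of entries in DIR whose name starts with PREFIX.
count_vars() {
    n=0
    for v in "$1"/"$2"*; do
        if [ -e "$v" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

sample_efibootmgr | boots_via_shim || echo "current entry does not load shimx64.efi"
if [ -d /sys/firmware/efi/vars ]; then
    echo "debug-* variables: $(count_vars /sys/firmware/efi/vars debug-)"
fi
```

On a live system, pipe `efibootmgr -v` into `boots_via_shim` instead of the sample function.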