Re: fbx64.efi hangs after Debian 10.10 shim update

[Pascal Hambourg <pascal@plouf.fr.eu.org>]

Hello,

Le 21/06/2021 à 21:12, Pascal Hambourg a écrit :
> Le 21/06/2021 à 19:44, Steve McIntyre a écrit :
> > On Sun, Jun 20, 2021 at 07:44:58PM +0200, Pascal Hambourg wrote:
> > > I have Debian 10 amd64 installed on an old HP EliteBook 2570p. The UEFI
> > > firmware seems to ignore the EFI boot entries and only be able to 
> > > boot from
> > > the removable device path EFI\BOOT\BOOTX64.EFI by default. After each 
> > > boot a
> > > new "debian" EFI boot entry was added, so I removed
> > > /boot/efi/EFI/BOOT/fbx64.efi to avoid this. So far so good.
> >
> > OK.
> >
> > > After the latest shim update which ran grub-install and installed the 
> > > new
> > > /boot/efi/EFI/BOOT/fbx64.efi, UEFI boot hangs with no error message, 
> > > only the
> > > HP logo, and GRUB does not show up.
> > >
> > > Using "Boot from EFI file" in the firmware boot menu, it appears that :
> > > - grubx64.efi (from either EFI\debian or EFI\BOOT) works
> > > - shimx64.efi (from EFI\debian) works
> > > - BOOTX64.efi (from EFI\BOOT) hangs
> > > - fbx64.efi (from either EFI\debian or EFI\BOOT) hangs
> > >
> > > So as a workaround, I removed /boot/efi/EFI/BOOT/fbx64.efi again.
> >
> > OK. That's surprising, any I imagine annoying for you. :-/
>
> Not really, as I would have removed fbx64.efi anyway to avoid creating 
> multiple debian entries. I am actually expecting trouble with this EFI 
> setup, it serves as a kind of sentinel. If I wanted no trouble, I would 
> remove the shim and grub signed stuff as I do not use secure boot, or 
> even disable EFI boot and enable only the BIOS boot. But that would be 
> boring.
>
> > If you're prepared to help with testing the problem here (please!),
> > could you please:
> >
> > 1. run "mokutil --set-verbosity true" from the Linux command line (as
> >     root)
> > 2. put the fbx64.efi file in place again (grub-install should do that)
> > 3. reboot and try to capture any output
>
> Done.
> First screen with blue frame saying "Secure boot not enabled - OK"
> After a long list of scrolled "mok.c:" lines ending with "returning 
> Success", the last lines before it stops are (partial, copied by hand) :
>
> shim.c:1727:shim_init() UEFI SHIM
> $Version: 15.4 $
> $BuildMachine: buildhost $
> $Commit: XXXX $
> shim.c:898:load_image() attempting to load \EFI\Boot\fbx64.efi
> pe.c:574:generate_hash() sha1 authenticode hash:
> pe.c:575:generate_hash() (2 lines of XX and hex codes)
> pe.c:576:generate_hash() sha256 authenticode hash:
> pe.c:577:generate_hash() (2 more lines of hex codes)
> pe.c:1057:handle_image() sbat section base:0xB9DED000 size:0xC6

More information :

The firmware has two UEFI boot modes : Hybrid (with CSM) and Native 
(without CSM). In hybrid mode, secure boot is disabled. In native mode, 
secure boot can be enabled or disabled.

Until now I always used hybrid mode which allows either EFI and legacy 
BIOS boot. I discovered that the issue happens only in hybrid mode, not 
in native mode. In native mode with secure boot disabled, here are the 
next lines displayed after the above lines :

shim.c:1926:efi_main() vendor_authorized:0xB9BA6010 
vendor_authorized_size:930
shim.c:1928:efi_main() vendor_deauthorized:0xB9BA63B2 
vendor_deauthorized_size:8664
sbat.c:346:set_sbat_uefi_variable() SbatLevel variable is 18 bytes, 
attributes are 0x00000003

Then the blue frame "Secure boot not enabled" is displayed again 
(supposedly when \EFI\debian\shimx64.efi is executed).

With secure mode enabled the frame is not displayed so it does not pause 
and allow me to see anything until GRUB menu is displayed.

FWIW, the latest shim-helpers-amd64-signed 1+15.4+6~deb10u1 from 
buster-proposed-updates did not fix the issue.