[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fresh-installed Debian 10 (UEFI, LUKS&LVM) not accessible through Secure Boot

Hi,

Thank you Didier&Pascal for your answers.

2 janv. 2020 à 11:35 de didier.gaumet@gmail.com:

> It does not seem normal to me and possible causes could be (in no particular order):
> - a bug in Debian (and particularly if you installed from a Debian live image?).
>
I've used https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-10.2.0-amd64-netinst.iso

> - an installation that went wrong for some reason (it would then probably profitable to verify if the shim* packages are installed and properly configured)
>
/boot/efi/EFI/debian/shimx64.efi exists (-rwx------ 1 root root 1322936 déc.  31 14:08 shimx64.efi).

# mokutil -l
MokListRT is empty

# mokutil -N
MokNew is empty

# mokutil --pk
1 key:
Subject: C=JP, ST=Kanagawa, L=Yokohama, O=Lenovo Ltd., CN=Lenovo Ltd. PK CA 2012

# mokutil --kek
2 keys:
Subject: C=JP, ST=Kanagawa, L=Yokohama, O=Lenovo Ltd., CN=Lenovo Ltd. KEK CA 201
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011

# mokutil --db
4 keys:
Subject: C=JP, ST=Kanagawa, L=Yokohama, O=Lenovo Ltd., CN=ThinkPad Product CA 2012
Subject: C=US, ST=North Carolina, O=Lenovo, CN=Lenovo UEFI CA 2014
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011

# mokutil --dbx
1 key

What kind of verifications do you suggest?

> - a feature or a bug in the Lenovo implementation of your UEFI that prevents from booting particurlarly Debian or generally any other OS than Windows. I would try, if possible,  different setups of the UEFI to see if there is an improvement
>
UEFI booting on Debian works without Secure Boot.
Here is my configuration:

efibootmgr -vBootCurrent: 0001Timeout: 0 secondsBootOrder: 0001,001D,001E,001C,001F,0020,0024,0021,001B,0023,0022,0012,0011Boot0001* Debian stable	HD(1,GPT,8fef416a-08fc-4072-b8df-8f49e1756498,0x8a800,0xee800)/File(\EFI\debian\grubx64.efi)Boot0010  ThinkShield secure wipe	FvFile(3593a0d5-bd52-43a0-808e-cbff5ece2477)Boot0011* LENOVO CLOUD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,ad38ccbbf7edf04d959cf42aa74d3650)/Uri(https://download.lenovo.com/pccbbs/cdeploy/efi/boot.efi)Boot0012* HTTPS BOOT	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,ad38ccbbf7edf04d959cf42aa74d3650)/Uri()Boot0013  Setup	FvFile(721c8b66-426c-4e86-8e99-3457c46ab0b9)Boot0014  Boot Menu	FvFile(126a762d-5758-4fca-8531-201a7f57f850)Boot0015  Diagnostic Splash Screen	FvFile(a7d8d9a6-6ab0-4aeb-ad9d-163e59a7a380)Boot0016  Lenovo Diagnostics	FvFile(3f7e615b-0d45-4f80-88dc-26b234958560)Boot0017  Regulatory Information	FvFile(478c92a0-2622-42b7-a65d-5894169e4d24)Boot0018  Startup Interrupt Menu	FvFile(f46ee6f4-4785-43a3-923d-7f786c3c8479)Boot0019  Rescue and Recovery	FvFile(665d3f60-ad3e-4cad-8e26-db46eee9f1b5)Boot001A  MEBx Hot Key	FvFile(ac6fd56a-3d41-4efd-a1b9-870293811a28)Boot001B* USB CD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,86701296aa5a7848b66cd49dd3ba6a55)Boot001C* USB FDD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,6ff015a28830b543a8b8641009461e49)Boot001D* NVMe0	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,001c199932d94c4eae9aa0b6e98eb8a400)Boot001E* NVMe1	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,001c199932d94c4eae9aa0b6e98eb8a401)Boot001F* ATA HDD0	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,91af625956449f41a7b91f4f892ab0f602)Boot0020* ATA HDD1	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,91af625956449f41a7b91f4f892ab0f601)Boot0021* USB HDD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,33e821aaaf33bc4789bd419f88c50803)Boot0022* PXE BOOT	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,78a84aaf2b2afc4ea79cf5cc8f3d3803)Boot0023* Other CD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,aea2090adfde214e8b3a5e471856a35406)Boot0024* Other HDD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,91af625956449f41a7b91f4f892ab0f606)Boot0025* IDER BOOT CDROM	PciRoot(0x0)/Pci(0x14,0x0)/USB(11,1)Boot0026* IDER BOOT Floppy	PciRoot(0x0)/Pci(0x14,0x0)/USB(11,0)Boot0027* ATA HDD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,91af625956449f41a7b91f4f892ab0f6)Boot0028* ATAPI CD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,aea2090adfde214e8b3a5e471856a354)

ls -lR /boot/efi/EFI
/boot/efi/EFI:
total 4
drwx------ 2 root root 4096 déc.  31 14:08 debian

/boot/efi/EFI/debian:
total 5208
-rwx------ 1 root root     108 déc.  31 14:08 BOOTX64.CSV
-rwx------ 1 root root 1206824 déc.  31 14:08 fbx64.efi
-rwx------ 1 root root     112 déc.  31 14:08 grub.cfg
-rwx------ 1 root root 1529200 déc.  31 14:08 grubx64.efi
-rwx------ 1 root root 1261192 déc.  31 14:08 mmx64.efi
-rwx------ 1 root root 1322936 déc.  31 14:08 shimx64.efi

1 janv. 2020 à 18:13 de pascal@plouf.fr.eu.org:

> Secure boot does not prevent booting when an unsigned kernel module is present, it would only prevent loading such module.
>
So why can't I boot at all? This is not just about some components or drivers here, I can't boot anything...
Are there some UEFI logs somewhere? It could help to grab some more details...

Best regards,
l0f4r0
Reply to: