Re: Fresh-installed Debian 10 (UEFI, LUKS&LVM) not accessible through Secure Boot
On Friday 3 January 2020 at 17:10:04 UTC+1, l0f...@tuta.io wrote:
[...]
> I've used https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-10.2.0-amd64-netinst.iso
Good.
I would verify that the shim* packages are installed and properly configured (State/Error flags "ii" at the beginning of the lines):
didier@hp-notebook14:~$ sudo dpkg -l shim*
Souhait=inconnU/Installé/suppRimé/Purgé/H=à garder
| État=Non/Installé/fichier-Config/dépaqUeté/échec-conFig/H=semi-installé/W=attend-traitement-déclenchements
|/ Err?=(aucune)/besoin Réinstallation (État,Err: majuscule=mauvais)
||/ Nom Version Architecture Description
+++-=========================-============================-============-================================================================
un shim <aucune> <aucune> (aucune description n'est disponible)
ii shim-helpers-amd64-signed 1+15+1533136590.3beb971+7 amd64 boot loader to chain-load signed boot loaders (signed by Debian)
ii shim-signed:amd64 1.33+15+1533136590.3beb971-7 amd64 Secure Boot chain-loading bootloader (Microsoft-signed binary)
ii shim-signed-common 1.33+15+1533136590.3beb971-7 all Secure Boot chain-loading bootloader (common helper scripts)
ii shim-unsigned 15+1533136590.3beb971-7 amd64 boot loader to chain-load signed boot loaders under Secure Boot
Then I would verify that what I think is necessary is present: a third-party Microsoft tool (but perhaps I am wrong):
didier@hp-notebook14:~$ sudo mokutil --db | grep -i issuer
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
CA Issuers - URI:http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
CA Issuers - URI:http://www.microsoft.com/pki/certs/MicCorThiParMarRoo_2010-10-05.crt
Issuer: C=US, O=Hewlett-Packard Company, CN=Hewlett-Packard Printing Device Infrastructure CA
didier@hp-notebook14:~$ sudo mokutil --kek | grep -i issuer
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
CA Issuers - URI:http://www.microsoft.com/pki/certs/MicCorThiParMarRoo_2010-10-05.crt
Issuer: C=US, O=Hewlett-Packard Company, CN=Hewlett-Packard Printing Device Infrastructure CA
Here I reach the limits of my understanding of how SecureBoot and UEFI work, but on my laptop, the Microsoft Third Party thing seems to be enabled when enrolling something called "HP factory keys" or something of the same kind (I have forgotten the exact name) in the HP UEFI interface. But perhaps on your Lenovo you have to confirm at boot time (by entering a code prompted by the UEFI, for example) that you really want to enroll the keys that the shim is trying to install.
So I would try this:
sudo dpkg-reconfigure shim-helpers-amd64-signed shim-signed:amd64 shim-signed-common shim-unsigned
and then reboot and see if the UEFI asks me to confirm any change, and verify that SecureBoot is really on:
didier@hp-notebook14:~$ sudo mokutil --sb-state
SecureBoot disabled
(in my case that is voluntary!)
> efibootmgr [...]
I am persuaded that efibootmgr/efivar et al. may present perfect information but are sometimes superseded by the manufacturer's implementation of the UEFI standard.
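The three manual checks in the message above (dpkg state flags on shim*, the Microsoft third-party CA in db/KEK, and the SecureBoot state), as an added shell example that is not part of the original thread. It reads saved command output on stdin, or a file, so it runs offline; the sample dpkg and mokutil lines and the efivar file it builds are constructed for illustration, and decoding the efivarfs entry directly is an assumption about how mokutil --sb-state gets its answer (4 bytes of attributes followed by the one-byte variable data).

```shell
#!/bin/sh
# Added example, not code from the debian-user thread. Functions that
# automate the checks done by hand in the message, against saved output
# or the live system.

# Classify each shim* line of `dpkg -l` output read from stdin.
# dpkg's flag column: "ii" = installed and configured, "un" = known but
# not installed (e.g. the virtual "shim" package), and per dpkg's own
# legend an uppercase letter in State/Err signals trouble ("iU" unpacked
# only, "iF" half-configured, "iiR" reinstall required).
# Returns 1 if any shim* package is in a state other than "ii" or "un".
check_shim_status() {
    awk '
        # skip the legend lines, which start with "|", "||/" or "+++-"
        $1 !~ /^[|+]/ && $2 ~ /^shim/ {
            if ($1 == "ii")      print "ok:            " $2
            else if ($1 == "un") print "not installed: " $2
            else { print "ATTENTION:     " $2 " (flags " $1 ")"; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Look in a `mokutil --db` or `mokutil --kek` listing (stdin) for the
# issuer of the Microsoft UEFI CA that signs Debian's shim-signed.
# Without it in db, the firmware rejects shimx64.efi under Secure Boot.
has_third_party_ca() {
    grep -q 'CN=Microsoft Corporation Third Party Marketplace Root'
}

# Decode the SecureBoot EFI variable: the efivarfs file holds 4 bytes
# of attributes and then the data, a single byte (1 = on, 0 = off).
# Usage: secureboot_state [path]; default is the live efivarfs entry.
# Returns 0 when enabled, 1 when disabled, 2 when it cannot tell.
secureboot_state() {
    f="${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"
    if [ ! -r "$f" ]; then
        echo "SecureBoot unknown (cannot read $f; not booted via UEFI?)"
        return 2
    fi
    case "$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')" in
        1) echo "SecureBoot enabled";  return 0 ;;
        0) echo "SecureBoot disabled"; return 1 ;;
        *) echo "SecureBoot unknown (unexpected value)"; return 2 ;;
    esac
}

# --- demo on constructed sample data (not from a real host) ---
sample_dpkg='ii  shim-signed:amd64   1.0-1  amd64  Secure Boot chain-loading bootloader
un  shim                <none> <none> (no description available)
iU  shim-unsigned       1.0-1  amd64  boot loader to chain-load signed boot loaders'
sample_db='Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011'

printf '%s\n' "$sample_dpkg" | check_shim_status \
    || echo "=> at least one shim package needs dpkg-reconfigure / reinstall"
printf '%s\n' "$sample_db" | has_third_party_ca \
    && echo "=> Microsoft third-party CA present, shim-signed can be verified"

# A constructed efivar file: attributes 0x06 (little-endian) then data 0x01.
demo_var=$(mktemp)
printf '\006\000\000\000\001' > "$demo_var"
secureboot_state "$demo_var" || true
rm -f "$demo_var"
# On a real Debian host, run `secureboot_state` with no argument,
# `dpkg -l 'shim*' | check_shim_status` and `mokutil --db | has_third_party_ca`.
```

The awk filter keys on the package-name column, so it works on both the French legend shown in the message and the English one; the "un shim" line that appears in the message is reported as "not installed" rather than as an error, since it is only dpkg's placeholder for the virtual package.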