Public bug reported: [see debian bug #860716 as well]
I test shim-signed with qemu in a secure boot environment. Here are the steps to reproduce the problem:

1) install shim, shim-signed, qemu and ovmf packages

2) get EnrollDefaultKeys.efi from
   https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Workstation/x86_64/os/Packages/e/edk2-ovmf-20170209git296153c5-3.fc27.noarch.rpm

3) create an efi_test directory with shim binaries, grub and EnrollDefaultKeys.efi files

   mkdir efi_test
   cp /usr/lib/shim/{shimx64,mmx64,fbx64}.efi.signed efi_test/
   rename 's/[.]signed$//' efi_test/*
   cp /boot/efi/EFI/debian/grubx64.efi efi_test/   [this step is significant]
   cp EnrollDefaultKeys.efi efi_test/              [see step (2)]

4) so we have in efi_test/

   LANG=C ls -la efi_test/
   drwxr-xr-x 2 kl kl    4096 Apr 19 12:10 .
   drwxr-xr-x 5 kl kl    4096 Apr 19 11:52 ..
   -rw-r--r-- 1 kl kl   20032 Apr 19 11:55 EnrollDefaultKeys.efi
   -rw-r--r-- 1 kl kl   72144 Apr 19 11:52 fbx64.efi
   -rwxr-xr-x 1 kl kl  121856 Apr 19 12:10 grubx64.efi
   -rw-r--r-- 1 kl kl 1168464 Apr 19 12:05 mmx64.efi
   -rw-r--r-- 1 kl kl 1169528 Apr 19 11:52 shimx64.efi

5) run qemu with ovmf firmware

   qemu-system-x86_64 -m 1024 -enable-kvm -machine q35,smm=on,accel=kvm \
       -bios /usr/share/ovmf/OVMF.fd \
       -drive media=disk,file=fat:rw:efi_test

6) import microsoft keys and enable secure boot (from EFI shell)

   Shell> fs0:
   FS0:\> EnrollDefaultKeys.efi
   info: SetupMode=1 SecureBoot=0 SecureBootEnabled=0 CustomMode=0 VendorKeys=1
   info: SetupMode=0 SecureBoot=1 SecureBootEnabled=1 CustomMode=0 VendorKeys=0
   info: success

7) reboot virtual machine (from EFI shell)

   FS0:\> reset

8) run shim (from EFI shell)

   Shell> fs0:
   FS0:\> shimx64.efi

9) expected result: MokManager (mmx64.efi) will be started

10) actual result:

   Verification failed: (15) Access Denied
   Failed to load image: Access Denied
   start_image() returned Access Denied
   start_image() returned Access Denied

   and we are back in the EFI shell. Thus it's not possible to install user keys or add a user loader to the trusted binary database.
------------------------------------------------------

The following upstream patch will resolve the problem:
https://github.com/rhinstaller/shim/commit/9f2c83e60e0758c3db387eebaed3f306ad6214a8

** Affects: shim (Ubuntu)
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/1692373
Title: shim fails to load MokManager (mmx64.efi) in the case of unsigned grub

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
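Step (3) above is significant because the grubx64.efi copied from /boot/efi carries no Authenticode signature, which is what makes shim refuse it. Before booting a test image it helps to know which of the binaries in efi_test/ carry a signature blob at all. The following checker is an added example for this report; it is not part of shim, the bug reporter's steps, or any Ubuntu package. It walks the PE/COFF headers of each *.efi file and reads the Certificate Table entry of the data directory (index 4, whose first field is a raw file offset rather than an RVA). The `build_sample_pe` helper constructs minimal PE32+ images purely so the checker can be exercised offline; its certificate payload is a placeholder, not a real PKCS#7 signature.

```python
"""Report whether PE/COFF images such as shimx64.efi or grubx64.efi carry an
Authenticode signature, by reading the Certificate Table data directory.
Added example for this bug report; not code from shim or the reporter."""
import struct
import sys
from pathlib import Path

IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # data directory index of the Certificate Table
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # WIN_CERTIFICATE.wCertificateType for Authenticode


def authenticode_status(image: bytes) -> dict:
    """Parse the DOS/COFF/optional headers and locate the signature blob, if any."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]           # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    machine, _nsec, _ts, _symp, _nsym, _opt_size, _chars = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == PE32PLUS_MAGIC:
        dirs_off, nrva_off = opt + 112, opt + 108
    elif magic == PE32_MAGIC:
        dirs_off, nrva_off = opt + 96, opt + 92
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", image, nrva_off)[0]
    result = {"machine": machine, "pe32plus": magic == PE32PLUS_MAGIC, "signed": False, "cert_type": None}
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return result                                           # no security directory at all
    # For the security directory the first field is a file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", image, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if cert_off == 0 or cert_size == 0:
        return result                                           # unsigned image
    if cert_size < 8 or cert_off + cert_size > len(image):
        raise ValueError("certificate table points outside the image")
    dw_len, _rev, cert_type = struct.unpack_from("<IHH", image, cert_off)   # WIN_CERTIFICATE header
    result.update(signed=(cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and dw_len <= cert_size),
                  cert_type=cert_type, cert_offset=cert_off, cert_size=cert_size)
    return result


def build_sample_pe(signed: bool) -> bytes:
    """Construct a minimal PE32+ image (no sections) for demonstration only.
    The appended certificate payload is a placeholder, not a real signature."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    opt_size = 240                                              # PE32+ optional header, 16 directories
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x2022)   # IMAGE_FILE_MACHINE_AMD64
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    image = bytearray(dos + b"PE\0\0" + coff + opt)
    if signed:
        blob = b"\x30\x82\x00\x10" + b"\0" * 16                  # placeholder DER bytes
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        dirs = pe_off + 4 + 20 + 112
        struct.pack_into("<II", image, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, len(image), len(cert))
        image += cert
    return bytes(image)


def scan_directory(directory: str) -> dict:
    """Map each *.efi file in a directory (e.g. efi_test/) to True if it carries a signature blob."""
    return {p.name: authenticode_status(p.read_bytes())["signed"]
            for p in sorted(Path(directory).glob("*.efi"))}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "efi_test"
    for name, ok in scan_directory(target).items():
        print(f"{name:24s} {'signed' if ok else 'UNSIGNED'}")
```

Run it as `python3 check_signed.py efi_test` after step (3); in the reporter's setup it would flag grubx64.efi as UNSIGNED while the three shim binaries carry a signature. Note the limit of the check: it only says whether a WIN_CERTIFICATE of type PKCS_SIGNED_DATA is present, not whether that signature chains to a key in db or MokList, so a "signed" result still does not guarantee shim will accept the image.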