fedora-silverblue / issue-tracker

Fedora Silverblue issue tracker
https://fedoraproject.org/atomic-desktops/silverblue/

Properly re-enable Secure Boot on Silverblue 36 (or 37) after updating dbx from 77 -> 217 #375

Closed jmaibaum closed 1 year ago

jmaibaum commented 2 years ago

Describe the bug: On a Dell XPS 13 9360, running Silverblue 36:

  1. Because the Secure Boot dbx 77 -> 217 update failed with "Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/EFI/fedora/shimx64-fedora.efi Authenticode checksum [0ce02100f67c7ef85f4eed368f02bf7092380a3c23ca91fd7f19430d94b00c19] is present in dbx", I first tried https://github.com/fedora-silverblue/issue-tracker/issues/120#issuecomment-1177515110
  2. This led to "Verification failed: (0x1A) Security Violation" during Secure Boot verification, so I had to disable Secure Boot.
  3. Afterwards, moving the offending /boot/efi/EFI/fedora/shimx64-fedora.efi away from /boot allowed fwupdmgr update to apply the dbx update, but I still can't re-enable Secure Boot ("Verification failed: (0x1A) Security Violation" reappears).

It seems that I haven't found a proper way to repair the EFI partition I messed up in step 1 above for Secure Boot to work correctly again.

To Reproduce: I guess you need a Dell XPS 13 9630 with Secure Boot dbx on v77, and then try to update from a Fedora Silverblue 36 instance, following the steps above to end up where I am now. Likely not very easy, but maybe someone knows a way to fix this?

Expected behavior: I expect to be able to re-enable Secure Boot successfully, i.e. without running into "Verification failed: (0x1A) Security Violation".

OS version:

$ rpm-ostree status -b
State: idle
BootedDeployment:
● fedora:fedora/36/x86_64/silverblue
                  Version: 36.20221030.0 (2022-10-30T20:23:04Z)
               BaseCommit: e44ce7c32fb5ecccd3c6d89f89fee4a97e4c67bd0aa285cf9c4a4482a89487b4
             GPGSignature: Valid signature by 53DED2CB922D8B8D9E63FD18999F7CBF38AB71F4
          LayeredPackages: flatpak-builder gnome-info-collect gstreamer1-plugin-openh264
                           openssl simple-scan

Additional context: See comments following https://github.com/fedora-silverblue/issue-tracker/issues/120#issuecomment-1296783211
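
The dbx update in the report above was refused because the Authenticode checksum of a binary on the ESP is present in dbx. The following Python sketch is an added example, not code from this issue or from fwupd: it computes that checksum for PE images and lists those that appear in a revocation set. The function names, the `load_esp` helper, the caller-supplied `dbx_hashes` set and the constructed `sample_pe` input are assumptions made for illustration.

```python
import hashlib
import struct
from pathlib import Path

def authenticode_sha256(pe: bytes) -> str:
    """Authenticode SHA-256 of a PE image, skipping the fields a signature changes.
    Simplification (assumption): sections are contiguous and the certificate
    table, if present, is the last thing in the file."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24                              # start of the optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    checksum = opt + 64                            # CheckSum field (4 bytes)
    certdir = opt + (112 if magic == 0x20B else 96) + 4 * 8  # data directory 4
    cert_off, cert_size = struct.unpack_from("<II", pe, certdir)
    end = cert_off if cert_size else len(pe)       # stop before embedded signatures
    digest = hashlib.sha256()
    for chunk in (pe[:checksum], pe[checksum + 4:certdir], pe[certdir + 8:end]):
        digest.update(chunk)
    return digest.hexdigest()

def revoked_images(images: dict, dbx_hashes: set) -> list:
    """Names of images whose Authenticode hash appears in the revocation set."""
    return sorted(name for name, data in images.items()
                  if authenticode_sha256(data) in dbx_hashes)

def load_esp(directory: str) -> dict:
    """Read every .efi/.EFI file below an ESP directory (hypothetical helper)."""
    return {str(p): p.read_bytes() for p in Path(directory).rglob("*")
            if p.is_file() and p.suffix.lower() == ".efi"}

def sample_pe(body: bytes) -> bytearray:
    """Constructed PE32+ header skeleton plus body; demo input, not bootable."""
    img = bytearray(64 + 24 + 240)                 # DOS stub, COFF, optional header
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 64)          # e_lfanew -> PE header at 64
    img[64:68] = b"PE\0\0"
    struct.pack_into("<H", img, 64 + 24, 0x20B)    # PE32+ magic
    return img + body

if __name__ == "__main__":
    old, new = sample_pe(b"old shim"), sample_pe(b"new shim")
    dbx = {authenticode_sha256(old)}               # constructed revocation list
    print(revoked_images({"shimx64-fedora.efi": old, "shimx64.efi": new}, dbx))
```

On a real system the input would be `load_esp("/boot/efi/EFI")`, read as root, with `dbx_hashes` taken from whatever lowercase hex SHA-256 list of revoked images is available.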

jmaibaum commented 1 year ago

I have rebased to Fedora Silverblue 37, and I tried https://github.com/fedora-silverblue/issue-tracker/issues/120#issuecomment-1177515110 again like this today:

sudo rpm-ostree usroverlay 
wget https://kojipkgs.fedoraproject.org//packages/shim/15.6/2/x86_64/shim-x64-15.6-2.x86_64.rpm
sudo rpm -i --reinstall shim-x64-15.6-2.x86_64.rpm

But I still get a security violation when I try to re-enable Secure Boot. This is on:

State: idle
BootedDeployment:
● fedora:fedora/37/x86_64/silverblue
                  Version: 37.20221121.0 (2022-11-21T00:40:40Z)
               BaseCommit: 49aa5ac9fcd95fff3b4f5becbd39d5a936228404e4689868f64c8cfb3596f95b
             GPGSignature: Valid signature by ACB5EE4E831C74BB7C168D27F55AD3FB5323552A
          LayeredPackages: flatpak-builder gnome-info-collect gstreamer1-plugin-openh264 openssl
                           simple-scan

jmaibaum commented 1 year ago

This is the fedora directory in the EFS:

# ls -lah /boot/efi/EFI/fedora/
total 5.2M
drwx------. 4 root root 4.0K Nov 21 20:46 .
drwx------. 5 root root 4.0K Nov 21 20:42 ..
-rwx------. 1 root root  110 Jul  7 21:36 BOOTX64.CSV
drwx------. 2 root root 4.0K Aug 18 20:41 fonts
drwx------. 2 root root 4.0K Aug 18 20:41 fw
-rwx------. 1 root root  61K Aug 18 20:41 fwupdx64.efi
-rwx------. 1 root root 8.1K Nov 21 20:32 grub.cfg
-rwx------. 1 root root 8.1K Nov 20 20:12 grub.cfg.old
-rwx------. 1 root root 1.0K Nov 21 20:46 grubenv
-rwx------. 1 root root 1.0K Aug 18 20:41 grubenvSQmLMu
-rwx------. 1 root root 2.4M Aug 18 20:41 grubx64.efi
-rwx------. 1 root root 838K Jul  7 21:36 mmx64.efi
-rwx------. 1 root root 925K Jul  7 21:36 shim.efi
-rwx------. 1 root root 925K Jul  7 21:36 shimx64.efi

And this is BOOT:

# ls -lah /boot/efi/EFI/BOOT
total 1.1M
drwx------. 2 root root 4.0K Nov 21 20:35 .
drwx------. 5 root root 4.0K Nov 21 20:42 ..
-rwx------. 1 root root 925K Jul  7 21:36 BOOTX64.EFI
-rwx------. 1 root root  89K Jul  7 21:36 fbx64.efi

travier commented 1 year ago

Closing as a duplicate of https://github.com/fedora-silverblue/issue-tracker/issues/355