search

lcp / mokutil

The utility to manipulate machine owner keys
GNU General Public License v3.0
60 stars 37 forks source link

Debug "Failed to set SHIM_VERBOSE" #70

Closed ChristopherRabotin closed 10 months ago

ChristopherRabotin commented 11 months ago

Hi there,

I have an issue I have no idea where to start debugging, and I was hoping you had some hints.

When I try to install the G05 Nvidia drivers on OpenSuse Tumbleweed, trying to enroll the keys causes an error on boot and the computer restarts. The only way to "fix" this is by rolling back to a previously working snapshot. That isn't the point of my question:

If I try to enroll the keys as root, I get the following errors:

localhost:/home/cbr # mokutil --import /var/lib/nvidia-pubkeys/MOK-nvidia-gfxG05-470.199.02-54.8-default.der --root-pw 
Failed to enroll new keys
localhost:/home/cbr # mokutil --set-verbosity true
Failed to set SHIM_VERBOSE

Searching for the "shim verbose" error led me to these specific lines: https://github.com/lcp/mokutil/blob/master/src/mokutil.c#L1699-L1701 .

What would be some typical reasons for setting the verbosity to fail ?

Thanks

ChristopherRabotin commented 11 months ago

I think I have a similar issue to #45 . It's a Dell/Alienware desktop from 2018 and had the nvidia drivers some time in the past.

From what I understand, the Secure Boot seems to be set correctly:

# hexdump -C /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c 
00000000  06 00 00 00 01                                    |.....|
00000005
# hexdump -C /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c 
00000000  06 00 00 00 00                                    |.....|
00000005
# mokutil --sb-state 
SecureBoot enabled

Some of the commands work:

# mokutil --list-enrolled 
[key 1]
SHA1 Fingerprint: 46:59:83:8c:82:03:fe:15:52:ad:19:e1:86:09:db:21:7e:3a:d2:4f
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=openSUSE Secure Boot CA, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build@opensuse.org
        Validity
            Not Before: Aug 26 16:12:07 2013 GMT
            Not After : Jul 22 16:12:07 2035 GMT
        Subject: CN=openSUSE Secure Boot CA, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build@opensuse.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:de:df:61:92:7a:a4:fe:83:d1:7d:3b:68:0e:b1:
                    a7:f0:4e:92:93:fc:47:3e:70:2d:4e:88:dc:9a:9e:
                    fa:33:b4:a6:db:0e:23:c1:0d:a8:c1:d5:65:04:84:
                    04:ff:3a:48:18:4f:39:32:e4:ca:4e:f9:04:9e:9f:
                    0f:cd:20:5d:61:ab:a7:00:d8:a5:ff:2b:7f:be:e8:
                    47:c3:2f:5b:02:c8:bb:de:8e:1a:e9:46:d3:86:ef:
                    ff:88:99:90:eb:10:89:b8:8b:3f:3e:a8:07:c6:55:
                    7a:6e:d3:5f:fc:83:3c:3d:16:ed:26:c5:13:73:92:
                    b1:70:1e:22:95:c8:00:6c:25:76:46:f1:a2:d9:d0:
                    b0:98:68:0f:a7:2d:b1:0d:67:89:ca:94:4a:ea:12:
                    c5:91:55:76:7f:6c:7a:2e:f9:18:89:9f:f8:f4:24:
                    43:d5:35:6a:cb:00:0e:2e:ed:4b:e2:5d:09:d8:1b:
                    97:70:99:9e:5a:6f:a6:81:a8:9d:a9:58:76:7d:69:
                    71:82:d3:ba:3a:96:43:9b:f0:da:15:c6:4e:e9:c8:
                    15:b9:e9:cb:c7:e4:71:ce:ea:10:1b:6b:c4:2a:70:
                    01:a9:52:b4:17:de:00:52:cf:7d:e4:fd:0f:4d:03:
                    18:b2:90:28:d4:6f:c4:ae:56:bc:36:60:49:46:8b:
                    6b:0b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                68:42:60:0D:E2:2C:4C:47:7E:95:BE:23:DF:EA:95:13:E5:97:17:62
            X509v3 Authority Key Identifier: 
                keyid:68:42:60:0D:E2:2C:4C:47:7E:95:BE:23:DF:EA:95:13:E5:97:17:62
                DirName:/CN=openSUSE Secure Boot CA/C=DE/L=Nuremberg/O=openSUSE Project/emailAddress=build@opensuse.org
                serial:01
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        8a:a3:89:c2:8e:d9:f9:82:0b:f3:33:ce:e9:19:17:17:a3:65:
        80:cd:33:ae:06:51:56:29:b6:38:87:7b:f4:9d:fc:28:8e:aa:
        e0:53:12:0e:3a:60:c7:06:d8:3a:61:76:3b:77:08:f4:94:a4:
        8c:7c:47:3a:99:d8:84:9b:17:cc:20:62:2e:e2:76:e4:c6:36:
        0d:26:e9:2e:53:35:0a:fb:3a:35:93:45:c3:93:82:c1:0b:f3:
        08:e9:57:1f:59:37:a9:d0:6c:69:fb:68:ea:7f:3b:af:d3:f7:
        59:27:8e:d4:c7:96:73:f4:0c:0a:f7:3e:e4:af:6c:8c:c7:7a:
        6f:09:79:f4:41:1f:e3:6f:11:fb:3e:6c:b1:a0:7b:e4:92:b7:
        ca:f9:32:f5:de:c3:b0:73:7d:e3:b3:82:5d:cd:ec:61:dc:fe:
        0c:3e:c6:b5:e7:6c:2d:5d:92:73:ff:ed:aa:6a:a9:9b:66:9e:
        5e:3a:6d:70:b0:31:c0:ce:df:2f:21:10:68:0c:87:f3:77:a0:
        33:31:0a:0f:15:f6:ee:32:88:c5:9a:53:71:cd:0d:1a:a1:28:
        89:d0:bf:f6:56:ac:4b:3b:36:06:2b:01:c5:eb:e5:dc:72:83:
        3d:94:ac:28:83:13:fb:c1:5d:27:9c:13:f6:32:5f:f6:1f:4a:
        b7:3e:53:8a

But others won't do anything:

# mokutil --trust-mok 
password length: 8~16
input password: 
input password again: 
Failed to request new MokListTrustedNew state

Is there a way to add and sign a dummy kernel module that emulates the nvidia driver signing?

ChristopherRabotin commented 11 months ago

When I install the nvidia G05 driver (using zypper), the modinfo shows that the driver is signed:

# modinfo nvidia
filename:       /usr/lib/modules/6.4.11-1-default/updates/nvidia.ko
firmware:       nvidia/470.199.02/gsp.bin
alias:          char-major-195-*
version:        470.199.02
supported:      external
license:        NVIDIA
suserelease:    openSUSE Tumbleweed
srcversion:     9BCF341865EFC344FAC8991
alias:          pci:v000010DEd*sv*sd*bc03sc02i00*
alias:          pci:v000010DEd*sv*sd*bc03sc00i00*
depends:        
retpoline:      Y
name:           nvidia
vermagic:       6.4.11-1-default SMP preempt mod_unload modversions 
sig_id:         PKCS#7
signer:         Local build for nvidia-gfxG05 470.199.02 on 2023-08-27
sig_key:        27:8E:60:D2:76:AA:A7:0F:6C:C7:87:15:E6:7F:24:41:6B:9D:1D:26
sig_hashalgo:   sha256
signature:      66:2F:78:C4:9F:78:1D:98:C5:7B:2D:53:03:39:B8:98:DC:49:30:B4:
        EE:84:2A:D7:0C:06:BD:4B:EC:E0:80:45:D7:35:2A:CE:1B:98:DB:B4:
        F6:7B:E5:76:EC:B9:62:A8:C8:D9:1A:4F:62:E7:C5:C8:1C:E9:8E:64:
        4F:54:BB:AB:4E:7D:D2:46:07:45:A8:E6:57:3C:22:53:DE:F9:75:FE:
        FB:9A:36:24:03:5A:F6:ED:71:56:9A:86:50:97:C9:8D:C7:61:49:6A:
        29:47:36:5E:73:FA:82:BE:E4:47:6A:D1:35:7E:D0:79:19:FB:D6:49:
        42:64:1D:DF:78:91:6C:54:6C:7E:84:50:FE:05:CE:C2:9D:72:4F:2C:
        CE:8F:72:01:9D:4B:0C:D3:B0:0B:89:AD:D5:95:03:85:8A:1E:1E:A6:
        72:73:3C:1C:22:24:0D:0D:A0:5B:88:D8:0E:D2:D6:B6:86:69:B5:7B:
        E0:1C:B6:33:7E:A2:43:56:E8:9B:67:7E:17:E5:33:71:DA:07:0F:43:
        F3:00:61:85:47:84:35:67:10:0D:78:34:81:0A:69:A8:C9:07:C1:ED:
        01:9A:7E:93:3C:F5:8D:92:AC:8A:8F:4A:44:41:B8:DB:72:9C:5A:C7:
        F0:92:C6:48:3E:36:9F:72:8A:A8:9C:3F:8F:77:90:91
parm:           NvSwitchRegDwords:NvSwitch regkey (charp)
parm:           NvSwitchBlacklist:NvSwitchBlacklist=uuid[,uuid...] (charp)
parm:           NVreg_ResmanDebugLevel:int
parm:           NVreg_RmLogonRC:int
parm:           NVreg_ModifyDeviceFiles:int
parm:           NVreg_DeviceFileUID:int
parm:           NVreg_DeviceFileGID:int
parm:           NVreg_DeviceFileMode:int
parm:           NVreg_InitializeSystemMemoryAllocations:int
parm:           NVreg_UsePageAttributeTable:int
parm:           NVreg_RegisterForACPIEvents:int
parm:           NVreg_EnablePCIeGen3:int
parm:           NVreg_EnableMSI:int
parm:           NVreg_TCEBypassMode:int
parm:           NVreg_EnableStreamMemOPs:int
parm:           NVreg_RestrictProfilingToAdminUsers:int
parm:           NVreg_PreserveVideoMemoryAllocations:int
parm:           NVreg_EnableS0ixPowerManagement:int
parm:           NVreg_S0ixPowerManagementVideoMemoryThreshold:int
parm:           NVreg_DynamicPowerManagement:int
parm:           NVreg_DynamicPowerManagementVideoMemoryThreshold:int
parm:           NVreg_EnableGpuFirmware:int
parm:           NVreg_EnableUserNUMAManagement:int
parm:           NVreg_MemoryPoolSize:int
parm:           NVreg_KMallocHeapMaxSize:int
parm:           NVreg_VMallocHeapMaxSize:int
parm:           NVreg_IgnoreMMIOCheck:int
parm:           NVreg_NvLinkDisable:int
parm:           NVreg_EnablePCIERelaxedOrderingMode:int
parm:           NVreg_RegisterPCIDriver:int
parm:           NVreg_RegistryDwords:charp
parm:           NVreg_RegistryDwordsPerDevice:charp
parm:           NVreg_RmMsg:charp
parm:           NVreg_GpuBlacklist:charp
parm:           NVreg_TemporaryFilePath:charp
parm:           NVreg_ExcludedGpus:charp
parm:           rm_firmware_active:charp

However mokutil --list-new returns an empty list.

And if I try to import it, it just fails without any info in dmesg or journalctl:

# mokutil --import /var/lib/nvidia-pubkeys/MOK-nvidia-gfxG05-470.199.02-54.8-default.der --root-pw 
Failed to enroll new keys
lcp commented 11 months ago

It seems to me that the firmware rejected to create any non-volatile MOK variable :-\

ChristopherRabotin commented 11 months ago

Hmm, I see. It used to work several months ago... Is the firmware locked or something? Is there a workaround?

On Tue, Aug 29, 2023, 01:46 Gary Ching-Pang Lin @.***> wrote:

It seems to me that the firmware rejected to create any non-volatile MOK variable :-\

— Reply to this email directly, view it on GitHub https://github.com/lcp/mokutil/issues/70#issuecomment-1696939638, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABEZV2GN2PKCBRAZZACF26DXXWM5RANCNFSM6AAAAAA4ABFEXA . You are receiving this because you authored the thread.Message ID: @.***>

ChristopherRabotin commented 11 months ago

Here is the output of strace -f -o mokutil.strace mokutil --root-pw --import mok.der

mokutil.strace.txt

I was suggested to run this command for further debugging on this thread on OpenSuse forums.

ChristopherRabotin commented 11 months ago

I was recommended to run efivar -l which shows a lot of suspicious variables. Should I try to delete those?

8be4df61-93ca-11d2-aa0d-00e098032b8c-OsIndications
605dab50-e046-4300-abb6-3dd810dd8b23-FB_NO_REBOOT
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P2F
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P2E
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P2D
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P2C
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P2B
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P2A
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P29
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P28
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P27
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P26
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P25
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P24
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P23
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P22
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P21
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P20
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P1F
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P1E
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P1D
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P1C
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P1B
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P1A
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P19
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P18
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P17
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P16
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P15
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P14
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P13
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P12
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P11
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P10
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1PF
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1PE
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1PD
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1PC
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1PB
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1PA
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P9
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P8
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P7
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P6
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P5
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P4
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P3
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P2
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P1
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P0
8be4df61-93ca-11d2-aa0d-00e098032b8c-Boot0000
1358e20b-0e48-4f06-8ddd-8809b8a74d6c-DDIAG_BHISTORY
(...)
4599d26f-1a11-49b8-b91f-858745cff824-StdDefaults
cfc8fc79-be2e-4ddc-97f0-9f98bfe298a0-dump-type0-7-1-1643846333-C
cfc8fc79-be2e-4ddc-97f0-9f98bfe298a0-dump-type0-4-1-1643846333-C
cfc8fc79-be2e-4ddc-97f0-9f98bfe298a0-dump-type0-3-1-1643846333-C
cfc8fc79-be2e-4ddc-97f0-9f98bfe298a0-dump-type0-2-1-1643846333-C
cfc8fc79-be2e-4ddc-97f0-9f98bfe298a0-dump-type0-1-1-1643846333-C
(...)
lcp commented 11 months ago

So it sounds like the NVRAM is used up by those variables. Those 'dump-type0' seems to be created by systemd-pstore.service. Maybe you could further check the service and stop it from writing things into UEFI NVRAM.

ChristopherRabotin commented 10 months ago

The solution to this problem was to delete the dump-* files.