Bug 1049749

Summary: Secure Boot Violation on live media
Product: [Fedora] Fedora
Reporter: D.S. Ljungmark <spider>
Component: shim-signed
Assignee: Peter Jones <pjones>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 20
CC: alex.machina, awilliam, christophnoack.forum, dominik, fabian.arrotin, mjg59, pjones, spider
Hardware: x86_64
OS: Unspecified
Fixed In Version: shim-signed-0.7-2.fc20
Doc Type: Bug Fix
Clone Of:
: 1169363 (view as bug list) Environment:
Last Closed: 2014-07-22 03:31:43 UTC
Type: Bug
Attachments: Exported keys from machine (flags: none)

Description D.S. Ljungmark 2014-01-08 06:39:13 UTC
Created attachment 846966
Exported keys from machine

Description of problem:
I get:
"Secure Boot Violation:
Invalid signature detected. Check Secure Boot Policy in Setup"

Using Fedora-Live-Desktop-x86_64-20-1.iso

on a fresh (Winter 2014/Haswell) Dell XPS12 laptop with Secure Boot enabled

This is from booting, hitting F12 to select the UEFI method on the USB disk




I have tried:
using dd to write to disk
using:
livecd-iso-to-disk --reset-mbr --efi --format  


Attached are the exported variables from secure boot settings.

Comment 1 Adam Williamson 2014-01-08 06:53:50 UTC
assigning to shim-signed to get the right eyes on this...

Comment 2 D.S. Ljungmark 2014-01-08 06:57:40 UTC
Other things tested:

Ubuntu 13.10 x64 iso, Works!



( wipefs --all /dev/sde; dd if=/dev/zero of=/dev/sde bs=1M count=40; dd if=ubuntu.iso of=/dev/sde bs=512k )

Comment 3 Christoph Noack 2014-05-30 19:13:12 UTC
Same issue on a recently purchased XPS 15 (9530).

Secureboot causes "Secure Boot Violation":
* Fedora-20-x86_64-DVD.iso (download verified & burned to DVD)
* Fedora-20-x86_64-netinst.iso (download verified & burned to DVD)
* Fedora-Live-Desktop-x86_64-20-1.iso (download verified & burned to DVD; dd to USB stick; Fedora liveusb-creator via Windows)
* Fedora-Live-Desktop-x86_64-19-1.iso (download verified & burned to DVD)

I also rebuilt the first image with "fix-uefi-iso.sh" mentioned at #1043274.

Existence of correct certificates checked via "UEFI Secure Boot Checkup (Windows)" by Insyde Software Corp.

Booting works fine with "Ubuntu 14.04 LTS" (burned to DVD).

Please tell me if you need more details.

Comment 4 Peter Jones 2014-05-30 20:25:55 UTC
Can you try the image at http://pjones.fedorapeople.org/Fedora-Live-Desktop-remastered-x86_64-20-1.iso ?

Comment 5 Christoph Noack 2014-05-30 22:03:42 UTC
Thanks for the fast response! Tested the image (via burning to DVD), but error remains - unfortunately.

Comment 6 Peter Jones 2014-06-03 18:44:23 UTC
Apologies, that image wasn't as modified as it should have been.  I've replaced it at the same URL - can you check again?

Comment 7 Christoph Noack 2014-06-05 19:19:13 UTC
Hi Peter! Booting works like a charm - tested again via burning the image to DVD. But I only tested the booting of the Live distribution, since I already installed F20 on my laptop without Secure Boot (using my previous DVDs).

Personal issue: What needs to be done to update/modify my given installation to work with Secure Boot like the new installer image does? (I know, Bugzilla might be the wrong place for asking for help - alternatively, where can I ask?)

Again, thanks for taking care! :-)
Christoph

Comment 8 Peter Jones 2014-06-05 20:33:18 UTC
You need to make sure pesign is in your package set, and then do this in %post from kickstart (or just run it after installation from tty2):

chroot /mnt/sysimage
pesign -i /boot/efi/EFI/fedora/shim.efi -o /tmp/shim.efi -r -u 1
cp -f /tmp/shim.efi /boot/efi/EFI/fedora/shim.efi
cp -f /tmp/shim.efi /boot/efi/EFI/BOOT/BOOTX64.EFI

Note that this is strictly a workaround for a firmware bug.
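
Added example, not part of the comment above and not code from the pesign or shim projects: the workaround in comment 8 removes signature number 1 from shim.efi, and this sketch counts the signatures a PE binary carries by walking its attribute certificate table, so the result can be checked before and after. The helper names and the sample image built by `build_sample` are constructed for illustration.

```python
import struct

CERT_TABLE_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY in the PE data directory

def list_signatures(pe: bytes):
    """Return [(file_offset, dwLength, wRevision, wCertificateType), ...]."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = pe_off + 24  # skip "PE\0\0" and the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (112 if magic == 0x20B else 96)  # PE32+ vs PE32 layout
    (ndirs,) = struct.unpack_from("<I", pe, dirs - 4)
    if ndirs <= CERT_TABLE_INDEX:
        return []
    # Unlike other directories, this "address" is a file offset, not an RVA.
    start, size = struct.unpack_from("<II", pe, dirs + 8 * CERT_TABLE_INDEX)
    end = start + size
    if end > len(pe):
        raise ValueError("certificate table runs past end of file")
    entries, pos = [], start
    while pos + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE at offset %d" % pos)
        entries.append((pos, length, rev, ctype))
        pos += (length + 7) & ~7  # entries are padded to 8-byte boundaries
    return entries

def build_sample(n_sigs: int) -> bytes:
    """Constructed PE32+ skeleton with n_sigs dummy 12-byte certificate entries."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + b"\0" * 20
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    table_off = 0x40 + 24 + 112 + 16 * 8
    certs = b"".join(struct.pack("<IHH4s4x", 12, 0x0200, 0x0002, b"SIG%d" % i)
                     for i in range(n_sigs))
    dirs = b"".join(struct.pack("<II", *((table_off, len(certs)) if i == 4 else (0, 0)))
                    for i in range(16))
    return dos + coff + opt + dirs + certs

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. the shim.efi copies named in comment 8
        with open(path, "rb") as f:
            print(path, len(list_signatures(f.read())), "signature(s)")
```

Run as a script, it takes one or more file paths and prints the signature count for each.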

Comment 9 Fedora Update System 2014-07-18 14:39:29 UTC
shim-signed-0.7-2.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/shim-signed-0.7-2.fc20

Comment 10 Fedora Update System 2014-07-19 06:02:54 UTC
Package shim-signed-0.7-2.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing shim-signed-0.7-2.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-8513/shim-signed-0.7-2.fc20
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2014-07-22 03:31:43 UTC
shim-signed-0.7-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Alex Machina 2014-08-19 23:24:34 UTC
I have a Dell Inspiron 347 with Windows 8.1 pre-installed. It is set to UEFI with Secure Boot enabled.

Attempting to boot using FC20 XFCE Live CD or FC20 X86_64 DVD results in:

"Invalid Signature Detected. Check Secure Boot Policy in Setup".

Comment 11 states that fix has been pushed to Fedora 20 stable repository, so I expected this to work, since I downloaded the Fedora ISO after 2014-07-21.

Comment 13 Alex Machina 2014-08-19 23:26:14 UTC
(In reply to Alex Machina from comment #12)
> I have a Dell Inspiron 3647 with Windows 8.1 pre-installed. It is set to
> UEFI with Secure Boot enabled.
> 
> Attempting to boot using FC20 XFCE Live CD or FC20 X86_64 DVD results in:
> 
> "Invalid Signature Detected. Check Secure Boot Policy in Setup".
> 
> Comment 11 states that fix has been pushed to Fedora 20 stable repository,
> so I expected this to work, since I downloaded the Fedora ISO after
> 2014-07-21.