Bug 1049749
Summary: | Secure Boot Violation on live media
---|---
Product: | [Fedora] Fedora
Component: | shim-signed
Version: | 20
Hardware: | x86_64
OS: | Unspecified
Status: | CLOSED ERRATA
Severity: | high
Priority: | unspecified
Reporter: | D.S. Ljungmark <spider>
Assignee: | Peter Jones <pjones>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | alex.machina, awilliam, christophnoack.forum, dominik, fabian.arrotin, mjg59, pjones, spider
Fixed In Version: | shim-signed-0.7-2.fc20
Doc Type: | Bug Fix
: | 1169363
Last Closed: | 2014-07-22 03:31:43 UTC
Type: | Bug

assigning to shim-signed to get the right eyes on this...

Other things tested: Ubuntu 13.10 x64 iso, Works! ( wipefs --all /dev/sde; dd if=/dev/zero of=/dev/sde bs=1M count=40; dd if=ubuntu.iso of=/dev/sde bs=512k )

Same issue on a recently purchased XPS 15 (9530). Secureboot causes "Secure Boot Violation":
* Fedora-20-x86_64-DVD.iso (download verified & burned to DVD)
* Fedora-20-x86_64-netinst.iso (download verified & burned to DVD)
* Fedora-Live-Desktop-x86_64-20-1.iso (download verified & burned to DVD; dd to USB stick; Fedora liveusb-creator via Windows)
* Fedora-Live-Desktop-x86_64-19-1.iso (download verified & burned to DVD)

I also rebuilt the first image with "fix-uefi-iso.sh" mentioned at #1043274. Existence of correct certificates checked via "UEFI Secure Boot Checkup (Windows)" by Insyde Software Corp. Booting works fine with "Ubuntu 14.04 LTS" (burned to DVD). Please tell me if you need more details.

Can you try the image at http://pjones.fedorapeople.org/Fedora-Live-Desktop-remastered-x86_64-20-1.iso ?

Thanks for the fast response! Tested the image (via burning to DVD), but error remains - unfortunately.

Apologies, that image wasn't as modified as it should have been. I've replaced it at the same URL - can you check again?

Hi Peter! Booting works like a charm - tested again via burning the image to DVD. But I only tested the booting of the Live distribution, since I already installed F20 on my laptop without Secure Boot (using my previous DVDs).

Personal issue: What needs to be done to update/modify my given installation to work with Secure Boot like the new installer image does? (I know, Bugzilla might be the wrong place for asking for help - alternatively, where can I ask?)

Again, thanks for taking care! :-)
Christoph

You need to make sure pesign is in your package set, and then do this in %post from kickstart (or just run it after installation from tty2):

    chroot /mnt/sysimage
    pesign -i /boot/efi/EFI/fedora/shim.efi -o /tmp/shim.efi -r -u 1
    cp -f /tmp/shim.efi /boot/efi/EFI/fedora/shim.efi
    cp -f /tmp/shim.efi /boot/efi/EFI/BOOT/BOOTX64.EFI

Note that this is strictly a workaround for a firmware bug.

shim-signed-0.7-2.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/shim-signed-0.7-2.fc20

Package shim-signed-0.7-2.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing shim-signed-0.7-2.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-8513/shim-signed-0.7-2.fc20
then log in and leave karma (feedback).

shim-signed-0.7-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

I have a Dell Inspiron 347 with Windows 8.1 pre-installed. It is set to UEFI with Secure Boot enabled.

Attempting to boot using FC20 XFCE Live CD or FC20 X86_64 DVD results in:

"Invalid Signature Detected. Check Secure Boot Policy in Setup".

Comment 11 states that fix has been pushed to Fedora 20 stable repository, so I expected this to work, since I downloaded the Fedora ISO after 2014-07-21.

(In reply to Alex Machina from comment #12)
> I have a Dell Inspiron 3647 with Windows 8.1 pre-installed. It is set to
> UEFI with Secure Boot enabled.
>
> Attempting to boot using FC20 XFCE Live CD or FC20 X86_64 DVD results in:
>
> "Invalid Signature Detected. Check Secure Boot Policy in Setup".
>
> Comment 11 states that fix has been pushed to Fedora 20 stable repository,
> so I expected this to work, since I downloaded the Fedora ISO after
> 2014-07-21.

Created attachment 846966
Exported keys from machine

Description of problem:

I get: "Secure Boot Violation: "Invalid signature detected. Check Secure Boot Policy in Setup"

Using Fedora-Live-Desktop-x86_64-20-1.iso on a fresh (Winter 2014/Haswell) Dell XPS12 laptop with Secure Boot enabled.

This is from booting, hitting F12 to select the UEFI method on the USB disk.

I have tried:
* using dd to write to disk
* using: livecd-iso-to-disk --reset-mbr --efi --format

Attached are the exported variables from secure boot settings.
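
Added example, not part of the original bug report and not pesign's own code: the workaround in the thread removes one signature from shim.efi with `pesign -r -u 1`, so it helps to see how many signatures the file carries before and after. The Python below walks the PE attribute certificate table and lists its entries; `list_signatures` and `sample_pe` are hypothetical names, the sample image is constructed with filler certificate bodies, and it is an assumption that the index listed here corresponds to pesign's signature number.

```python
import struct
import sys

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY; its "address" is a file offset

def list_signatures(pe: bytes):
    """Return (index, length, revision, type) for each WIN_CERTIFICATE entry."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = pe_off + 24  # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (112 if magic == 0x20B else 96)  # PE32+ vs PE32
    (ndirs,) = struct.unpack_from("<I", pe, dirs - 4)
    if ndirs <= SECURITY_DIR:
        return []
    off, size = struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR)
    if off + size > len(pe):
        raise ValueError("certificate table runs past end of file")
    sigs, pos, end = [], off, off + size
    while pos + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or pos + length > end:
            raise ValueError("corrupt WIN_CERTIFICATE entry")
        sigs.append((len(sigs), length, rev, ctype))
        pos += (length + 7) & ~7  # entries are padded to 8-byte alignment
    return sigs

def sample_pe(cert_lengths):
    """Constructed minimal PE32+ image; certificate bodies are zero filler."""
    table = b"".join(struct.pack("<IHH", n, 0x0200, 0x0002) + bytes(n - 8 + -n % 8)
                     for n in cert_lengths)
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)          # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x98, 0x20B)         # optional header magic
    struct.pack_into("<I", hdr, 0x98 + 108, 16)      # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, 0x98 + 112 + 8 * SECURITY_DIR,
                     len(hdr) if table else 0, len(table))
    return bytes(hdr) + table

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pe([20, 16])
    for sig in list_signatures(data):
        print("signature %d: %d bytes, revision 0x%04x, type 0x%04x" % sig)
```

Run it with the path to a copy of shim.efi as the only argument; with no argument it lists the two entries of the constructed sample.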