Bug 896212

Summary: Bad vendor ships bad key databases
Product: [Fedora] Fedora Reporter: M8R-qg0edw
Component: shimAssignee: Peter Jones <pjones>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 18CC: bcl, bridgerrhammond, dennis, diego, mads, mjg59, ngaywood, pjones
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-02-05 09:57:39 EST Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description M8R-qg0edw 2013-01-16 15:39:55 EST
Description of problem: Using either a live usb or simply writing the 64 bit disk image to a CD, my satellite s855 claims that the device does not have a valid secure boot signature.


Version-Release number of selected component (if applicable): This is for the new Fedora 18 (XFCE), not beta.


How reproducible: It happens every time I attempt to boot to either method of installation.


Steps to Reproduce:
1.Write image to CD.
2.Change setting to boot first to CD.
3.Boot and observe blue box with text indicating that the device did not have a valid signature and therefore secure boot stopped it.
  
Actual results:
Failure to boot device.

Expected results:
Begin installing awesome new Fedora.

Additional info: This is one of those Windows 8 preloaded machines. My school offered a bloatware-free Windows 8 Pro, and that installed just fine. I have updated the bios.
Comment 1 Matthew Garrett 2013-01-16 21:12:30 EST
This is using the 64-bit image? Are you able to test the normal install image rather than the XFCE one?
Comment 2 M8R-qg0edw 2013-01-17 01:07:57 EST
I'm certain it was the 64-bit image, but I am willing to admit that the error could definitely be on my side of the fence, as I am a novice at low-level stuff.

I only have cds, not dvds, so (just in case I was messing up USB stuff) I am trying the LXDE image next (as it will fit on a cd). Tomorrow I'll buy some DVDs and try the mainstream image. Just burning a DVD (how old-fashioned) way for the most mainstream edition should probably help.

If I disable secure boot, the live cd loads right up, so that should help clarify that it isn't like I completely fudged burning a cd.
Comment 3 M8R-qg0edw 2013-01-17 01:24:48 EST
I have also tested LXDE 64 bit. While either CD will boot up with secure boot disabled, neither will with it enabled. The computer explicitly states in either case: “Boot Failure: a proper digital signature was not found. One of the files on the select boot device was rejected by the Secure Boot feature.”.
Comment 4 Matthew Garrett 2013-01-17 07:29:37 EST
Ok, the XFCE image appears to have a signed copy of shim. Can you verify that the md5sum of the iso you have is 31786b7077f1bc5c657988f6d46a18d0 ?
Comment 5 M8R-qg0edw 2013-01-17 08:28:51 EST
The md5sum of my image is the same.
Comment 6 Matthew Garrett 2013-01-17 10:09:21 EST
Ok, just to rule out one further possibility, could you possibly try the 64-bit version of Ubuntu 12.10 as well?
Comment 7 M8R-qg0edw 2013-01-17 12:32:36 EST
Ubuntu 12.10 64 bit failed in the same fashion.
Comment 8 Matthew Garrett 2013-01-17 17:03:45 EST
Which version of the system BIOS are you running?
Comment 9 M8R-qg0edw 2013-01-17 17:12:06 EST
I am running version 6.40.
Comment 10 Matthew Garrett 2013-01-17 17:28:42 EST
Ok, the firmware definitely contains a copy of the appropriate key, the question is whether it's attempting to validate against it or not.
Comment 11 M8R-qg0edw 2013-01-17 17:40:52 EST
Maybe the exact wording of the failure helps: “Boot Failure: a proper digital signature was not found. One of the files on the select boot device was rejected by the Secure Boot feature.”

I don't know what exactly to do to help test things. (I also don't want to waste your time if it is simply my machine.) However, I can say that the machine came with the lowest level windows 8 (and associated crapware), but did allow me to install windows 8 enterprise evaluation edition, then windows 8 pro (from my school). I assume that each of those had to have their key evaluated, and that the process was successful.
Comment 12 Matthew Garrett 2013-01-17 18:00:37 EST
Ok, I took some time looking at the ROM dump - it seems that the third party key has been placed in the KEK database, not the db.
Comment 13 Matthew Garrett 2013-01-17 19:39:51 EST
Did this system ship with Windows 8? If so, did it have the Windows 8 logo on it?
Comment 14 M8R-qg0edw 2013-01-17 19:53:49 EST
It shipped with windows 8 and it has the sticker on the bottom.
Comment 15 Matthew Garrett 2013-01-17 20:07:41 EST
One of these stickers? http://cdn.arstechnica.net/wp-content/uploads/2012/12/windows-8-stickers.jpg
Comment 16 M8R-qg0edw 2013-01-17 23:26:16 EST
It has the one on the left. yes.
Comment 17 M8R-qg0edw 2013-01-22 21:32:17 EST
Toshiba tech support, who sounded about as knowledgeable as me, unfortunately, found it plausible that the key might not be in the most recent bios update. What do you mean when you say "not the db", but "in the KEK database"?
Comment 18 Matthew Garrett 2013-01-22 21:37:13 EST
There's several key databases in UEFI. Db contains the keys that are trusted for booting software, kek contains keys that are trusted for installing updates to db. Kek keys aren't trusted for booting software, so if the key is installed in the wrong database then verification will fail. I took a look at the firmware image from this device and it looks like the key is present, except in kek rather than db. This is almost certainly an error on the part of the vendor that manufactured this machine for Toshiba.
Comment 19 Matthew Garrett 2013-01-31 13:20:25 EST
This is supposedly fixed in firmware version 6.60, but you may need to contact technical support to get hold of it.
Comment 20 M8R-qg0edw 2013-02-21 09:17:28 EST
They recently released the new version. I double-checked after installing it, and indeed have that version now (6.60). 

However, neither my fedora nor sabayon disks work. They both fail just as the did previously.
Comment 21 Matthew Garrett 2013-02-21 13:54:14 EST
I've looked at the firmware image and it seems to have the right key in the right place. Just to make completely sure of this - if you put in a 64-bit Fedora 18 CD, it still gives an "Invalid signature" error?
Comment 22 M8R-qg0edw 2013-02-21 23:37:17 EST
"Boot Failure: a proper digital signature was not found. One of the files on the select boot device was rejected by the Secure Boot feature."
Comment 23 Matthew Garrett 2013-02-25 21:34:34 EST
You apparently have to update the BIOS under DOS, not using the Windows updater.
Comment 24 M8R-qg0edw 2013-06-09 22:30:08 EDT
Sorry for the delay. Life got busy. I never updated to 6.60 under dos, but I did burn 6.70 to disk and booted the computer to the disk, and flashed by typing flash from the command line and hitting enter. It was not done from windows like 6.60 was.

I get the same boot failure.

Is the update incremental such that I needed to do 6.60 properly first?
Comment 25 bridgerrhammond 2013-06-11 23:50:39 EDT
Hey everyone,

I have a Toshiba S875D-350 and have the same exact problem.
Ubuntu, Fedora(cd and dvd, regular and kde of each tested) and Opensuse all do the same thing. I have tried 18 and 19 of Fedora, and 1 version of Ubuntu/Opensuse.

I get the same exact blue blox on my system, even if I install with Secure Boot turned off, and repair-boot, and then enable it I still get the same error.

If anyone has any tips/help I would love you.

Right now I'm flashing my BIOS to the newest version to see if that helps.
Comment 26 Matthew Garrett 2013-06-11 23:59:38 EDT
Looks like it has exactly the same bug - the third party signing key is in the KEK database, not in db.
Comment 27 Fedora End Of Life 2013-12-21 05:26:17 EST
This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be 
able to fix it before Fedora 18 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 28 Fedora End Of Life 2014-02-05 09:57:44 EST
Fedora 18 changed to end-of-life (EOL) status on 2014-01-14. Fedora 18 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.