Bug 1049749 - Secure Boot Violation on live media
Summary: Secure Boot Violation on live media
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: shim-signed
Version: 20
Hardware: x86_64
OS: Unspecified
unspecified
high
Target Milestone: ---
Assignee: Peter Jones
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-01-08 06:39 UTC by D.S. Ljungmark
Modified: 2014-08-19 23:26 UTC (History)
8 users (show)

(edit)
Clone Of:
: 1169363 (view as bug list)
(edit)
Last Closed: 2014-07-22 03:31:43 UTC


Attachments (Terms of Use)
Exported keys from machine (20.00 KB, application/x-tar)
2014-01-08 06:39 UTC, D.S. Ljungmark
no flags Details

Description D.S. Ljungmark 2014-01-08 06:39:13 UTC
Created attachment 846966 [details]
Exported keys from machine

Description of problem:
I get:
"Secure Boot Violation:
"Invalid signature detected. Check Secure Boot Policy in Setup"

Using Fedora-Live-Desktop-x86_64-20-1.iso

on a fresh ( Winter 2014/haswell)  Dell XPS12 laptop with Secure Boot Enabled

This is from booting, hitting F12 to select the UEFI method on the USB disk




I have tried:
using dd to write to disk
using:
livecd-iso-to-disk --reset-mbr --efi --format  


Attached are the exported variables from secure boot settings.

Comment 1 Adam Williamson 2014-01-08 06:53:50 UTC
assigning to shim-signed to get the right eyes on this...

Comment 2 D.S. Ljungmark 2014-01-08 06:57:40 UTC
Other things tested:

Ubuntu 13.10 x64 iso, Works!



( wipefs --all /dev/sde; dd if=/dev/zero of=/dev/sde bs=1M count=40; dd if=ubuntu.iso of=/dev/sde bs=512k )

Comment 3 Christoph Noack 2014-05-30 19:13:12 UTC
Same issue on an recently purchased XPS 15 (9530).

Secureboot causes "Secure Boot Violation":
* Fedora-20-x86_64-DVD.iso (download verified & burned to DVD)
* Fedora-20-x86_64-netinst.iso (download verified & burned to DVD)
Fedora-Live-Desktop-x86_64-20-1.iso (download verified & burned to DVD; dd to USB stick; Fedora liveusb-creator via Windows)
* Fedora-Live-Desktop-x86_64-19-1.iso (download verified & burned to DVD)

I also rebuilt the first image with "fix-uefi-iso.sh" mentioned at #1043274.

Existance of correct certificates checked via "UEFI Secure Boot Checkup (Windows)" by Insyde Software Corp.

Booting works fine with "Ubuntu 14.04 LTS" (burned to DVD).

Please tell me if you need more details.

Comment 4 Peter Jones 2014-05-30 20:25:55 UTC
Can you try the image at http://pjones.fedorapeople.org/Fedora-Live-Desktop-remastered-x86_64-20-1.iso ?

Comment 5 Christoph Noack 2014-05-30 22:03:42 UTC
Thanks for the fast response! Tested the image (via burning to DVD), but error remains - unfortunately.

Comment 6 Peter Jones 2014-06-03 18:44:23 UTC
Apologies, that image wasn't as modified as it should have been.  I've replaced it at the same URL - can you check again?

Comment 7 Christoph Noack 2014-06-05 19:19:13 UTC
Hi Peter! It booting works like a charm - tested again via burning the image to DVD. But I only tested the booting of the Live distribution, since I already installed F20 on my laptop without Secure Boot (using my previous DVDs).

Personal issue: What needs to be done to update/modify my given installation to work with Secure Boot like the new installer image does? (I know, Bugzilla might be the wrong place for asking for help - alternatively, where can I ask?)

Again, thanks for taking care! :-)
Christoph

Comment 8 Peter Jones 2014-06-05 20:33:18 UTC
You need to make sure pesign is in your package set, and then do this in %post from kickstart (or just run it after installation from tty2):

chroot /mnt/sysimage
pesign -i /boot/efi/EFI/fedora/shim.efi -o /tmp/shim.efi -r -u 1
cp -f /tmp/shim.efi /boot/efi/EFI/fedora/shim.efi
cp -f /tmp/shim.efi /boot/efi/EFI/BOOT/BOOTX64.EFI

Note that this is strictly a workaround for a firmware bug.

Comment 9 Fedora Update System 2014-07-18 14:39:29 UTC
shim-signed-0.7-2.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/shim-signed-0.7-2.fc20

Comment 10 Fedora Update System 2014-07-19 06:02:54 UTC
Package shim-signed-0.7-2.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing shim-signed-0.7-2.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-8513/shim-signed-0.7-2.fc20
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2014-07-22 03:31:43 UTC
shim-signed-0.7-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Alex Machina 2014-08-19 23:24:34 UTC
I have an Dell Inspiron 347 with Windows 8.1 pre-installed. It is set to UEFI with Secure Boot enabled.

Attempting to boot using FC20 XFCE Live CD or FC20 X86_64 DVD results in:

"Invalid Signature Detected. Check Secure Boot Policy in Setup".

Comment 11 states that fix has been pushed to Fedora 20 stable repository, so I expected this to work, since I downloaded the Fedora ISO after 2014-07-21.

Comment 13 Alex Machina 2014-08-19 23:26:14 UTC
(In reply to Alex Machina from comment #12)
> I have an Dell Inspiron 3647 with Windows 8.1 pre-installed. It is set to
> UEFI with Secure Boot enabled.
> 
> Attempting to boot using FC20 XFCE Live CD or FC20 X86_64 DVD results in:
> 
> "Invalid Signature Detected. Check Secure Boot Policy in Setup".
> 
> Comment 11 states that fix has been pushed to Fedora 20 stable repository,
> so I expected this to work, since I downloaded the Fedora ISO after
> 2014-07-21.


Note You need to log in before you can comment on or make changes to this bug.