Bug 1344512 - [UEFI][DELL Precison M6800] unable to boot Windows 10 - no shim lock protocol
Summary: [UEFI][DELL Precison M6800] unable to boot Windows 10 - no shim lock protocol
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: grub2
Version: 24
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Peter Jones
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: RejectedBlocker
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-06-09 20:39 UTC by Shawn Starr
Modified: 2016-06-14 08:40 UTC (History)
10 users (show)

Fixed In Version: grub2-2.02-0.34.fc24
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-14 08:40:58 UTC
Type: Bug


Attachments (Terms of Use)
boot error (2.56 MB, image/jpeg)
2016-06-09 20:39 UTC, Shawn Starr
no flags Details
Booting with message - still boots OK - Secure Boot ENABLED (2.72 MB, image/jpeg)
2016-06-09 22:46 UTC, Shawn Starr
no flags Details

Description Shawn Starr 2016-06-09 20:39:05 UTC
Created attachment 1166428 [details]
boot error

Description of problem:

- I have SecureBoot disabled in BIOS.

After upgrading to beta Fedora 24 from 23, grub2 no longer boots Windows 10 (for games).

Version-Release number of selected component (if applicable):
grub2-2.02-0.33.fc24.x86_64 (newest version in koji as of today)

How reproducible: 100%


Steps to Reproduce:
1. Upgrade from Fedora 23 -> Fedora 24 beta/RC
2. Reboot, unable to boot Windows 10.

Actual results:
Fails (See attached screenshot)

Expected results:
Boots OS

Additional info:
This also shows 'no shim lock protocol' booting Linux but it continues to boot after prompting.

Comment 1 Shawn Starr 2016-06-09 20:41:47 UTC
Workaround available: I can use Dell BIOS UEFI menu boot prompt to boot Windows 10 normally, just not via grub2.

Comment 2 Adam Williamson 2016-06-09 21:02:34 UTC
See also:

https://bugs.mageia.org/show_bug.cgi?id=18389

not sure if that's any help, but...they reference a SUSE advisory:

http://lists.suse.com/pipermail/sle-security-updates/2015-December/001770.html

which lists a change "Do not use shim lock protocol for reading PE header as it won't be available when secure boot is disabled. (bsc#943380)"

Comment 3 Fedora Blocker Bugs Application 2016-06-09 21:08:26 UTC
Proposed as a Blocker for 24-final by Fedora user pwalter using the blocker tracking app because:

 violation of "The installer must be able to install into free space alongside an existing clean Windows installation and install a bootloader which can boot into both Windows and Fedora."

Comment 4 Adam Williamson 2016-06-09 21:20:13 UTC
So far our best guess is that this fails when chainloading Windows (10? or all?) with Secure Boot disabled, but it'd be great to get more testing to confirm or deny that.

Comment 5 Shawn Starr 2016-06-09 21:54:23 UTC
Enabling Secure Boot, no grub2 prompts are shown, the laptop boots directly into Windows 10 only.

Comment 6 Adam Williamson 2016-06-09 21:57:36 UTC
That sounds like you also switched to the Windows UEFI boot manager entry at the same time.

Comment 7 Shawn Starr 2016-06-09 22:45:55 UTC
So I have this sort of fixed - except the odd boot of Windows 10 with SB *disabled* -

Turned Secure Boot on:

1) I noticed the Dell UEFI boot entry in fedora was 'fedora' not Fedora - Fedora 22/23 laptop originally

2) I disabled all entries except 'fedora', got an error saying the boot loader signature was not valid (it appears it was using grubx64.efi in the BIOS listing)


Turned Secure Boot off:

3) Removed 'fedora' from list, had UEFI only use the UEFI: hard disk model boot option, this booted grub2, Linux/Windows w/o shim error.

4) I went BACK into BIOS and saw a NEW entry 'Fedora' and it had shim.efi, with this, I booted Linux/Windows 10 ok (see another attachment for the output however which looks wrong - Should show Windows or Dell Logo not ACPI message)

Turned Secure Boot ON

5) Was able to boot grub2, not Linux kernel (since this is not a signed kernel got a double free error etc), Windows 10 booted just fine. 


Note: When I upgraded from Fedora 23 -> 24 i had the shim protocol failure error.
I also did run grub2-install (which I now know you should not). So I have repaired the EFI boot since it points to shim.efi now.


Attached is picture of the booting of Windows 10 with shim.efi used and SB disabled

Comment 8 Shawn Starr 2016-06-09 22:46:58 UTC
Created attachment 1166434 [details]
Booting with message - still boots OK - Secure Boot ENABLED

Comment 9 Shawn Starr 2016-06-09 23:00:49 UTC
The message appears to be new(?) but I do get the Dell/Windows logo now that appears very quickly however (maybe just noise?)

I wonder if the NVRAM entry was corrupt prior and somehow this triggered all of this?

Comment 10 Shawn Starr 2016-06-09 23:29:39 UTC
I am not sure this is a blocker, because too many moving parts here. Its fixed for me now.

Except the added string notice I see which is just verbose.

Comment 11 Chris Murphy 2016-06-12 22:40:15 UTC
Shawn can you update to
 	grub2-efi-2.02-0.34.fc24.x86_64.rpm
	grub2-efi-modules-2.02-0.34.fc24.x86_64.rpm
	grub2-tools-2.02-0.34.fc24.x86_64.rpm
http://koji.fedoraproject.org/koji/buildinfo?buildID=771914

Don't use grub2-install after installing these, just test secure boot enabled and disabled and report back. I'd say grub2-install is sufficiently not out of the box on UEFI that it's not a blocker since it installs a rather different behaving grubx64.efi and also sets its own NVRAM boot entry.

Comment 12 Fedora Update System 2016-06-13 14:38:51 UTC
grub2-2.02-0.33.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-c4d43baacc

Comment 13 Fedora Update System 2016-06-13 14:41:35 UTC
grub2-2.02-0.33.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-c4d43baacc

Comment 14 Fedora Update System 2016-06-13 14:44:55 UTC
grub2-2.02-0.33.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-c4d43baacc

Comment 15 Fedora Update System 2016-06-13 15:58:43 UTC
grub2-2.02-0.33.fc24, grub2-2.02-0.34.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-c4d43baacc

Comment 16 Petr Schindler 2016-06-13 17:21:47 UTC
Discussed at 2016-06-13 blocker review meeting: [1]. 

This bug was rejected as Final blocker: from current data this seems to have been a sort of transient bug dating back to F22 UEFI boot manager configuration, no solid indication that it violates the criteria

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2016-06-13/f24-blocker-review.2016-06-13-16.04.html

Comment 17 Shawn Starr 2016-06-14 03:29:56 UTC
Tested:

SB: Windows 10 boots w/o ACPI message, no errors on booting
SB: Fedora signed kernel boots successfully

(SB: Fedora unsigned kernel shows 'double free' error from grub2 (press any key, does not take you back to Grub menu but boots Windows 10). - Not in scope of this ticket)

non-SB: Windows 10 boots w/o ACPI message, no errors on booting
non-SB: Fedora signed kernel boots successfully.
non-SB: Fedora unsigned kernel boots successfully.

This is now resolved.

Comment 18 Shawn Starr 2016-06-14 03:30:23 UTC
I will give karma to the RPMs now.

Comment 19 Fedora Update System 2016-06-14 08:40:20 UTC
grub2-2.02-0.34.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.