Bug 1451071 - Secure boot flag could not be determined
Summary: Secure boot flag could not be determined
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 26
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
Whiteboard: AcceptedFreezeException
Depends On:
Blocks: F26FinalBlocker F26FinalFreezeException 1465517
TreeView+ depends on / blocked
Reported: 2017-05-15 17:08 UTC by dherault
Modified: 2017-06-29 23:28 UTC (History)
16 users (show)

Fixed In Version: grub-2.02-0.40.fc26
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1465517 (view as bug list)
Last Closed: 2017-06-29 23:28:34 UTC
Type: Bug

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1418360 0 unspecified CLOSED grub2 incorrectly initialises the boot_params from the kernel image 2021-02-22 00:41:40 UTC

Internal Links: 1418360

Description dherault 2017-05-15 17:08:08 UTC
Secure boot is activated in the bios and i can boot without issue.

But dmesg output is :
dmesg -t | grep -i 'edk\|secure'
Secure boot could not be determined

While normally it should be:
Secure boot enabled and kernel locked down

Kernel 4.11.0-2.fc26.x86_64
Bootloader : Grub2

Comment 1 David Howells 2017-05-16 12:55:21 UTC
What grub version do you have?  There's a bug in grub that might be the culprit (bug 1418360).

Comment 2 dherault 2017-05-16 13:55:28 UTC
The last one : 1:2.02-0.38.fc26
I have at boot a EFI stub message that informs me that secure boot is enabled. But no kernel lockdown for dmesg.

Maybe the problem is for me related to the fact that I activated secure boot after the installation of the system?

efibootmgr -v
BootCurrent: 0001
Timeout: 1 seconds
BootOrder: 0001,0000,0005
Boot0000* Windows Boot Manager	HD(2,GPT,e3179291-056a-448c-a5a1-ba56fb60e852,0xe1800,0x32000)/File(\EFI\MICROSOFT\BOOT\BOOTMGFW.EFI)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.}...7................
Boot0001* Fedora	HD(1,GPT,fe1e748e-4c4a-4791-b11f-3865772b4ce3,0x800,0x2f800)/File(\EFI\FEDORA\SHIM.EFI)
Boot0005* UEFI OS	HD(1,GPT,fe1e748e-4c4a-4791-b11f-3865772b4ce3,0x800,0x2f800)/File(\EFI\BOOT\BOOTX64.EFI)

Secureboot efivar is present, but not SecurebootEnforce... 
ls  /sys/firmware/efi/efivars/ |grep Secure*


Comment 3 dherault 2017-05-18 09:56:09 UTC
Kernel updated to 4.11.1-300.fc26.x86_64 : 
Same issue
dmesg |grep Secur*
[    0.000000] Secure boot could not be determined

If it can be useful :
bootctl status
Using EFI System Partition at /boot/efi.
     Firmware: n/a (n/a)
  Secure Boot: enabled
   Setup Mode: user

      Product: n/a
    Partition: n/a
         File: └─n/a

Boot Loader Binaries:
          ESP: /dev/disk/by-partuuid/fe1e748e-4c4a-4791-b11f-3865772b4ce3
systemd-boot not installed in ESP.
         File: └─/EFI/BOOT/BOOTX64.EFI

Boot Loader Entries in EFI Variables:
        Title: Fedora
           ID: 0x0001
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/fe1e748e-4c4a-4791-b11f-3865772b4ce3
         File: └─/EFI/FEDORA/SHIM.EFI

        Title: Windows Boot Manager
           ID: 0x0000
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/e3179291-056a-448c-a5a1-ba56fb60e852

        Title: UEFI OS
           ID: 0x0005
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/fe1e748e-4c4a-4791-b11f-3865772b4ce3
         File: └─/EFI/BOOT/BOOTX64.EFI

Comment 4 dherault 2017-05-19 07:44:27 UTC
Tried to reinstall grub-efi but same issue :

sudo dnf reinstall grub2-efi grub2-efi-modules shim
sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg

Comment 5 David Howells 2017-05-24 12:51:17 UTC
The bug has not yet been fixed in grub.

Comment 6 hanishkvc 2017-06-05 13:19:06 UTC
Any specific reason why this bug is still not resolved? Also isn't there a bug in kernel also.

Looking at the note given in struct boot_param, as well as how the efi boot wrapper within in the kernel is using some part of the boot_param to set its own parameters, after it has got control from the original bootloader, why is the sanitize_boot_params WRONGLY reseting parameters which are (or can be as is the case here) set outside/after the bootloader.

Other than fixing the blind and potentially wrong copying of parameters area into boot_param by grub. The kernel should also be fixed to have some additional parameter to check if bootloader has set the secure boot related params or the kernel's efi boot wrapper has set it, and then sanitize only if required.

OR am I missing something here?

Comment 7 dherault 2017-06-21 08:55:23 UTC
Same issue kernel 4.11.5-300 FC26 beta.

I do not have the impression that this bug is moving to be fixed. If the grub team is the only one competent, is their informed of this bug? 
Replacing grub with a signed systemd-boot could help solve the problem. But I do not know if it's in the pipes...

Comment 8 Fedora Update System 2017-06-26 21:27:56 UTC
grub2-2.02-0.40.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-01b07bc086

Comment 9 Fedora Blocker Bugs Application 2017-06-26 21:33:27 UTC
Proposed as a Blocker and Freeze Exception for 26-final by Fedora user pjones using the blocker tracking app because:

 Without this we can't verify from inside the OS that Secure Boot is enabled.

Comment 10 Dominik 'Rathann' Mierzejewski 2017-06-27 10:15:23 UTC
(In reply to Fedora Update System from comment #8)
> grub2-2.02-0.40.fc26 has been submitted as an update to Fedora 26.
> https://bodhi.fedoraproject.org/updates/FEDORA-2017-01b07bc086

What about F25? The issue occurs there as well.

Comment 11 Fedora Update System 2017-06-27 20:25:00 UTC
grub2-2.02-0.40.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-01b07bc086

Comment 12 Adam Williamson 2017-06-28 21:51:36 UTC
Same question as the other bug: Would the fix for this take effect after a normal update of grub2, or is there some reason the fix for this needs to appear in the frozen release package set?

Also, presumably *both* fixes are needed?

Comment 13 Adam Williamson 2017-06-29 19:11:12 UTC
For the record, pjones added further information by email:

"basically Secure Boot doesn't trigger kmod signature checking, read-only /dev/mem, etc., in the current trees. This update fixes a grub bug that's triggering that behavior in the newer kernels, but was not triggering it in the older ones."

AIUI, "kmod signature checking, read-only /dev/mem, etc." refers to various measures that are taken by the kernel when SB is known to be enabled, intended to defeat attempts to circumvent SB by e.g. loading a nefarious kernel module. So if I understand correctly, this is effectively a security issue (as it reduces the effectiveness of SB protections on systems which are using SB).

With that in mind: Discussed at 2017-06-29 blocker review meeting: https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2017-06-29/f26-blocker-review.2017-06-29-16.00.html . We agreed to at least accept this (and the companion bug #1418360) as freeze exception issues, which should be sufficient to ensure they're resolved in Final as the fixes are already available. We considered also accepting them as blockers under the "The release must contain no known security bugs of 'important' or higher impact according to the Red Hat severity classification scale which cannot be satisfactorily resolved by a package update (e.g. issues during installation)." criterion, but as this issue isn't *formally* a security issue at least yet, and doesn't have a formal security evaluation, and FE status should be sufficient to get the fixes in anyhow, we decided to leave blocker status undetermined for now. FESCo may choose to make these bugs blockers by fiat.

Comment 14 Fedora Update System 2017-06-29 23:28:34 UTC
grub2-2.02-0.40.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.