Bug 1497559 - "MODSIGN: Couldn't get UEFI db list"
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 27
Hardware: Unspecified
OS: Unspecified
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-10-01 20:17 UTC by Christian Stadelmann
Modified: 2018-03-19 10:19 UTC (History)

Last Closed: 2018-02-28 07:13:13 UTC


Attachments
dmesg on the same machine (68.63 KB, text/plain)
2017-10-01 20:17 UTC, Christian Stadelmann
Don't print an error on an empty certificate list (3.05 KB, patch)
2017-10-04 14:18 UTC, Peter Jones
Add efi_status_to_str() (4.95 KB, patch)
2017-10-04 14:19 UTC, Peter Jones
Make get_cert_list() use efi_status_to_str() when printing errors. (1.19 KB, patch)
2017-10-04 14:19 UTC, Peter Jones

Description Christian Stadelmann 2017-10-01 20:17:40 UTC
Created attachment 1333009 [details]
dmesg on the same machine

Description of problem:
On my UEFI-enabled notebook, I'm getting errors printed to syslog on every boot related to MODSIGN.


Version-Release number of selected component (if applicable):
any 4.12.x kernel on Fedora 26


How reproducible:
always on this machine


Steps to Reproduce:
1. Boot Fedora 26 on a specific computer
2. after boot, have a look at syslog/dmesg


Actual results:
During early boot, I'm getting these messages, some of them marked as errors:

```
[…]
Loading compiled-in X.509 certificates
alg: No test for pkcs1pad(rsa,sha256) (pkcs1pad(rsa-generic,sha256))
Loaded X.509 cert 'Fedora kernel signing key: 94c955864e50de21ac073031aa5979d254c7279f'
Couldn't get size: 0x800000000000000e
MODSIGN: Couldn't get UEFI db list
Loaded UEFI:MokListRT cert 'Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42' linked to secondary sys keyring
ACPI: Battery Slot [BAT1] (battery present)
Couldn't get size: 0x800000000000000e
MODSIGN: Couldn't get UEFI dbx list
zswap: loaded using pool lzo/zbud
[…]
```



Expected results:
No error messages



Additional info:
This issue was not present with the following kernel versions (all F26, x86_64)
4.11.6-301
4.11.8-300
4.11.1-300

This issue has been present with the following kernel versions:
4.12.5-300
4.12.8-300
4.12.9-300
4.12.13-300
4.12.14-300

Machine details:
This may be related to bug #1470995 and https://bugzilla.kernel.org/show_bug.cgi?id=197021.

There are no noticeable issues, but secure boot seems to be disabled according to the logs.

Efi info from dmesg:

efi: EFI v2.00 by American Megatrends
efi:  ACPI 2.0=0xdaffff98  SMBIOS=0x1c7ed40

Comment 1 Peter Jones 2017-10-04 14:17:30 UTC
Is Secure Boot disabled according to the firmware, as well? I suspect it is, in which case the attached patches may be worthwhile.

Comment 2 Peter Jones 2017-10-04 14:18:17 UTC
Created attachment 1334269 [details]
Don't print an error on an empty certificate list

Comment 3 Peter Jones 2017-10-04 14:19:11 UTC
Created attachment 1334270 [details]
Add efi_status_to_str()

Comment 4 Peter Jones 2017-10-04 14:19:51 UTC
Created attachment 1334271 [details]
Make get_cert_list() use efi_status_to_str() when printing errors.
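
Added example (not part of the bug report or the attached patches): the raw value in `Couldn't get size: 0x800000000000000e` is a 64-bit EFI_STATUS with the error bit set and code 14, which the UEFI specification defines as EFI_NOT_FOUND, i.e. the firmware has no such variable. The Python sketch below decodes these values from dmesg lines and pairs each with the MODSIGN message that follows it; the function names, the verdict labels and the sample lines are constructed for illustration.

```python
import re

# EFI_STATUS error codes (UEFI specification). On 64-bit firmware an error
# has the top bit set and the code in the low bits.
EFI_ERROR_BIT = 1 << 63
EFI_ERRORS = {
    2: "EFI_INVALID_PARAMETER", 3: "EFI_UNSUPPORTED",
    5: "EFI_BUFFER_TOO_SMALL", 7: "EFI_DEVICE_ERROR",
    9: "EFI_OUT_OF_RESOURCES", 14: "EFI_NOT_FOUND",
    15: "EFI_ACCESS_DENIED", 26: "EFI_SECURITY_VIOLATION",
}
SIZE_RE = re.compile(r"Couldn't get size: (0x[0-9a-fA-F]+)")
LIST_RE = re.compile(r"MODSIGN: Couldn't get UEFI (\S+) list")

def decode_efi_status(value):
    """Return the symbolic name for a 64-bit EFI_STATUS value."""
    if value == 0:
        return "EFI_SUCCESS"
    if value & EFI_ERROR_BIT:
        code = value & ~EFI_ERROR_BIT
        return EFI_ERRORS.get(code, f"EFI_ERROR({code})")
    return f"EFI_WARNING({value})"

def triage(lines):
    """Pair each "Couldn't get size" status with the MODSIGN line after it.
    EFI_NOT_FOUND means the variable is absent; anything else is flagged."""
    findings, pending = [], None
    for line in lines:
        m = SIZE_RE.search(line)
        if m:
            pending = decode_efi_status(int(m.group(1), 16))
            continue
        m = LIST_RE.search(line)
        if m and pending is not None:
            verdict = "absent" if pending == "EFI_NOT_FOUND" else "investigate"
            findings.append((m.group(1), pending, verdict))
            pending = None
    return findings

# Constructed sample: the first pair uses the format quoted in this report;
# the second status value (0x8000000000000007) is invented for contrast.
SAMPLE = [
    "Couldn't get size: 0x800000000000000e",
    "MODSIGN: Couldn't get UEFI db list",
    "[    1.202714] Couldn't get size: 0x8000000000000007",
    "[    1.202734] MODSIGN: Couldn't get UEFI dbx list",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A status of EFI_NOT_FOUND for `db` and `dbx` only says the variables do not exist in firmware; any other decoded status on these lines points at a firmware or access problem rather than an empty list.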

Comment 5 Hans de Goede 2017-10-04 15:04:28 UTC
In case anyone else wants to test this, here is a scratch build of the latest Fedora kernel with these patches applied:

https://fedorapeople.org/~jwrdegoede/rhbz1497559/

I can confirm that these patches fix the error messages for me.

To test, download all files (except the .src.rpm) to a directory and from that
directory run:

sudo rpm -ivh kernel*.rpm

Note -ivh not -Uvh so that you keep your current working kernel.

Then reboot into the new kernel and the errors should be gone.

Comment 6 Christian Stadelmann 2017-10-04 19:54:55 UTC
(In reply to Peter Jones from comment #1)
> Is Secure Boot disabled according to the firmware, as well? I suspect it
> is, in which case the attached patches may be worthwhile.

The setup util (which looks and feels like any old BIOS) does not say anything about secure boot, so it probably does not support that. The software identifies itself as
> Aptio Setup Utility – Copyright (C) 2010 American Megatrends, Inc.

in the header and 
> SAMSUNG Electronic BIOS Team u5.4 c2.10.1208

in the footer.


The device was produced in September 2012 and was shipped with Windows 7 Pro OA, in case that matters.

Comment 7 Pasquale Iannuzzi 2017-10-29 12:04:35 UTC
(In reply to Hans de Goede from comment #5)
> In case anyone else wants to test this, here is a scratch build of the
> latest Fedora kernel with these patches applied:
> 
> https://fedorapeople.org/~jwrdegoede/rhbz1497559/
> 
> I can confirm that these patches fix the error messages for me.
> 
> To test, download all files (except the .src.rpm) to a directory and from
> that
> directory run:
> 
> sudo rpm -ivh kernel*.rpm
> 
> Note -ivh not -Uvh so that you keep your current working kernel.
> 
> Then reboot into the new kernel and the errors should be gone.

I've been experiencing the same issue for a while. Having tested the patched kernel, I can confirm that at startup I don't see the error message.

Comment 8 Christian Stadelmann 2017-11-01 16:34:47 UTC
(In reply to Hans de Goede from comment #5)
> In case anyone else wants to test this, here is a scratch build of the
> latest Fedora kernel with these patches applied:
> 
> https://fedorapeople.org/~jwrdegoede/rhbz1497559/

Works fine and the error message is gone now.

Comment 9 Yaroslav Nikitenko 2017-11-16 17:32:09 UTC
The patch worked for me as well. 

Unfortunately, recent kernel releases don't include that (I had a kernel version newer than this patch and installed that with rpm --force). Could that be incorporated into new kernels?

Comment 10 Giovanni Grieco 2017-12-08 18:14:44 UTC
(In reply to Hans de Goede from comment #5)
> In case anyone else wants to test this, here is a scratch build of the
> latest Fedora kernel with these patches applied:
> 
> https://fedorapeople.org/~jwrdegoede/rhbz1497559/
> 
> I can confirm that these patches fix the error messages for me.
>

These patches work, but they haven't made it into the official kernel yet. Is it possible to add them?

Tested under Apple iMac 12,2 and Apple MacBookPro 12,1. Both are affected by this bug.

I've rebuilt the latest available kernel by adding the following patches from Hans' SRPM:
- 0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch
- 0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch
- 0003-Make-get_cert_list-use-efi_status_to_str-to-print-er.patch

Results are available on Koji: https://koji.fedoraproject.org/koji/taskinfo?taskID=23592039

If I may be any more helpful, please let me know.
Cheers.

Comment 11 Giovanni Grieco 2017-12-10 15:29:00 UTC
(In reply to Giovanni Grieco from comment #10)
> they haven't made it into the official kernel yet. Is it
> possible to add them?
> 

Oops, just checked linux-4.14.4-300. It is all OK, sorry.

Comment 12 Gurenko Alex 2017-12-19 20:03:15 UTC
I'm still seeing this problem on 4.14.6-300.fc27.x86_64 kernel. Is it only fixed in F26 branch?

Comment 13 Glenn Bradford 2017-12-20 19:00:25 UTC
(In reply to Gurenko Alex from comment #12)
> I'm still seeing this problem on 4.14.6-300.fc27.x86_64 kernel. Is it only
> fixed in F26 branch?

Not fixed in F26. Still seeing this on my Lenovo X220 with latest kernel-4.14.6-200.fc26

Comment 14 cpacchierotti 2018-01-03 12:36:19 UTC
I still see this error on my HP EliteBook G3, kernel 4.14.8-300.fc27.x86_64

Comment 15 Peter Jones 2018-01-10 17:26:09 UTC
I've pushed these patches to the kernel repos for F26, F27, and rawhide, so they should be fixed in the next builds.

Comment 16 Ozkan Sezer 2018-01-11 07:12:35 UTC
(In reply to Peter Jones from comment #15)
> I've pushed these patches to the kernel repos for F26, F27, and rawhide, so
> they should be fixed in the next builds.

The f26 version of the MODSIGN patches seems to have gone into the wrong branch,
i.e. '26' instead of 'f26'.

Comment 17 ValdikSS 2018-01-11 13:21:00 UTC
Fixed in kernel-4.14.13-300.fc27.
https://bodhi.fedoraproject.org/updates/FEDORA-2018-21a7ad920c

Comment 18 Mustafa Mehmed 2018-01-13 04:56:48 UTC
Fixed in kernel-4.14.13-300.fc27.

Comment 19 Mustafa Mehmed 2018-01-13 04:57:07 UTC
Fixed in kernel-4.14.13-300.fc27.

Comment 20 Laura Abbott 2018-02-28 03:40:01 UTC
We apologize for the inconvenience.  There is a large number of bugs to go through and several of them have gone stale. The kernel moves very fast so bugs may get fixed as part of a kernel update. Due to this, we are doing a mass bug update across all of the Fedora 26 kernel bugs.
 
Fedora 26 has now been rebased to 4.15.4-200.fc26. Please test this kernel update (or newer) and let us know if your issue has been resolved or if it is still present with the newer kernel.
 
If you have moved on to Fedora 27, and are still experiencing this issue, please change the version to Fedora 27.
 
If you experience different issues, please open a new bug report for those.

Comment 21 Christian Stadelmann 2018-02-28 07:13:13 UTC
This issue was last seen with kernel 4.14.11 on 2018-01-20, but not with kernel 4.14.13 or later. Thank you for fixing this issue!

Comment 22 Giovanni Grieco 2018-03-18 18:52:02 UTC
I noticed that I got this error again on a fresh new install of Fedora 27 with kernel 4.15.9-300.fc27.x86_64. As stated by Christian, this error was solved in past kernel versions.

Here is an excerpt of dmesg output:
```
[    1.140951] Loading compiled-in X.509 certificates
[    1.181095] Loaded X.509 cert 'Fedora kernel signing key: 7bf71b7aa6845adff2b1cf1f1968839d5134fb7e'
[    1.189613] Couldn't get size: 0x800000000000000e
[    1.189647] MODSIGN: Couldn't get UEFI db list
[    1.198433] Loaded UEFI:MokListRT cert 'Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42' linked to secondary sys keyring
[    1.202714] Couldn't get size: 0x800000000000000e
[    1.202734] MODSIGN: Couldn't get UEFI dbx list
```

Comment 23 Christian Stadelmann 2018-03-18 19:56:33 UTC
(In reply to Giovanni Grieco from comment #22)
> I noticed that I got this error again on a fresh new install of Fedora 27
> with kernel 4.15.9-300.fc27.x86_64. As stated by Christian, this error was
> solved in past kernel versions.

I don't reproduce this on the same kernel version. Shall I reopen bug report or will you create a new one?

Comment 24 Giovanni Grieco 2018-03-19 10:19:14 UTC
(In reply to Christian Stadelmann from comment #23)
> I don't reproduce this on the same kernel version. Shall I reopen bug report
> or will you create a new one?

I think it's better if I open a new one, I've just self-compiled latest 4.15.10 from f27 branch and the error doesn't occur anymore.

Thank you.

