Created attachment 1333009 [details] dmesg on the same machine Description of problem: On my UEFI-enabled notebook, I'm getting errors printed to syslog on every boot related to MODSIGN Version-Release number of selected component (if applicable): any 4.12.x kernel on Fedora 26 How reproducible: always on this machine Steps to Reproduce: 1. Boot Fedora 26 on a specific computer 2. after boot, have a look at syslog/dmesg Actual results: During early boot, I'm getting these messages, some of them marked as errors: […] Loading compiled-in X.509 certificates alg: No test for pkcs1pad(rsa,sha256) (pkcs1pad(rsa-generic,sha256)) Loaded X.509 cert 'Fedora kernel signing key: 94c955864e50de21ac073031aa5979d254c7279f' Couldn't get size: 0x800000000000000e MODSIGN: Couldn't get UEFI db list Loaded UEFI:MokListRT cert 'Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42' linked to secondary sys keyring ACPI: Battery Slot [BAT1] (battery present) Couldn't get size: 0x800000000000000e MODSIGN: Couldn't get UEFI dbx list zswap: loaded using pool lzo/zbud […] Expected results: No error messages Additional info: This issue was not present with the following kernel versions (all F26, x86_64) 4.11.6-301 4.11.8-300 4.11.1-300 This issue has been present with the following kernel versions: 4.12.5-300 4.12.8-300 4.12.9-300 4.12.13-300 4.12.14-300 Machine details: This may be related to bug #1470995 and https://bugzilla.kernel.org/show_bug.cgi?id=197021. There are no noticeable issues, but secure boot seems to be disabled according to the logs. Efi info from dmesg: efi: EFI v2.00 by American Megatrends efi: ACPI 2.0=0xdaffff98 SMBIOS=0x1c7ed40
Is Secure Boot disabled according to the firwmare, as well? I suspect it is, in which case the attached patches may be worthwhile.
Created attachment 1334269 [details] Don't print an error on an empty certificate list
Created attachment 1334270 [details] Add efi_status_to_str()
Created attachment 1334271 [details] Make get_cert_list() use efi_status_to_str() when printing errors.
In case anyone else wants to test this, here is a scratch build of the latest Fedora kernel with these patches applied: https://fedorapeople.org/~jwrdegoede/rhbz1497559/ I can confirm that these patches fix the error messages for me. To test, download all files (except the .src.rpm) to a directory and from that directory run: sudo rpm -ivh kernel*.rpm Note -ivh not -Uvh so that you keep your current working kernel. Then reboot into the new kernel and the errors should be gone.
(In reply to Peter Jones from comment #1) > Is Secure Boot disabled according to the firwmare, as well? I suspect it > is, in which case the attached patches may be worthwhile. The setup util (which looks and feels like any old BIOS) does not say anything about secure boot, so it probably does not support that. The software identifies itself as > Aptio Setup Utility – Copyright (C) 2010 American Megatrends, Inc. in the header and > SAMSUNG Electronic BIOS Team u5.4 c2.10.1208 in the footer. The device has been produced in September 2012 and was shipped with Windows 7 Pro OA, in case that matters.
(In reply to Hans de Goede from comment #5) > In case anyone else wants to test this, here is a scratch build of the > latest Fedora kernel with these patches applied: > > https://fedorapeople.org/~jwrdegoede/rhbz1497559/ > > I can confirm that these patches fix the error messages for me. > > To test, download all files (except the .src.rpm) to a directory and from > that > directory run: > > sudo rpm -ivh kernel*.rpm > > Note -ivh not -Uvh so that you keep your current working kernel. > > Then reboot into the new kernel and the errors should be gone. I'm experiencing the same issue for a while, having tested the patched kernel I can confirm that at startup I don't see the error message.
(In reply to Hans de Goede from comment #5) > In case anyone else wants to test this, here is a scratch build of the > latest Fedora kernel with these patches applied: > > https://fedorapeople.org/~jwrdegoede/rhbz1497559/ Works fine and the error message is gone now.
The patch worked for me as well. Unfortunately recent kernel releases don't include that (I had kernel version newer than this patch and installed that with rpm --force). Could that be incorporated into new kernels?
(In reply to Hans de Goede from comment #5) > In case anyone else wants to test this, here is a scratch build of the > latest Fedora kernel with these patches applied: > > https://fedorapeople.org/~jwrdegoede/rhbz1497559/ > > I can confirm that these patches fix the error messages for me. > These patches work but they didn't made to the official kernel yet. Is it possible to add them? Tested under Apple iMac 12,2 and Apple MacBookPro 12,1. Both are affected by this bug. I've rebuilt the latest available kernel by adding the following patches from Hans' SRPM: - 0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch - 0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch - 0003-Make-get_cert_list-use-efi_status_to_str-to-print-er.patch Results are available on Koji: https://koji.fedoraproject.org/koji/taskinfo?taskID=23592039 If I may be any more helpful, please let me know. Cheers.
(In reply to Giovanni Grieco from comment #10) > they didn't made to the official kernel yet. Is it > possible to add them? > Oops, just checked linux-4.14.4-300. It is all OK, sorry.
I'm still seeing this problem on 4.14.6-300.fc27.x86_64 kernel. Is it only fixed in F26 branch?
(In reply to Gurenko Alex from comment #12) > I'm still seeing this problem on 4.14.6-300.fc27.x86_64 kernel. Is it only > fixed in F26 branch? Not fixed in F26. Still seeing this on my Lenovo X220 with latest kernel-4.14.6-200.fc26
I still see this error on my HP EliteBook G3, kernel 4.14.8-300.fc27.x86_64
I've pushed these patches to the kernel repos for F26, F27, and rawhide, so they should be fixed in the next builds.
(In reply to Peter Jones from comment #15) > I've pushed these patches to the kernel repos for F26, F27, and rawhide, so > they should be fixed in the next builds. The f26 version of MODSIGN patches seem to have gone into a wrong branch, i.e. '26' instead of 'f26'
Fixed in kernel-4.14.13-300.fc27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-21a7ad920c
Fixed in kernel-4.14.13-300.fc27.
We apologize for the inconvenience. There is a large number of bugs to go through and several of them have gone stale. The kernel moves very fast so bugs may get fixed as part of a kernel update. Due to this, we are doing a mass bug update across all of the Fedora 26 kernel bugs. Fedora 26 has now been rebased to 4.15.4-200.fc26. Please test this kernel update (or newer) and let us know if you issue has been resolved or if it is still present with the newer kernel. If you have moved on to Fedora 27, and are still experiencing this issue, please change the version to Fedora 27. If you experience different issues, please open a new bug report for those.
This issue has been seen last with kernel 4.14.11 on 2018-01-20, but not with kernel 4.14.13 or later. Thank you for fixing this issue!
I noticed that I got this error again on a fresh new install of Fedora 27 with kernel 4.15.9-300.fc27.x86_64. As stated by Christian, this error was solved in past kernel versions. Here is an excerpt of dmesg output: ``` [ 1.140951] Loading compiled-in X.509 certificates [ 1.181095] Loaded X.509 cert 'Fedora kernel signing key: 7bf71b7aa6845adff2b1cf1f1968839d5134fb7e' [ 1.189613] Couldn't get size: 0x800000000000000e [ 1.189647] MODSIGN: Couldn't get UEFI db list [ 1.198433] Loaded UEFI:MokListRT cert 'Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42' linked to secondary sys keyring [ 1.202714] Couldn't get size: 0x800000000000000e [ 1.202734] MODSIGN: Couldn't get UEFI dbx list ```
(In reply to Giovanni Grieco from comment #22) > I noticed that I got this error again on a fresh new install of Fedora 27 > with kernel 4.15.9-300.fc27.x86_64. As stated by Christian, this error was > solved in past kernel versions. I don't reproduce this on the same kernel version. Shall I reopen bug report or will you create a new one?
(In reply to Christian Stadelmann from comment #23) > I don't reproduce this on the same kernel version. Shall I reopen bug report > or will you create a new one? I think it's better if I open a new one, I've just self-compiled latest 4.15.10 from f27 branch and the error doesn't occur anymore. Thank you.