Bug 1497854 - upgrade F26 - F27 fails on reboot due to missing shim.efi
Summary: upgrade F26 - F27 fails on reboot due to missing shim.efi
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: shim-signed
Version: 27
Hardware: aarch64
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Peter Jones
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: ARMTracker F27FinalFreezeException
TreeView+ depends on / blocked
 
Reported: 2017-10-02 21:05 UTC by Paul Whalen
Modified: 2017-12-04 20:53 UTC (History)
4 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2017-10-10 19:28:33 UTC


Attachments (Terms of Use)

Description Paul Whalen 2017-10-02 21:05:30 UTC
Description of problem:
Upgrading from Fedora 26->27 fails on reboot due to missing shim.efi, now named shimaa64.efi. 

Version-Release number of selected component (if applicable):
shim-signed-13-0.6

efibootmgr -v
Boot0000* Fedora	HD(1,GPT,5c26d471-d719-4bba-b06c-130339da57d9,0x800,0x64000)/File(\EFI\fedora\shim.efi)

[root@seattle ~]# ls -l /boot/efi/EFI/fedora/
total 3712
-rwx------. 1 root root     112 Sep 20 11:33 BOOTAA64.CSV
drwx------. 2 root root    4096 Oct  2 16:35 fonts
-rwx------. 1 root root 1186552 Sep 20 16:57 grubaa64.efi
-rwx------. 1 root root    5681 Oct  2 16:39 grub.cfg
-rwx------. 1 root root    1024 Oct  2 16:39 grubenv
-rwx------. 1 root root  844808 Sep 20 11:33 mmaa64.efi
-rwx------. 1 root root  868376 Sep 20 11:33 shimaa64.efi
-rwx------. 1 root root  871184 Sep 20 11:33 shimaa64-fedora.efi

Comment 1 Fedora Update System 2017-10-04 17:09:56 UTC
shim-signed-13-0.7 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-e2325fb83d

Comment 2 Paul Whalen 2017-10-05 16:47:50 UTC
fixed with shim-signed-13-0.7

Comment 3 Fedora Update System 2017-10-06 04:28:36 UTC
shim-signed-13-0.7 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-e2325fb83d

Comment 4 Fedora Update System 2017-10-10 19:28:33 UTC
shim-signed-13-0.7 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Yves L'ECUYER 2017-12-04 17:16:55 UTC
(In reply to Fedora Update System from comment #4)
> shim-signed-13-0.7 has been pushed to the Fedora 27 stable repository. If
> problems still persist, please make note of it in this bug report.

Yes it was pushed in stable repository, last week on 30 November 2017 when I made my system upgrade  toward Fedora 27.
===============
Proof:
# dnf info shim-x64
Failed to synchronize cache for repo 'local', disabling.
Last metadata expiration check: 0:03:41 ago on Mon 04 Dec 2017 06:03:10 PM CET.
Installed Packages
Name         : shim-x64
Version      : 13
Release      : 0.7
Arch         : x86_64
Size         : 7.2 M
Source       : shim-signed-13-0.7.src.rpm
Repo         : @System                           (<== so => INSTALLED)
From repo    : fedora
================

AND IT DOES NOT WORK IN SECURE BOOT enabled (for dual boot purpose: Fedora/Windows2012R2) on my HP EliteBook !
AS explained with many details, on equivalent bug relative to x86_64 architecture:
https://bugzilla.redhat.com/show_bug.cgi?id=1512410

SO THERE IS A BUG in the source package itself, or more probably in the private key used to sign shimXXXXX.efi itsself, on Fedora server used to build this package!!!

Comment 6 Yves L'ECUYER 2017-12-04 17:45:26 UTC
(In reply to Yves L'ECUYER from comment #5)
> (In reply to Fedora Update System from comment #4)
> > shim-signed-13-0.7 has been pushed to the Fedora 27 stable repository. If
> > problems still persist, please make note of it in this bug report.
> 
> Yes it was pushed in stable repository, last week on 30 November 2017 when I
> made my system upgrade  toward Fedora 27.
> ===============
> Proof:
> # dnf info shim-x64
> Failed to synchronize cache for repo 'local', disabling.
> Last metadata expiration check: 0:03:41 ago on Mon 04 Dec 2017 06:03:10 PM
> CET.
> Installed Packages
> Name         : shim-x64
> Version      : 13
> Release      : 0.7
> Arch         : x86_64
> Size         : 7.2 M
> Source       : shim-signed-13-0.7.src.rpm
> Repo         : @System                           (<== so => INSTALLED)
> From repo    : fedora
> ================
> 
> AND IT DOES NOT WORK IN SECURE BOOT enabled (for dual boot purpose:
> Fedora/Windows2012R2) on my HP EliteBook !
> AS explained with many details, on equivalent bug relative to x86_64
> architecture:
> https://bugzilla.redhat.com/show_bug.cgi?id=1512410
> 
> SO THERE IS A BUG in the source package itself, or more probably in the
> private key used to sign shimXXXXX.efi itsself, on Fedora server used to
> build this package!!!

OK the context of this bug report is not the same as bug1512410
Paul Whalen was just complaining about the lacking of shim.efi in EFI file system.
This is no more the case in new package on line shim-x64-13-0.7, because for architecture x86_64 
 shim.efi and shimx64.efi, exist and have the same content:
# ll /boot/efi/EFI/fedora/shim*
-rwx------. 1 root root 1293304 Oct  4 17:39 /boot/efi/EFI/fedora/shim.efi
-rwx------. 1 root root 1293304 Oct  4 17:39 /boot/efi/EFI/fedora/shimx64.efi
-rwx------. 1 root root 1206896 Oct  4 17:39 /boot/efi/EFI/fedora/shimx64-fedora.efi

[root@encelade utils]# diff /boot/efi/EFI/fedora/shim.efi  /boot/efi/EFI/fedora/shimx64.efi
[root@encelade utils]#
===========
And I suppose that Paul is not working in a secure boot UEFI environment,
so he did not notice the problem with the signature of shim.efi itself ?

Comment 7 Yves L'ECUYER 2017-12-04 20:53:41 UTC
I made a last comment in bug report 1512410
https://bugzilla.redhat.com/show_bug.cgi?id=1512410#c33

in which I'm talking about what I have experienced.
And because Peter Jones, is the member developer team which works on some shim package update, maybe , you can help to solve this problem about
booting with shim**.efi, in secure boot environment

I have no more ideas, than the ones exposed in this last  comment pointed by link above.
Thanks for any help


Note You need to log in before you can comment on or make changes to this bug.