Bug 2062569 - Mok* and SbatLevelRT variables are not available/visible on VMware systems
Status: MODIFIED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: shim-unsigned-x64
Version: 8.5
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Bootloader engineering team
QA Contact: Release Test Team
Reported: 2022-03-10 07:14 UTC by Renaud Métrich
Modified: 2023-08-11 07:28 UTC

Fixed In Version: shim-15.5-2.el8
Type: Bug


Attachments
Shim verbose log showing initial SbatLevelRT assignment on VMWare (117.20 KB, image/png)
2022-03-10 07:16 UTC, Renaud Métrich
Shim verbose log showing second SbatLevelRT assignment on VMWare (114.86 KB, image/png)
2022-03-10 07:17 UTC, Renaud Métrich
Shim verbose log on KVM (12.17 KB, text/plain)
2022-03-10 07:18 UTC, Renaud Métrich


Links
Red Hat Issue Tracker RHELPLAN-115101 (Last Updated: 2022-03-10 07:29:00 UTC)

Description Renaud Métrich 2022-03-10 07:14:39 UTC
Description of problem:

When listing the variables using "efivar -l" on VMware systems, there seems to be no Mok* variable available or visible:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# efivar -l | egrep "(Mok|Sbat)"
#
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

The variables are only present in the /sys/firmware/efi/mok-variables directory:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# ls -l /sys/firmware/efi/mok-variables/
total 0
-r--------. 1 root root   0 Mar 10 01:42 MokIgnoreDB
-r--------. 1 root root 964 Mar 10 01:42 MokListRT
-r--------. 1 root root  76 Mar 10 01:42 MokListXRT
-r--------. 1 root root   0 Mar 10 01:42 MokSBStateRT
-r--------. 1 root root  18 Mar 10 01:42 SbatLevelRT
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Trying to understand why this happens, while booting in Verbose mode, I can see a difference between my KVM system and my VMware system:

- KVM

    -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
    mok.c:936:import_one_mok_state() maybe mirroring "SbatLevel".  original data:
    mok.c:937:import_one_mok_state() 00000000  XX XX XX XX XX XX XX XX  73 62 61 74 2c 31 2c 32  XXXXXXXX|sbat,1,2|
    mok.c:937:import_one_mok_state() 00000008  30 32 31 30 33 30 32 31  38 0a XX XX XX XX XX XX  |021030218.|
    mok.c:640:mirror_one_mok_variable() v->name:"SbatLevel" v->rtname:"SbatLevelRT"
     :
    mok.c:791:mirror_one_mok_variable() SetVariable("SbatLevelRT", ... varsz=0x12) = Success
    mok.c:836:mirror_one_mok_variable() returning Success
     :
    mok.c:853:maybe_mirror_one_mok_variable() deleting "SbatLevelRT"
    mok.c:855:maybe_mirror_one_mok_variable() LibDeleteVariable("SbatLevelRT",...) => Invalid Parameter
    mok.c:640:mirror_one_mok_variable() v->name:"SbatLevel" v->rtname:"SbatLevelRT"
    -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

- VMware (transcript, serial console doesn't work during early boot)

    -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
    mok.c:936:import_one_mok_state() maybe mirroring "SbatLevel".  original data:
    mok.c:937:import_one_mok_state() 00000000  XX XX XX XX XX XX XX XX  73 62 61 74 2c 31 2c 32  XXXXXXXX|sbat,1,2|
    mok.c:937:import_one_mok_state() 00000008  30 32 31 30 33 30 32 31  38 0a XX XX XX XX XX XX  |021030218.|
    mok.c:640:mirror_one_mok_variable() v->name:"SbatLevel" v->rtname:"SbatLevelRT"
     :
    mok.c:791:mirror_one_mok_variable() SetVariable("SbatLevelRT", ... varsz=0x12) = Success
    mok.c:836:mirror_one_mok_variable() returning Success
     :
    mok.c:853:maybe_mirror_one_mok_variable() deleting "SbatLevelRT"
    mok.c:855:maybe_mirror_one_mok_variable() LibDeleteVariable("SbatLevelRT",...) => Success
    mok.c:640:mirror_one_mok_variable() v->name:"SbatLevel" v->rtname:"SbatLevelRT"
    -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

In the "mok.c:855" line above, there is a **Success** on VMware instead of the **Invalid Parameter** seen on KVM.
I don't know if it's relevant or not.

Version-Release number of selected component (if applicable):

shim-x64-15.4-2.el8_1.x86_64


How reproducible:

Always

Steps to Reproduce:
1. Boot a VMware VM in UEFI mode

Actual results:

No variables

Expected results:

Variables

Comment 1 Renaud Métrich 2022-03-10 07:16:55 UTC
Created attachment 1865094
Shim verbose log showing initial SbatLevelRT assignment on VMWare

Comment 2 Renaud Métrich 2022-03-10 07:17:26 UTC
Created attachment 1865095
Shim verbose log showing second SbatLevelRT assignment on VMWare

Comment 3 Renaud Métrich 2022-03-10 07:18:31 UTC
Created attachment 1865096
Shim verbose log on KVM

Comment 4 Robbie Harwood 2022-03-10 17:20:51 UTC
Hi Renaud, could you check if this happens with the 15.5 test builds?

Comment 5 Renaud Métrich 2022-03-10 18:59:35 UTC
Works fine with shim-unsigned-x64-15.5-1.el9 (on a RHEL8 VMware):

# efivar -l
605dab50-e046-4300-abb6-3dd810dd8b23-SbatLevelRT
605dab50-e046-4300-abb6-3dd810dd8b23-MokListXRT
605dab50-e046-4300-abb6-3dd810dd8b23-MokListRT
...

Comment 6 Marta Lewandowska 2022-05-06 07:35:28 UTC
Hi Renaud, do you also want to check with the signed shim, since we have it now?
Otherwise, I can set this to verified: tested, if you are finished testing. :)

Comment 7 Renaud Métrich 2022-05-06 08:31:18 UTC
I confirm it works fine with shim-x64-15.5-2.el8:

Before (had shim-x64-15-16.el8.x86_64):
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[root@vmware-rmetrich-normal-67 ~]# efivar -l | grep Mok
--> nothing
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

With shim-x64-15.5-2.el8:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[root@vmware-rmetrich-normal-67 ~]# efivar -l | grep Mok
605dab50-e046-4300-abb6-3dd810dd8b23-MokListXRT
605dab50-e046-4300-abb6-3dd810dd8b23-MokListRT

[root@vmware-rmetrich-normal-67 ~]# efivar -l | grep -i sbat
605dab50-e046-4300-abb6-3dd810dd8b23-SbatLevelRT
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Comment 8 Marta Lewandowska 2022-05-06 11:00:12 UTC
Awesome, thank you.
Setting Verified: Tested based on comment #7.
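
Added example (not part of the bug report and not shim or Red Hat code): a POSIX shell check for the symptom reported above. It lists non-empty entries under /sys/firmware/efi/mok-variables that have no runtime counterpart in efivarfs, and reads the SBAT level from whichever source exists. It assumes efivarfs is mounted at /sys/firmware/efi/efivars; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare the kernel-exported MOK data with the
# runtime-visible UEFI variables (what "efivar -l" lists).

# Vendor GUID taken from the "efivar -l" output quoted in the report.
SHIM_GUID=605dab50-e046-4300-abb6-3dd810dd8b23

# missing_rt_mirrors MOKVAR_DIR EFIVARFS_DIR   (hypothetical helper)
# Print each non-empty name in MOKVAR_DIR that has no <Name>-<GUID>
# entry in EFIVARFS_DIR (efivarfs names its files that way).
missing_rt_mirrors() {
    for f in "$1"/*; do
        [ -e "$f" ] || continue   # empty directory: glob did not expand
        [ -s "$f" ] || continue   # 0-byte entries (MokIgnoreDB, MokSBStateRT
                                  # in the report) have no variable to mirror
        name=${f##*/}
        [ -e "$2/$name-$SHIM_GUID" ] || printf '%s\n' "$name"
    done
}

# sbat_level MOKVAR_DIR EFIVARFS_DIR   (hypothetical helper)
# Print the SBAT level, preferring the runtime variable. An efivarfs file
# begins with a 4-byte attributes word that must be skipped; the
# mok-variables file is the raw 18-byte value (varsz=0x12 in the log).
sbat_level() {
    rt="$2/SbatLevelRT-$SHIM_GUID"
    if [ -r "$rt" ]; then
        tail -c +5 "$rt"
    elif [ -r "$1/SbatLevelRT" ]; then
        cat "$1/SbatLevelRT"
    else
        return 1
    fi
}

# On a live UEFI system, report the entries that were not mirrored.
if [ -d /sys/firmware/efi/mok-variables ]; then
    missing_rt_mirrors /sys/firmware/efi/mok-variables /sys/firmware/efi/efivars
fi
```

On the affected VMware guest described in the report this would print MokListRT, MokListXRT and SbatLevelRT; with shim-x64-15.5-2.el8 it should print nothing.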
