
shim needs to be updated because the Fedora v13 shim is signed with Microsoft UEFI CA 2011 certificate which was revoked by Microsoft and put in the revocation list of new motherboards #15

Closed
rwasef1830 opened this issue May 7, 2022 · 10 comments

Comments

@rwasef1830
Hello,
On new motherboards such as Gigabyte B550 Vision D-P, the UEFI comes out of the box with Microsoft UEFI CA issued in 2011 in the revoked keys list, so all such motherboards will refuse to boot the shim version used in this project.

It is recommended to use the shim version of a recent Linux distribution such as Ubuntu or openSUSE.

Details about the revocation:
https://support.microsoft.com/en-us/topic/microsoft-guidance-for-applying-secure-boot-dbx-update-kb4575994-e3b9e4cb-a330-b3ba-a602-15083965d9ca

@ValdikSS
Owner

ValdikSS commented May 8, 2022

Neither of the shim files used in SUISBD is present in the UEFI revocation file; however, Microsoft's revocation lists may (and probably do) include additional revocation information, so UEFI Forum's dbxupdate.bin may not be complete, so to speak.

Current signed shim version from Fedora contains a bug which prevents it from booting on some machines. I'll update SUISBD to use the known-good shim-15-8 version, but this disk was created as a proof-of-concept and is not planned to be maintained or enhanced. I should stress that in the readme.
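
The check described in the comment above (is a given shim's hash in the dbx?) can be done offline once you have the dbx contents and the binary's hash. The following is an added example written for this thread, not code from SUISBD or its author. It parses a chain of EFI_SIGNATURE_LIST structures as defined in the UEFI specification and looks up an Authenticode hash in the EFI_CERT_SHA256 entries. Assumptions: the input is raw signature-list data, such as `efi-readvar -v dbx -o dbx.esl` produces, or `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` with its 4-byte attribute prefix stripped (the `load_dbx_from_efivars` helper does that); UEFI Forum's dbxupdate.bin additionally carries an EFI_VARIABLE_AUTHENTICATION_2 header in front that must be skipped first. The hash to look up is the PE Authenticode hash of the binary (for example from `pesign --hash --in shimx64.efi`), not a plain SHA-256 of the file. The sample dbx, its owner GUID and its hash values are constructed for the example.

```python
import hashlib
import struct
import uuid

# EFI_SIGNATURE_LIST header: SignatureType (GUID), SignatureListSize,
# SignatureHeaderSize, SignatureSize; the three sizes are little-endian UINT32.
ESL_HEADER = struct.Struct("<16sIII")
OWNER_LEN = 16  # every EFI_SIGNATURE_DATA starts with a SignatureOwner GUID

# Signature type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")


def parse_esl(blob):
    """Return a list of (signature_type, owner, data) tuples for every
    EFI_SIGNATURE_DATA found in a chain of EFI_SIGNATURE_LISTs.
    Raises ValueError on truncated or inconsistent structures."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        if list_size < ESL_HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size <= OWNER_LEN:
            raise ValueError(f"SignatureSize {sig_size} too small at offset {off}")
        sig_type = uuid.UUID(bytes_le=type_raw)
        body = blob[off + ESL_HEADER.size + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError(f"signature area not a multiple of SignatureSize at offset {off}")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + OWNER_LEN])
            entries.append((sig_type, owner, body[i + OWNER_LEN:i + sig_size]))
        off += list_size
    return entries


def is_wellformed(blob):
    """True if the whole blob parses as a chain of signature lists."""
    try:
        parse_esl(blob)
        return True
    except ValueError:
        return False


def revoked_hashes(blob):
    """Lower-case hex of every EFI_CERT_SHA256 entry (Authenticode hashes)."""
    return {data.hex() for t, _, data in parse_esl(blob) if t == EFI_CERT_SHA256_GUID}


def is_revoked(blob, authenticode_hex):
    """True if the given PE Authenticode SHA-256 hash is listed in the dbx.
    Note: X.509 entries revoke by signing certificate and are not evaluated
    here; that needs the binary's signature chain, not just its hash."""
    return authenticode_hex.lower() in revoked_hashes(blob)


def load_dbx_from_efivars(path):
    """Read a dbx variable from efivarfs; the first 4 bytes are the
    variable attributes and are not part of the signature lists."""
    with open(path, "rb") as f:
        return f.read()[4:]


def build_signature_list(sig_type, owner, payloads):
    """Serialize one EFI_SIGNATURE_LIST (empty SignatureHeader) holding
    `payloads`, which must all have the same length as the spec requires."""
    if any(len(p) != len(payloads[0]) for p in payloads):
        raise ValueError("all signatures in one list must have the same size")
    sig_size = OWNER_LEN + len(payloads[0])
    list_size = ESL_HEADER.size + sig_size * len(payloads)
    out = ESL_HEADER.pack(sig_type.bytes_le, list_size, 0, sig_size)
    for p in payloads:
        out += owner.bytes_le + p
    return out


# Constructed sample dbx: two SHA-256 hash entries and one X.509 entry.
# The owner GUID, hashes and certificate bytes are made up for this example.
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")
REVOKED_A = hashlib.sha256(b"constructed: authenticode hash stand-in A").digest()
REVOKED_B = hashlib.sha256(b"constructed: authenticode hash stand-in B").digest()
FAKE_CERT = b"\x30\x03\x02\x01\x01"  # DER-looking filler, not a real certificate
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [REVOKED_A, REVOKED_B])
    + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [FAKE_CERT])
)

if __name__ == "__main__":
    for t, owner, data in parse_esl(SAMPLE_DBX):
        kind = "sha256" if t == EFI_CERT_SHA256_GUID else "x509" if t == EFI_CERT_X509_GUID else str(t)
        print(f"{kind:6} owner={owner} data={data.hex()[:32]}...")
    print("REVOKED_A listed:", is_revoked(SAMPLE_DBX, REVOKED_A.hex()))
    print("zero hash listed:", is_revoked(SAMPLE_DBX, "00" * 32))
```

A hit in the SHA-256 entries is conclusive, but a miss is not: as the comment says, Microsoft's dbx update may contain entries the UEFI Forum file lacks, and an X.509 entry in the dbx revokes every binary signed under that certificate regardless of hash.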

@ValdikSS
Owner

ValdikSS commented May 8, 2022

> It is recommended to use the shim version of a recent linux distribution such as ubuntu

Ubuntu's shim does not load third-party EFI executables, so it's not suitable for the purpose of this disk. I haven't checked openSUSE.

@ValdikSS ValdikSS closed this as completed May 8, 2022
@3pichaxz0r

The shim provided in the newest release appears to not be bootable (with Secure Boot enabled) on Lenovo ThinkPad E14 Gen 3 laptops. I tested a few things and I was able to get the shim included in the latest release of Fedora to boot on the device, but I am unable to get it to boot the preloader binary when using the updated shim (I assume some sort of security restriction?). I am able to get other MOK-signed EFI binaries to boot on that laptop using the latest Fedora shim, such as iPXE.

If you have any advice on what I could try to fix this on my own that would be awesome. I'm not against compiling things from source if needed.

@ValdikSS
Owner

@3pichaxz0r, what exactly happens when you try to boot the disk?

@3pichaxz0r

Specifically on these newer Lenovo laptops it just flashes the screen for a second (like it's attempting to boot) and then just shows the boot menu again. With Secure Boot disabled it works fine. On any older laptops or desktops I test it on it works fine too.

If you'd like me to gather any information from the Lenovo laptops that won't boot, such as denied Secure Boot certificates, let me know.

@ValdikSS
Owner

@3pichaxz0r This sounds like it successfully loads the file but something is wrong with preloader. As far as I remember, I stripped out all UI; I will try to add it back and make a file for you.

@3pichaxz0r

3pichaxz0r commented May 19, 2022

You are probably right. I thought the shim was the issue because I thought I remembered testing my self-signed iPXE binary with the provided shim and having the same issue, but I just tested again to make sure and it was able to successfully boot the self-signed iPXE binary I made using the provided shim.

I really appreciate the help.

@SeriousHoax

@ValdikSS I recently learned Ventoy uses your Super-UEFIinSecureBoot-Disk. And after upgrading the BIOS I can't use it anymore with secure boot enabled. Can you have a look at the issue I created there, and can you share your thoughts on this?
ventoy/Ventoy#1666

@Arcitec

Arcitec commented Dec 28, 2022

@ValdikSS Solved: ventoy/Ventoy#1243 (comment)
