Grub2 fails on ASUS X201E when Secure Boot is enabled

Bug #1187233 reported by Franz Hsieh
This bug affects 5 people

Affects               Status        Importance  Assigned to     Milestone
OEM Priority Project  Fix Released  High        Ara Pulido
  Precise             Fix Released  Undecided   Unassigned
grub                  New           Undecided   Unassigned
shim (Ubuntu)         Fix Released  Undecided   Steve Langasek
  Precise             Fix Released  Undecided   Unassigned

Bug Description

Summary:
  I downloaded images from ubuntu.com and used usb-creator-gtk to create a bootable USB stick.
  Then I used the USB key to boot my ASUS X201E laptop, and it always fails to boot into the OS.

  These images all failed:
    ubuntu-12.04.2-desktop-amd64.iso
    ubuntu-12.10-desktop-amd64.iso
    ubuntu-13.04-desktop-amd64.iso

  I also enabled grub2 debug messages, and found they all fail on:
    loader/i386/efi/linux.c:69: Asking shim to verify kernel signature.

  The BIOS revision of the ASUS X201E is 209, which can be downloaded from the official ASUS website.

  Additionally, Win8 and Fedora-18 can be booted and installed on this platform.

Changed in oem-priority:
importance: Undecided → Critical
Colin Watson (cjwatson)
affects: grub2 (Ubuntu) → shim (Ubuntu)
Ara Pulido (ara)
Changed in shim (Ubuntu):
assignee: nobody → Brian Murray (brian-murray)
Ivan Hu (ivan.hu) wrote :

Got the log with grub, set debug=all, and it stops at:

...
loader/i386/efi/linux.c:60: Locating shim protocol
loader/i386/efi/linux.c:69: Asking shim to verify kernel signature

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in shim (Ubuntu):
status: New → Confirmed
Steve Langasek (vorlon)
Changed in shim (Ubuntu):
assignee: Brian Murray (brian-murray) → Steve Langasek (vorlon)
Changed in oem-priority:
assignee: nobody → James M. Leddy (jm-leddy)
Ara Pulido (ara)
Changed in oem-priority:
status: New → Confirmed
Pander (pander) wrote :
Ivan Hu (ivan.hu) wrote :

It seems the shim installs the UEFI protocol in shim.c:

EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
{
        ...
        /* shim exports its verifier through the SHIM_LOCK protocol */
        shim_lock_interface.Verify = shim_verify;
        ...
        uefi_call_wrapper(BS->InstallProtocolInterface, 4, &handle,
                          &shim_lock_guid, EFI_NATIVE_INTERFACE,
                          &shim_lock_interface);
}

And grub uses the protocol to verify the signature, but stopped in the second call,
in grub loader/i386/efi/linux.c:

  if (shim_lock->verify(data, size) == GRUB_EFI_SUCCESS)
    return 1;

  grub_dprintf ("linuxefi", "Asking shim to verify kernel signature\n");
  status = shim_lock->verify(data, size);   /* call into shim; this is where it hangs */
  if (status == GRUB_EFI_SUCCESS)
    {
      grub_dprintf ("linuxefi", "Kernel signature verification passed\n");
      return 1;
    }

  grub_dprintf ("linuxefi", "Kernel signature verification failed (0x%lx)\n",
                (unsigned long) status);
  return 0;

Steve Langasek (vorlon) wrote :

Franz, I am attaching a series of files to aid in debugging here (a pair of EFI executables and a test key). Could you please do the following:

 - on your USB stick (based on any of 12.04.2, 12.10, or 13.04 - doesn't matter), mount the UEFI boot partition
 - copy LockDown.efi onto the partition - anywhere is fine
 - copy shimx64.efi to /EFI/ubuntu/BOOTX64.EFI on the partition
 - unmount
 - boot the system to the firmware, and put the machine into Secure Boot Setup Mode
 - insert the USB stick in the machine and browse to its UEFI boot partition
 - run ("boot") the LockDown.efi program
 - try to boot the USB stick (either from a normal "boot" option, or by browsing to \EFI\ubuntu\BOOTX64.EFI)

Please let me know if this succeeds or if it still fails in the same way.

Steve Langasek (vorlon) wrote :

Steve Langasek (vorlon) wrote :
  Attachment: DB.crt (1.0 KiB, application/x-x509-ca-cert)

Steve Langasek (vorlon) wrote :
Franz Hsieh (franz-hsieh) wrote :

@Steve,

Please help me check if my steps are correct.

note: The platform runs Ubuntu-12.04.2 for ASUS image.

<BOOT the platform in non-secure mode>
1. copy LockDown.efi to /boot/efi/ <EFI partition mount point>
2. copy shimx64.efi to /boot/efi/EFI/ubuntu/BOOTX64.EFI
3. reboot and change to secure mode in BIOS
4. boot
5. failed (Secure Boot Violation, see the picture)

Stéphane Graber (stgraber) wrote :

So at Steve's request, I tested the new shim here and while it properly starts grub, it's actually worse than the in-archive version as the new one will also hang when booting a signed kernel (for me, the in-archive one works only for signed kernels).

Running with grub in debug mode (set debug=all), I see it hang in the shim callback in both cases (signed and unsigned).

Steve Langasek (vorlon) wrote : Re: [Bug 1187233] Re: Grub2 fails on ASUS X201E when Secure Boot is enabled

Hi Franz,

On Fri, Jul 05, 2013 at 09:07:13AM -0000, Franz Hsieh wrote:
> Please help me check if my steps are correct.

> note: The platform runs Ubuntu-12.04.2 for ASUS image.

> <BOOT the platform to non-secure mode>
> 1. copy LockDown.efi to /boot/efi/ <EFI partition mount point>
> 2. copy shimx64.efi to /boot/efi/EFI/ubuntu/BOOTX64.EFI
> 3. reboot and change to secure mode in BIOS

This step is wrong. After copying LockDown.efi to /boot/efi, you next need
to *boot* LockDown.efi from the firmware while in setup mode. LockDown.efi
handles the process of configuring the firmware's SecureBoot support to
include the key used for signing this shim binary, so that you can do a true
SecureBoot boot with a test binary.

After running LockDown.efi, you should be able to boot shimx64.efi in Secure
Boot mode without a security violation.

Steve Langasek (vorlon) wrote :

Hi Franz,

Any further updates here? Did my clarification of the steps make sense?

Changed in shim (Ubuntu):
status: Confirmed → Incomplete
Franz Hsieh (franz-hsieh) wrote :

@Steve

We have run LockDown.efi and then enabled secure boot.

The errors are attached in the picture.

Ara Pulido (ara)
Changed in shim (Ubuntu):
status: Incomplete → Confirmed
Steve Langasek (vorlon) wrote :

Hi Franz,

On Wed, Jul 17, 2013 at 06:53:59AM -0000, Franz Hsieh wrote:
> We have run LockDown.efi and then enable secure boot.

> The errors are attached in the picture.

> ** Attachment added: "17 下午2:50:10.jpeg"
> https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1187233/+attachment/3739636/+files/17%20%E4%B8%8B%E5%8D%882%3A50%3A10.jpeg

Thanks for the test. It looks like we're getting farther. The error
messages here indicate that the \EFI\ubuntu\grubx64.efi on this disk is not
signed with the Canonical key. In fact, it's not signed by any key ("Empty
security header"). Can you double-check your image, and make sure to use
the unmodified grubx64.efi from the standard Ubuntu image? The *only*
change from the standard Ubuntu image at this point should be the copy of
shim.

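The "Empty security header" diagnosis above and Ivan Hu's walk-through of the shim_lock protocol earlier in the thread describe two halves of one hand-off: GRUB locates shim's protocol and calls Verify() on the image, and shim first looks at the PE/COFF Certificate Table data directory (index 4) to see whether there is any Authenticode signature to check. The program below is an added example, not code from the bug report, shim or GRUB. It models that hand-off against in-memory PE images that are constructed for the demo: a shim-style Verify() that parses the Certificate Table entry and refuses an image whose entry is empty, and a GRUB-style caller that turns the status into a boot/refuse decision. Header offsets follow the PE/COFF specification; the protocol struct has the same shape as shim_lock_interface; the EFI status values and the fail-closed handling of a missing protocol are this example's own choices, and real Authenticode checking against db/MokList is deliberately not modelled.

```c
/* Added example (not code from the bug report, shim or GRUB): a model of the
 * GRUB -> shim Verify() hand-off from this thread, including the pre-check
 * behind shim's "Empty security header" message.  Header offsets follow the
 * PE/COFF spec; the protocol struct mirrors shim_lock_interface; status codes,
 * the fail-closed no-shim path and the sample images are constructed for the
 * demo.  Authenticode is not modelled: a present, in-bounds certificate table
 * is treated as verified. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t efi_status_t;
#define EFIERR(n)              (0x8000000000000000ULL | (n))   /* 64-bit UEFI error bit */
#define EFI_SUCCESS            0ULL
#define EFI_INVALID_PARAMETER  EFIERR(2)
#define EFI_SECURITY_VIOLATION EFIERR(26)

typedef efi_status_t (*shim_verify_fn)(const void *buffer, uint32_t size);
typedef struct { shim_verify_fn Verify; } shim_lock_t;   /* shape of shim_lock_interface */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff; }

/* Locate the Certificate Table (data directory 4) of a PE32/PE32+ image.
 * Returns 0 and fills off/size, or -1 if the headers are malformed. */
int pe_security_dir(const uint8_t *img, size_t len, uint32_t *off, uint32_t *size)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + 0x3c);                                 /* e_lfanew */
    if (pe > len || len - pe < 26 || memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    const uint8_t *coff = img + pe + 4;
    uint16_t opt_size = rd16(coff + 16);                            /* SizeOfOptionalHeader */
    const uint8_t *opt = coff + 20;
    if ((size_t)(opt - img) + opt_size > len) return -1;
    uint32_t nrva_off, dir_off;                 /* NumberOfRvaAndSizes / first data directory */
    switch (rd16(opt)) {
    case 0x20b: nrva_off = 108; dir_off = 112; break;              /* PE32+ */
    case 0x10b: nrva_off = 92;  dir_off = 96;  break;              /* PE32  */
    default:    return -1;
    }
    if (opt_size < nrva_off + 4 || rd32(opt + nrva_off) <= 4 || opt_size < dir_off + 5 * 8)
        return -1;                              /* no Certificate Table directory at all */
    *off  = rd32(opt + dir_off + 4 * 8);        /* for this directory: a file offset, not an RVA */
    *size = rd32(opt + dir_off + 4 * 8 + 4);
    return 0;
}

/* shim-style Verify(): decides whether there is a signature to check at all. */
efi_status_t shim_verify(const void *buffer, uint32_t size)
{
    uint32_t off, sz;
    if (pe_security_dir(buffer, size, &off, &sz) != 0)
        return EFI_INVALID_PARAMETER;           /* not a PE image we could load */
    if (sz == 0) {
        puts("Empty security header");          /* the message in Franz's screenshot */
        return EFI_SECURITY_VIOLATION;
    }
    if ((uint64_t)off + sz > size)
        return EFI_INVALID_PARAMETER;           /* table points outside the image */
    return EFI_SUCCESS;   /* real shim would parse WIN_CERTIFICATE and check db/MokList here */
}

/* GRUB-style caller around shim_lock->Verify(), as in loader/i386/efi/linux.c.
 * A missing protocol fails closed here; the thread does not show GRUB's own handling. */
int grub_style_validate(const shim_lock_t *shim_lock, const void *data, uint32_t size)
{
    if (!shim_lock) { puts("shim not available"); return 0; }
    puts("Asking shim to verify kernel signature");
    efi_status_t status = shim_lock->Verify(data, size);
    if (status == EFI_SUCCESS) { puts("Kernel signature verification passed"); return 1; }
    printf("Kernel signature verification failed (0x%llx)\n", (unsigned long long)status);
    return 0;
}

/* Constructed sample: MZ stub, PE signature, COFF header, PE32+ optional header with
 * 16 directories.  cert_size sets the Certificate Table size (0 = unsigned image).
 * Returns the image length; every sample here fits in a 512-byte buffer. */
size_t build_sample_pe(uint8_t *buf, size_t cap, uint32_t cert_size)
{
    const uint32_t pe_off = 0x40;
    const uint16_t opt_size = 112 + 16 * 8;
    const uint32_t cert_off = pe_off + 4 + 20 + opt_size;   /* table directly after headers */
    memset(buf, 0, cap);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, pe_off);
    memcpy(buf + pe_off, "PE\0\0", 4);
    uint8_t *coff = buf + pe_off + 4, *opt = coff + 20;
    wr16(coff + 0, 0x8664);                     /* Machine: x86-64 */
    wr16(coff + 16, opt_size);
    wr16(opt + 0, 0x20b);                       /* Magic: PE32+ */
    wr32(opt + 108, 16);                        /* NumberOfRvaAndSizes */
    wr32(opt + 112 + 4 * 8, cert_size ? cert_off : 0);
    wr32(opt + 112 + 4 * 8 + 4, cert_size);
    return cert_off + cert_size;
}

/* Scenarios from the thread. */
int demo_unsigned_image(void)      /* grubx64.efi with an empty security header -> refused */
{
    uint8_t img[512]; shim_lock_t lock = { shim_verify };
    size_t n = build_sample_pe(img, sizeof img, 0);
    return grub_style_validate(&lock, img, (uint32_t)n);
}
int demo_signed_image(void)        /* same headers with a 64-byte certificate table -> accepted */
{
    uint8_t img[512]; shim_lock_t lock = { shim_verify };
    size_t n = build_sample_pe(img, sizeof img, 64);
    return grub_style_validate(&lock, img, (uint32_t)n);
}
int demo_no_shim(void)             /* protocol never installed -> refused (fail closed) */
{
    uint8_t img[512];
    size_t n = build_sample_pe(img, sizeof img, 64);
    return grub_style_validate(NULL, img, (uint32_t)n);
}
efi_status_t demo_not_a_pe(void)   /* garbage handed to Verify() -> EFI_INVALID_PARAMETER */
{
    return shim_verify("not a PE image", 14);
}

int main(void)
{
    printf("unsigned image: %s\n", demo_unsigned_image() ? "boot" : "refuse");
    printf("signed image:   %s\n", demo_signed_image() ? "boot" : "refuse");
    printf("no shim:        %s\n", demo_no_shim() ? "boot" : "refuse");
    return 0;
}
```

Compile with `cc -std=c99 -Wall example.c && ./a.out`. The unsigned sample reproduces the exact symptom Steve read off the photo: the image parses cleanly, but directory 4 has size 0, so there is nothing for shim to verify and the boot is refused before any key in db or MokList is consulted. Against a real ESP the same pre-check is what `sbverify --list` or `pesign -S` report as "no signatures" on a grubx64.efi that was rebuilt or stripped.
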
Franz Hsieh (franz-hsieh) wrote :

I used the ubuntu-13.04 image to create a bootable USB stick,
copied shimx64.efi to <USB:>/EFI/ubuntu/BOOTX64.EFI,
entered setup mode and ran LockDown.efi to import the keys,
added a boot entry pointing at <USB>/EFI/ubuntu/BOOTX64.EFI, and then booted this entry.

I finally got the same result as in #13.

Is there anything wrong with my steps?

Ara Pulido (ara) wrote :

Confirmed with Emily Chien that this can be High, instead of Critical

Changed in oem-priority:
assignee: James M. Leddy (jm-leddy) → Ara Pulido (apulido)
importance: Critical → High
Steve Langasek (vorlon) wrote :

Franz, the steps you've taken here sound absolutely correct, so I don't understand how it ends up with shim unable to verify grub.

There will be an updated signed shim in saucy shortly. It would be good if you could retest with the stock saucy daily images once that lands.

Ara Pulido (ara) wrote :

Steve, is the updated shim now available to test?

Steve Langasek (vorlon) wrote :

Ara, Franz, the updated shim is now available in saucy. Today's daily image should include everything. http://cdimage.ubuntu.com/daily-live/current/saucy-desktop-amd64.iso

Steve Langasek (vorlon) wrote :

waiting for feedback on the new shim in saucy.

Changed in shim (Ubuntu):
status: Confirmed → Incomplete
Franz Hsieh (franz-hsieh) wrote :

@Steve

I tested the saucy 20130912 build on ASUS X200CA with secure boot enabled.
Now Ubuntu can successfully boot and install on this platform.

The grub version is 2.00-18ubuntu1

Franz Hsieh (franz-hsieh) wrote :

The passed BIOS versions are 203 and 207.

Steve Langasek (vorlon) wrote :

thanks, marking this fixed for saucy.

Changed in shim (Ubuntu):
status: Incomplete → Fix Released
Ara Pulido (ara) wrote :

Can we have this fixed in Precise as well?

Ara Pulido (ara) wrote :
Ara Pulido (ara)
Changed in oem-priority:
milestone: none → ubuntu12.04.4
status: Confirmed → Fix Committed
Changed in shim (Ubuntu Precise):
status: New → Fix Committed
Ara Pulido (ara) wrote :

12.04.4 is now released. Marking as Fix Released in the OEM priority project

Changed in shim (Ubuntu Precise):
status: Fix Committed → Fix Released
Changed in oem-priority:
status: Fix Committed → Fix Released