Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1698550
Summary: | Fedora install media error out with SecureBoot or Grub error in UEFI-only mode on T450s | ||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Kamil Páral <kparal> | ||||||||||||
Component: | shim | Assignee: | Matthew Garrett <mjg59> | ||||||||||||
Status: | CLOSED EOL | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||||||||
Severity: | unspecified | Docs Contact: | |||||||||||||
Priority: | unspecified | ||||||||||||||
Version: | 30 | CC: | awilliam, bugzilla, gmarr, jan.public, mjg59, pjones, robatino | ||||||||||||
Target Milestone: | --- | ||||||||||||||
Target Release: | --- | ||||||||||||||
Hardware: | Unspecified | ||||||||||||||
OS: | Unspecified | ||||||||||||||
Whiteboard: | RejectedBlocker AcceptedFreezeException | ||||||||||||||
Fixed In Version: | Doc Type: | If docs needed, set a value | |||||||||||||
Doc Text: | Story Points: | --- | |||||||||||||
Clone Of: | Environment: | ||||||||||||||
Last Closed: | 2020-05-26 17:07:37 UTC | Type: | Bug | ||||||||||||
Regression: | --- | Mount Type: | --- | ||||||||||||
Documentation: | --- | CRM: | |||||||||||||
Verified Versions: | Category: | --- | |||||||||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||||||||
Embargoed: | |||||||||||||||
Bug Depends On: | |||||||||||||||
Bug Blocks: | 1574716 | ||||||||||||||
Attachments: |
|
Description
Kamil Páral
2019-04-10 15:17:38 UTC
Created attachment 1554269 [details]
SecureBoot error
SB error when SB is enabled
Created attachment 1554270 [details]
GRUB error
GRUB error when SB is disabled and CSM is also disabled
I'm proposing this for consideration as a blocker bug. The fact that a machine can't boot into an install image boot menu is pretty serious. Yes, there's an non-obvious workaround, and yes, this definitely affects only some hardware (asking the community to test this on wide selection of hardware is probably a good idea). It has been present in F29, and partly in F28 (regressed from that state). 'shim' component is a trap... if this affects at least a few different Thinkpads, I'm inclined to +1 blocker on it. Secure Boot is a thing we ideally want to encourage people to use, turning it off is a bad workaround. It might be useful to see contents of efivars. Boot UEFI mode however possible and $ ls -l /sys/firmware/efi/efivars/ Also, is the firmware for this T450s at 1.35 or other? I've tried to reproduce this with shim-15-8 and grub2-efi-x64-2.02-75.fc30 with the following setups: - SB unsupported - SB supported but disabled - SB supported and enabled I can't get any of these symptoms to occur at all, so I suspect something is wrong with the firmware setup on the machine (no idea about the filesystem problem.) Can you get attach of the following UEFI files from /sys/firmware/efi/efivars: KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c KEKDefault-8be4df61-93ca-11d2-aa0d-00e098032b8c PK-8be4df61-93ca-11d2-aa0d-00e098032b8c PKDefault-8be4df61-93ca-11d2-aa0d-00e098032b8c SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c SignatureSupport-8be4df61-93ca-11d2-aa0d-00e098032b8c VendorKeys-8be4df61-93ca-11d2-aa0d-00e098032b8c dbDefault-8be4df61-93ca-11d2-aa0d-00e098032b8c dbxDefault-8be4df61-93ca-11d2-aa0d-00e098032b8c (Some may not be present.) Alright, so, I had 1.34 bios installed, even though it's supported by fwupdmgr and it didn't show any updates available. Lenovo obviously haven't uploaded the latest bios to LVFS (so most Linux users are probably still running 1.34). After updating to 1.35 manually, things have completely changed (even though the changelog only lists one security fix): * The SecureBoot=on path now boots OK. * The SecureBoot=off and CSM=off path still doesn't boot, but the grub filesystem error is gone. I only see a black screen and nothing happens (so effectively the same thing I originally saw with F29 media). The installed system can still be booted just fine with these firmware settings. I'll attach the efivars requested, but only these 3 out of those mentioned are available: SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c SignatureSupport-8be4df61-93ca-11d2-aa0d-00e098032b8c They differ between the cases, so I upload them in both versions. They are from 1.35 bios, but I also have them saved from 1.34 bios, if you want to debug that. Created attachment 1554711 [details]
efivars-1.35-sb-on
Requested efivars from 1.35 bios with SB on (working boot).
Created attachment 1554712 [details]
efivars-1.35-sb-off-csm-off
Requested efivars from 1.35 bios with SB off and CSM off (broken boot, black screen).
Created attachment 1554713 [details]
all-efivars-1.35-sb-off-csm-off
A list of all available efivars from 1.35 bios with SB off and CSM off.
Discussed during the 2019-04-15 blocker review meeting: [1] The decision to classify this bug as a "RejectedBlocker" and an "AcceptedFreezeException" was made as for now this appears to be too specific to justify accepting as a blocker, we only know that it affects one laptop model with one specific non-default firmware configuration. However, for affected users it's a critical bug, so we would consider a safe fix for post-freeze inclusion. This decision may be changed based on further investigation. [1] https://meetbot.fedoraproject.org/fedora-blocker-review/2019-04-15/f30-blocker-review.2019-04-15-16.03.txt kamil: random note - I never included this in f30 common bugs as I was kinda assuming you were going to do it. But it looks like you didn't? No, I didn't, and it doesn't matter now. Removing the commonbugs keyword. This message is a reminder that Fedora 30 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 30 on 2020-05-26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '30'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 30 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. Fedora 30 changed to end-of-life (EOL) status on 2020-05-26. Fedora 30 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed. |