
General Questions • [Software] Unable to get SecureBoot to load Shim

Hi all, I've been attempting to set up SecureBoot on my Lenovo Thinkpad P16s Gen2 laptop via MOK signing.

Edit: Forgot to mention, this is on Debian 12 (bookworm), with an upgraded kernel to allow the internal mic to be correctly recognized by the driver.

Every time I enable secure boot, it fails in UEFI with the message "secure boot failed operating system is invalid". This message appears to match my UEFI UI, and GRUB does not seem to be loaded yet (since I have an encryption password blocking it that never appears), so this is what indicates to me (maybe incorrectly) that the UEFI is failing to check the shim bootloader's signature.

Here is the current listing under /boot/efi/EFI/debian/:

Code:

BOOTX64.CSV  fbx64.efi  grub.cfg  grubx64.efi  mmx64.efi  shimx64.efi
The contents of BOOTX64.CSV:

Code:

shimx64.efi,debian,,This is the boot entry for debian
The output of sbverify shimx64.efi:

Code:

warning: data remaining[823184 vs 948768]: gaps between PE/COFF sections?
Signature verification OK
The output of sbverify --list for all EFI binaries under /boot/efi/EFI/debian/

Code:

+ for file in *.efi
+ sbverify --list fbx64.efi
warning: data remaining[73152 vs 87328]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /CN=Debian Secure Boot CA
image signature certificates:
 - subject: /CN=Debian Secure Boot Signer 2022 - shim
   issuer:  /CN=Debian Secure Boot CA
+ for file in *.efi
+ sbverify --list grubx64.efi
signature 1
image signature issuers:
 - /CN=Debian Secure Boot CA
image signature certificates:
 - subject: /CN=Debian Secure Boot Signer 2022 - grub2
   issuer:  /CN=Debian Secure Boot CA
+ for file in *.efi
+ sbverify --list mmx64.efi
warning: data remaining[731584 vs 849616]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /CN=Debian Secure Boot CA
image signature certificates:
 - subject: /CN=Debian Secure Boot Signer 2022 - shim
   issuer:  /CN=Debian Secure Boot CA
+ for file in *.efi
+ sbverify --list shimx64.efi
warning: data remaining[823184 vs 948768]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root
I know that the shim bootloader is the first listing from the output of efibootmgr -v:

Code:

BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,001C,001D,001E,001F,0020,0021,0022,0023,0024,0025
Boot0000* debian        HD(1,GPT,b14ec9ad-d1b7-4ad3-ada2-062d6ab13f37,0x800,0x100000)/File(\EFI\debian\shimx64.efi)
Boot0001* Windows Boot Manager  HD(1,GPT,b95bc575-66b1-4931-85f9-e0b8e44cb66f,0x800,0x82000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}....................
Boot0010  Setup FvFile(721c8b66-426c-4e86-8e99-3457c46ab0b9)
Boot0011  Boot Menu     FvFile(126a762d-5758-4fca-8531-201a7f57f850)
Boot0012  Diagnostic Splash Screen      FvFile(a7d8d9a6-6ab0-4aeb-ad9d-163e59a7a380)
Boot0013  Lenovo Diagnostics    FvFile(3f7e615b-0d45-4f80-88dc-26b234958560)
Boot0014  Asset Information     FvFile(da465b87-a26f-4c12-b78a-0361428fa026)
Boot0015  Regulatory Information        FvFile(478c92a0-2622-42b7-a65d-5894169e4d24)
Boot0016  ThinkShield secure wipe       FvFile(3593a0d5-bd52-43a0-808e-cbff5ece2477)
Boot0017  ThinkShield Passwordless Power-On Device Manager      FvFile(08448b41-7f83-49be-82a7-0e84790ab133)
Boot0018  Wi-Fi Configuration   FvFile(d3aaff0f-cb22-4792-896c-802c2e9383ba)-.A.p.p...
Boot0019  Reinstall Windows from Cloud  FvFile(3edbaac4-5017-4870-8cc4-721f9ef1974f)-.A.p.p...
Boot001A  Startup Interrupt Menu        FvFile(f46ee6f4-4785-43a3-923d-7f786c3c8479)
Boot001B  Rescue and Recovery   FvFile(665d3f60-ad3e-4cad-8e26-db46eee9f1b5)
For completeness sake, here is the output of mokutil -l:

Code:

[key 1]
SHA1 Fingerprint: 53:61:0c:f8:1f:bd:7e:0c:eb:67:91:3c:9e:f3:e7:94:a9:63:3e:cb
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ed:54:a1:d5:af:87:48:94:8d:9f:89:32:ee:9c:7c:34
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Debian Secure Boot CA
...
[key 2]
SHA1 Fingerprint: 1f:8e:ed:d4:0f:07:3b:19:78:e9:f4:b6:39:78:03:52:02:2d:da:79
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            77:7b:1a:62:5d:2e:93:31:a8:ec:c4:e8:3e:1e:28:07:6b:1b:28:8d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=wikki
The [key 2] entry is the MOK I enrolled manually, and it is what I signed my kernel and modules with using sbsign. The output of mokutil --test-key /var/lib/shim-signed/MOK.der:

Code:

/var/lib/shim-signed/mok/MOK.der is already enrolled
Checking that this certificate matches the signature on my kernel, i.e. sbverify --cert /var/lib/shim-signed/mok/MOK.pem /boot/vmlinuz-6.7.4:

Code:

Signature verification OK
Thank you; any pointers would be much appreciated, and I'd be happy to attach any other information asked for.
Apologies for any formatting errors; I'd be happy to resolve them.

Statistics: Posted by wikki01 — 2024-02-09 16:05 — Replies 5 — Views 197
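The post above checks the Authenticode signatures on the EFI binaries and the MOK enrolled in MokList, but not what the firmware itself trusts: the first-stage loader (shimx64.efi, signed by the Microsoft Corporation UEFI CA 2011 per the sbverify output) is accepted or rejected according to the certificates and hashes in the firmware's db and dbx variables, which mokutil and sbverify do not display. The script below is an added example, not code from the post or from Debian's shim packaging. It reads the SecureBoot and SetupMode flags and parses db/dbx as EFI_SIGNATURE_LIST chains. Assumed: the standard efivarfs layout (/sys/firmware/efi/efivars/<Name>-<GUID>, each file prefixed by a 4-byte attribute word), the EFI_CERT_X509/EFI_CERT_SHA256 GUIDs from the UEFI specification, and the demo blob at the bottom, which is constructed for the example and contains a placeholder rather than a real certificate.

```python
"""Inspect Secure Boot state and the db/dbx signature databases via efivarfs.

Added example (not from the forum post or from shim/Debian). Assumes the
standard efivarfs layout and the EFI_SIGNATURE_LIST layout from the UEFI spec.
The demo data at the bottom is constructed; it is not a real firmware dump.
"""
import hashlib
import os
import struct
import uuid

EFIVARS = "/sys/firmware/efi/efivars"
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"          # SecureBoot, SetupMode, PK, KEK
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize
SIG_LIST_HDR = struct.Struct("<16sIII")


def strip_efivars_attrs(raw):
    """efivarfs prepends the 32-bit variable attributes; the payload starts at byte 4."""
    if len(raw) < 4:
        raise ValueError("efivarfs file shorter than its attribute header")
    return raw[4:]


def secure_boot_state(secureboot_raw, setupmode_raw):
    """Decode the one-byte SecureBoot and SetupMode variables (raw efivarfs file contents)."""
    sb = strip_efivars_attrs(secureboot_raw)
    sm = strip_efivars_attrs(setupmode_raw)
    return {"enabled": sb[:1] == b"\x01", "setup_mode": sm[:1] == b"\x01"}


def parse_signature_lists(data):
    """Walk a chain of EFI_SIGNATURE_LIST structures and return every signature entry."""
    entries, off = [], 0
    while off < len(data):
        if off + SIG_LIST_HDR.size > len(data):
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type, list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(data, off)
        end = off + list_size
        # Reject sizes that would overrun the buffer or loop forever on a malformed variable.
        if list_size < SIG_LIST_HDR.size or end > len(data) or sig_size < 16:
            raise ValueError(f"bad EFI_SIGNATURE_LIST sizes at offset {off}")
        pos = off + SIG_LIST_HDR.size + hdr_size
        while pos + sig_size <= end:  # each EFI_SIGNATURE_DATA: SignatureOwner GUID + SignatureData
            entries.append({
                "type": uuid.UUID(bytes_le=sig_type),
                "owner": uuid.UUID(bytes_le=data[pos:pos + 16]),
                "data": data[pos + 16:pos + sig_size],
            })
            pos += sig_size
        off = end
    return entries


def describe(entries):
    """(kind, owner, hex) per entry; for X.509 entries the hex is the DER certificate's SHA-256."""
    rows = []
    for e in entries:
        if e["type"] == EFI_CERT_X509_GUID:
            rows.append(("x509", str(e["owner"]), hashlib.sha256(e["data"]).hexdigest()))
        elif e["type"] == EFI_CERT_SHA256_GUID:
            rows.append(("sha256", str(e["owner"]), e["data"].hex()))
        else:
            rows.append((str(e["type"]), str(e["owner"]), hashlib.sha256(e["data"]).hexdigest()))
    return rows


def build_signature_list(sig_type, owner, payloads):
    """Encode one EFI_SIGNATURE_LIST (all payloads must share a size); used here for demo data."""
    sig_size = 16 + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    return SIG_LIST_HDR.pack(sig_type.bytes_le, SIG_LIST_HDR.size + len(body), 0, sig_size) + body


# Constructed demo data: an arbitrary owner GUID, placeholder bytes standing in for a DER
# certificate (NOT a real X.509 certificate), and two fake image hashes.
DEMO_OWNER = uuid.UUID("12345678-1234-1234-1234-123456789abc")
DEMO_CERT = b"\x30\x82\x00\x08" + b"\x00" * 8
DEMO_HASHES = [bytes([0xAA]) * 32, bytes([0xBB]) * 32]
DEMO_DB = (build_signature_list(EFI_CERT_X509_GUID, DEMO_OWNER, [DEMO_CERT])
           + build_signature_list(EFI_CERT_SHA256_GUID, DEMO_OWNER, DEMO_HASHES))


def read_var(name, guid):
    with open(os.path.join(EFIVARS, f"{name}-{guid}"), "rb") as f:
        return f.read()


def dump_live_db(var="db"):
    """On a real system: list what the firmware will accept (db) or refuse (dbx) as an image signer."""
    data = strip_efivars_attrs(read_var(var, EFI_IMAGE_SECURITY_DATABASE_GUID))
    return describe(parse_signature_lists(data))


if __name__ == "__main__":
    for row in describe(parse_signature_lists(DEMO_DB)):
        print("demo", *row)
    if os.path.isdir(EFIVARS):
        try:
            state = secure_boot_state(read_var("SecureBoot", EFI_GLOBAL_VARIABLE_GUID),
                                      read_var("SetupMode", EFI_GLOBAL_VARIABLE_GUID))
            print("SecureBoot:", state)
            for var in ("db", "dbx"):
                for row in dump_live_db(var):
                    print(var, *row)
        except OSError as exc:
            print("could not read efivars:", exc)
```

Run it as root on the affected machine; the x509 rows are SHA-256 fingerprints of the DER certificates in db, which can be compared with `openssl x509 -in <cert> -noout -fingerprint -sha256` for the CA that sbverify --list reports as shim's issuer (OpenSSL computes that fingerprint over the same DER encoding). If the issuer of shimx64.efi is absent from db, or its hash is present in dbx, the firmware will refuse shim before GRUB is ever reached; that is the check this example adds, not a claim about the cause in this post.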
