Package: shim
Version: 0.9+1474479173.6c180c6-1
Severity: important

I tested shim-signed with qemu in a Secure Boot environment. Here are the steps
to reproduce the problem:

1) install shim, shim-signed, qemu and ovmf packages

2) get EnrollDefaultKeys.efi from

https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Workstation/x86_64/os/Packages/e/edk2-ovmf-20170209git296153c5-3.fc27.noarch.rpm

3) create an efi_test directory with the shim binaries, grub and
EnrollDefaultKeys.efi files

   mkdir efi_test
   cp /usr/lib/shim/{shimx64,mmx64,fbx64}.efi.signed efi_test/
   rename 's/[.]signed$//' efi_test/*

   cp /boot/efi/EFI/debian/grubx64.efi efi_test/    [this step is significant]

   cp EnrollDefaultKeys.efi efi_test/     [see step (2)]

4) so we have in efi_test/

   LANG=C ls -la efi_test/

   drwxr-xr-x 2 kl kl    4096 Apr 19 12:10 .
   drwxr-xr-x 5 kl kl    4096 Apr 19 11:52 ..
   -rw-r--r-- 1 kl kl   20032 Apr 19 11:55 EnrollDefaultKeys.efi
   -rw-r--r-- 1 kl kl    9184 Apr 19 12:05 NvVars
   -rw-r--r-- 1 kl kl   72144 Apr 19 11:52 fbx64.efi
   -rwxr-xr-x 1 kl kl  121856 Apr 19 12:10 grubx64.efi
   -rw-r--r-- 1 kl kl 1168464 Apr 19 12:05 mmx64.efi
   -rw-r--r-- 1 kl kl 1169528 Apr 19 11:52 shimx64.efi

5) run qemu with ovmf firmware

   qemu-system-x86_64 -m 1024 -enable-kvm -machine q35,smm=on,accel=kvm \
                      -bios /usr/share/ovmf/OVMF.fd \
                      -drive media=disk,file=fat:rw:efi_test

6) import Microsoft keys and enable Secure Boot (from EFI shell)

   Shell> fs0:
   FS0:\> EnrollDefaultKeys.efi
   info: SetupMode=1 SecureBoot=0 SecureBootEnabled=0 CustomMode=0 VendorKeys=1
   info: SetupMode=0 SecureBoot=1 SecureBootEnabled=1 CustomMode=0 VendorKeys=0
   info: success

7) reboot virtual machine (from EFI shell)

   FS0:\> reset

8) run shim (from EFI shell)

   Shell> fs0:
   FS0:\> shimx64.efi

9) expected result:

   MokManager (mmx64.efi) will be started

10) actual result:

    Verification failed: (15) Access Denied

    Failed to load image: Access Denied
    start_image() returned Access Denied
    start_image() returned Access Denied

    and we are back at the EFI shell.

    Thus it's not possible to install user keys or add a user
    loader to the trusted binary database.

------------------------------------------------------


The following upstream patch will resolve the problem:

https://github.com/rhinstaller/shim/commit/9f2c83e60e0758c3db387eebaed3f306ad6214a8

PS: This bug affects Ubuntu as well.

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=ru_RU.UTF8, LC_CTYPE=ru_RU.UTF8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

-- no debconf information
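Steps 3 to 5 of the report, collected into one POSIX sh script so the reproduction directory can be rebuilt the same way each time. This is an added example, not part of the bug report or of the shim package. It assumes the same paths the report uses (/usr/lib/shim for the .signed binaries, /boot/efi/EFI/debian/grubx64.efi, /usr/share/ovmf/OVMF.fd) but takes them as parameters; the function names prepare_efi_test, check_efi_test and qemu_cmdline are this example's own. It drops the ".signed" suffix with a plain sh loop instead of the Perl rename utility, and adds a check that every binary the EFI shell session will load is actually present before the VM is started, since a missing mmx64.efi or grubx64.efi would produce its own load failure and muddy the result.

```shell
#!/bin/sh
# Added example (not from the bug report): assemble the efi_test directory
# used to reproduce the shim 0.9 "Verification failed: (15) Access Denied"
# report under qemu/OVMF, and print the qemu command line from step 5.
set -eu

# Copy the signed shim binaries, dropping the ".signed" suffix, plus grub and
# EnrollDefaultKeys.efi, into DEST.  Uses a sh loop rather than the Perl
# "rename" utility so the only dependency is cp.
prepare_efi_test() {
    shim_dir=$1     # directory holding shimx64/mmx64/fbx64.efi.signed
    grub=$2         # the grub binary to test with (step 3 calls this out)
    enroll=$3       # EnrollDefaultKeys.efi extracted from the edk2-ovmf rpm
    dest=$4         # directory that qemu exposes to the VM as a FAT drive
    mkdir -p "$dest"
    for name in shimx64 mmx64 fbx64; do
        cp "$shim_dir/$name.efi.signed" "$dest/$name.efi"
    done
    cp "$grub" "$dest/grubx64.efi"
    cp "$enroll" "$dest/EnrollDefaultKeys.efi"
}

# Verify that every binary the EFI shell session needs is present and
# non-empty; return non-zero and name the first missing file otherwise.
check_efi_test() {
    dest=$1
    for f in shimx64.efi mmx64.efi fbx64.efi grubx64.efi EnrollDefaultKeys.efi; do
        if [ ! -s "$dest/$f" ]; then
            echo "missing or empty: $dest/$f" >&2
            return 1
        fi
    done
    return 0
}

# Print the qemu invocation from step 5.  The directory is exposed as a
# writable FAT disk, which is why NvVars appears in it after the first boot.
qemu_cmdline() {
    dest=$1
    firmware=${2:-/usr/share/ovmf/OVMF.fd}
    printf 'qemu-system-x86_64 -m 1024 -enable-kvm -machine q35,smm=on,accel=kvm -bios %s -drive media=disk,file=fat:rw:%s\n' \
        "$firmware" "$dest"
}

# Typical use on a Debian system with shim-signed, grub and ovmf installed:
#   prepare_efi_test /usr/lib/shim /boot/efi/EFI/debian/grubx64.efi \
#       ./EnrollDefaultKeys.efi ./efi_test
#   check_efi_test ./efi_test && eval "$(qemu_cmdline ./efi_test)"
```

Once the VM is up, steps 6 to 8 are typed at the EFI shell exactly as in the report; the script only prepares the disk contents and the command line. Because the directory is mounted read-write, OVMF writes its NvVars file into it, so rebuilding efi_test with prepare_efi_test between runs gives a clean variable store for a fresh EnrollDefaultKeys.efi run.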
