subject:"Bug#1059525\: linux\-image\-6.1.0\-16\-amd64\: Secure Boot is active but mokutil and dmesg says \"Secure boot disabled\" but just with an NVME not with an HDD\/SSD"

Bug#1059525: linux-image-6.1.0-16-amd64: Secure Boot is active but mokutil and dmesg says "Secure boot disabled" but just with an NVME not with an HDD/SSD

2024-01-12 Thread .

In a Debian Testing System one of the packages solved my problem. Secure 
Boot is now displayed as active.


Start-Date: 2024-01-12  18:59:31
Commandline: apt full-upgrade
Requested-By: user (1000)
Upgrade: orca:amd64 (45.1-2, 45.2-1), dmeventd:amd64 (2:1.02.185-2, 
2:1.02.185-3), libldb2:amd64 (2:2.8.0+samba4.19.3+dfsg-2, 
2:2.8.0+samba4.19.4+dfsg-2), libgs10-common:amd64 (10.02.1~dfsg-1, 
10.02.1~dfsg-2), liblua5.4-0:amd64 (5.4.6-1, 5.4.6-2), 
liblvm2cmd2.03:amd64 (2.03.16-2, 2.03.16-3), libgs10:amd64 
(10.02.1~dfsg-1, 10.02.1~dfsg-2), logrotate:amd64 (3.21.0-1, 3.21.0-2), 
libwbclient0:amd64 (2:4.19.3+dfsg-2, 2:4.19.4+dfsg-2), 
libsmbclient:amd64 (2:4.19.3+dfsg-2, 2:4.19.4+dfsg-2), lvm2:amd64 
(2.03.16-2, 2.03.16-3), ghostscript:amd64 (10.02.1~dfsg-1, 
10.02.1~dfsg-2), gir1.2-ibus-1.0:amd64 (1.5.29~rc2-1, 1.5.29-1), 
grep:amd64 (3.11-3, 3.11-4), libopenni2-0:amd64 (2.2.0.33+dfsg-17, 
2.2.0.33+dfsg-18), dmsetup:amd64 (2:1.02.185-2, 2:1.02.185-3), 
libdevmapper-event1.02.1:amd64 (2:1.02.185-2, 2:1.02.185-3), 
samba-libs:amd64 (2:4.19.3+dfsg-2, 2:4.19.4+dfsg-2), libgs-common:amd64 
(10.02.1~dfsg-1, 10.02.1~dfsg-2), libibus-1.0-5:amd64 (1.5.29~rc2-1, 
1.5.29-1), libdevmapper1.02.1:amd64 (2:1.02.185-2, 2:1.02.185-3)

End-Date: 2024-01-12  18:59:53

Bug#1059525: linux-image-6.1.0-16-amd64: Secure Boot is active but mokutil and dmesg says "Secure boot disabled" but just with an NVME not with an HDD/SSD

2023-12-27 Thread .


Package: src:linux
Version: 6.1.67-1
Severity: serious
X-Debbugs-Cc: yelcnce01w76dbotr...@gmail.com

Dear Maintainer,

* What led up to the situation?
I started Debian 12 on an Intel NUC with Crucial P5 Plus NVME and 
noticed that Secure Boot is not active, only if an NVME is installed.
When the NVME is fitted, the Debian Live Stick also changes the secure 
boot state to disabled. This does not happen with Debian if the NVME is 
removed and only one HDD is used. In Bios Secure Boot is enabled.


With NVME and active Secure Boot, Kernel starts properly
dmesg | grep -i secure
[0.00] secureboot: Secure boot disabled
[1.294078] Loaded X.509 cert 'Debian Secure Boot CA: 
6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
[1.294088] Loaded X.509 cert 'Debian Secure Boot Signer 2022 - 
linux: 14011249c2675ea8e5148542202005810584b25f'

mokutil --sb-state
This system doesn't support Secure Boot

With NVME and active Secure Boot and Mainboard Lockdown-Pins
dmesg | grep -i secure
[0.00] Kernel is locked down from EFI Secure Boot; see man 
kernel_lockdown.7

[0.00] secureboot: Secure boot enabled
[1.287502] Loaded X.509 cert 'Debian Secure Boot CA: 
6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
[1.287513] Loaded X.509 cert 'Debian Secure Boot Signer 2022 - 
linux: 14011249c2675ea8e5148542202005810584b25f'
[1.295587] integrity: Loaded X.509 cert 'Debian Secure Boot CA: 
6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'

mokutil --sb-state
SecureBoot enabled

* What exactly did you do (or not do) that was effective (or
ineffective)?
The behavior changes when I set the lockdown-pins on the mainboard from 
the Intel NUC. Then Secure Boot is activ with these NVME.


* What was the outcome of this action?
* What outcome did you expect instead?
Secure Boot should always be active and if not, Debian should not start.



-- Package-specific info:
** Version:
Linux version 6.1.0-16-amd64 (debian-ker...@lists.debian.org) (gcc-12 
(Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP 
PREEMPT_DYNAMIC Debian 6.1.67-1 (2023-12-12)


** Command line:
BOOT_IMAGE=/vmlinuz-6.1.0-16-amd64 root=/dev/mapper/lvgdeb-debix ro 
rootflags=subvol=@rootfs quiet


** Not tainted

** Kernel log:
[   13.280197] BTRFS info: devid 1 device path /dev/mapper/lvgdeb-debix 
changed to /dev/dm-1 scanned by (udev-worker) (590)
[   13.280714] BTRFS info: devid 1 device path /dev/dm-1 changed to 
/dev/mapper/lvgdeb-debix scanned by (udev-worker) (590)

[   13.298823] intel_pmc_core INT33A1:00:  initialized
[   13.317186] resource sanity check: requesting [mem 
0xfedc-0xfedc], which spans more than pnp 00:03 [mem 
0xfedc-0xfedc7fff]
[   13.317191] caller igen6_probe+0x199/0x7d0 [igen6_edac] mapping 
multiple BARs
[   13.321118] EDAC MC0: Giving out device to module igen6_edac 
controller Intel_client_SoC MC#0: DEV :00:00.0 (INTERRUPT)
[   13.321700] Serial bus multi instantiate pseudo device driver 
INT3515:00: error -ENXIO: IRQ index 1 not found
[   13.321729] Serial bus multi instantiate pseudo device driver 
INT3515:00: error -ENXIO: Error requesting irq at index 1
[   13.324335] EDAC MC1: Giving out device to module igen6_edac 
controller Intel_client_SoC MC#1: DEV :00:00.0 (INTERRUPT)

[   13.324397] EDAC igen6 MC1: HANDLING IBECC MEMORY ERROR
[   13.324399] EDAC igen6 MC1: ADDR 0x7fffe0
[   13.324400] EDAC igen6 MC0: HANDLING IBECC MEMORY ERROR
[   13.324401] EDAC igen6 MC0: ADDR 0x7fffe0
[   13.325163] EDAC igen6: v2.5.1
[   13.389497] ee1004 0-0050: 512 byte EE1004-compliant SPD EEPROM, 
read-only

[   13.412053] mei_me :00:16.0: enabling device ( -> 0002)
[   13.422361] cfg80211: Loading compiled-in X.509 certificates for 
regulatory database
[   13.422472] cfg80211: Loaded X.509 cert 'b...@debian.org: 
577e021cb980e0e820821ba7b54b4961b8b4fadf'
[   13.422560] cfg80211: Loaded X.509 cert 'romain.per...@gmail.com: 
3abbc6ec146e09d1b6016ab9d6cf71dd233f0328'

[   13.422646] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[   13.423298] platform regulatory.0: firmware: direct-loading firmware 
regulatory.db
[   13.423325] platform regulatory.0: firmware: direct-loading firmware 
regulatory.db.p7s

[   13.424187] input: PC Speaker as /devices/platform/pcspkr/input/input8
[   13.522204] mei_hdcp 
:00:16.0-b638ab7e-94e2-4ea2-a552-d1c54b627f04: bound :00:02.0 
(ops i915_hdcp_component_ops [i915])
[   13.522505] RAPL PMU: API unit is 2^-32 Joules, 4 fixed counters, 
655360 ms ovfl timer

[   13.522510] RAPL PMU: hw unit of domain pp0-core 2^-14 Joules
[   13.522513] RAPL PMU: hw unit of domain package 2^-14 Joules
[   13.522514] RAPL PMU: hw unit of domain pp1-gpu 2^-14 Joules
[   13.522515] RAPL PMU: hw unit of domain psys 2^-14 Joules
[   13.530500] Intel(R) Wireless WiFi driver for Linux
[   13.530763] iwlwifi :00:14.3: enabling device ( -> 0002)
[   13.547682] iwlwifi :00:14.3: firmware: direct-loading firmware 
iwlwifi-so-a0-gf-a0-72.ucode
[

Bug#1059525: linux-image-6.1.0-16-amd64: Secure Boot is active but mokutil and dmesg says "Secure boot disabled" but just with an NVME not with an HDD/SSD

Bug#1059525: linux-image-6.1.0-16-amd64: Secure Boot is active but mokutil and dmesg says "Secure boot disabled" but just with an NVME not with an HDD/SSD

2 matches

Site Navigation

Mail list logo

Footer information