Bug#1059525: linux-image-6.1.0-16-amd64: Secure Boot is active but mokutil and dmesg says "Secure boot disabled" but just with an NVME not with an HDD/SSD
In a Debian Testing System one of the packages solved my problem. Secure Boot is now displayed as active.

Start-Date: 2024-01-12 18:59:31
Commandline: apt full-upgrade
Requested-By: user (1000)
Upgrade: orca:amd64 (45.1-2, 45.2-1), dmeventd:amd64 (2:1.02.185-2, 2:1.02.185-3), libldb2:amd64 (2:2.8.0+samba4.19.3+dfsg-2, 2:2.8.0+samba4.19.4+dfsg-2), libgs10-common:amd64 (10.02.1~dfsg-1, 10.02.1~dfsg-2), liblua5.4-0:amd64 (5.4.6-1, 5.4.6-2), liblvm2cmd2.03:amd64 (2.03.16-2, 2.03.16-3), libgs10:amd64 (10.02.1~dfsg-1, 10.02.1~dfsg-2), logrotate:amd64 (3.21.0-1, 3.21.0-2), libwbclient0:amd64 (2:4.19.3+dfsg-2, 2:4.19.4+dfsg-2), libsmbclient:amd64 (2:4.19.3+dfsg-2, 2:4.19.4+dfsg-2), lvm2:amd64 (2.03.16-2, 2.03.16-3), ghostscript:amd64 (10.02.1~dfsg-1, 10.02.1~dfsg-2), gir1.2-ibus-1.0:amd64 (1.5.29~rc2-1, 1.5.29-1), grep:amd64 (3.11-3, 3.11-4), libopenni2-0:amd64 (2.2.0.33+dfsg-17, 2.2.0.33+dfsg-18), dmsetup:amd64 (2:1.02.185-2, 2:1.02.185-3), libdevmapper-event1.02.1:amd64 (2:1.02.185-2, 2:1.02.185-3), samba-libs:amd64 (2:4.19.3+dfsg-2, 2:4.19.4+dfsg-2), libgs-common:amd64 (10.02.1~dfsg-1, 10.02.1~dfsg-2), libibus-1.0-5:amd64 (1.5.29~rc2-1, 1.5.29-1), libdevmapper1.02.1:amd64 (2:1.02.185-2, 2:1.02.185-3)
End-Date: 2024-01-12 18:59:53

Bug#1059525: linux-image-6.1.0-16-amd64: Secure Boot is active but mokutil and dmesg says "Secure boot disabled" but just with an NVME not with an HDD/SSD
Package: src:linux
Version: 6.1.67-1
Severity: serious
X-Debbugs-Cc: yelcnce01w76dbotr...@gmail.com

Dear Maintainer,

* What led up to the situation?

I started Debian 12 on an Intel NUC with Crucial P5 Plus NVME and noticed that Secure Boot is not active, only if an NVME is installed. When the NVME is fitted, the Debian Live Stick also changes the secure boot state to disabled. This does not happen with Debian if the NVME is removed and only one HDD is used. In BIOS Secure Boot is enabled.

With NVME and active Secure Boot, Kernel starts properly

dmesg | grep -i secure
[0.00] secureboot: Secure boot disabled
[1.294078] Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
[1.294088] Loaded X.509 cert 'Debian Secure Boot Signer 2022 - linux: 14011249c2675ea8e5148542202005810584b25f'

mokutil --sb-state
This system doesn't support Secure Boot

With NVME and active Secure Boot and Mainboard Lockdown-Pins

dmesg | grep -i secure
[0.00] Kernel is locked down from EFI Secure Boot; see man kernel_lockdown.7
[0.00] secureboot: Secure boot enabled
[1.287502] Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
[1.287513] Loaded X.509 cert 'Debian Secure Boot Signer 2022 - linux: 14011249c2675ea8e5148542202005810584b25f'
[1.295587] integrity: Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'

mokutil --sb-state
SecureBoot enabled

* What exactly did you do (or not do) that was effective (or ineffective)?

The behavior changes when I set the lockdown-pins on the mainboard from the Intel NUC. Then Secure Boot is active with these NVME.

* What was the outcome of this action?
* What outcome did you expect instead?

Secure Boot should always be active and if not, Debian should not start.

-- Package-specific info:
** Version:
Linux version 6.1.0-16-amd64 (debian-ker...@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.67-1 (2023-12-12)

** Command line:
BOOT_IMAGE=/vmlinuz-6.1.0-16-amd64 root=/dev/mapper/lvgdeb-debix ro rootflags=subvol=@rootfs quiet

** Not tainted

** Kernel log:
[ 13.280197] BTRFS info: devid 1 device path /dev/mapper/lvgdeb-debix changed to /dev/dm-1 scanned by (udev-worker) (590)
[ 13.280714] BTRFS info: devid 1 device path /dev/dm-1 changed to /dev/mapper/lvgdeb-debix scanned by (udev-worker) (590)
[ 13.298823] intel_pmc_core INT33A1:00: initialized
[ 13.317186] resource sanity check: requesting [mem 0xfedc-0xfedc], which spans more than pnp 00:03 [mem 0xfedc-0xfedc7fff]
[ 13.317191] caller igen6_probe+0x199/0x7d0 [igen6_edac] mapping multiple BARs
[ 13.321118] EDAC MC0: Giving out device to module igen6_edac controller Intel_client_SoC MC#0: DEV :00:00.0 (INTERRUPT)
[ 13.321700] Serial bus multi instantiate pseudo device driver INT3515:00: error -ENXIO: IRQ index 1 not found
[ 13.321729] Serial bus multi instantiate pseudo device driver INT3515:00: error -ENXIO: Error requesting irq at index 1
[ 13.324335] EDAC MC1: Giving out device to module igen6_edac controller Intel_client_SoC MC#1: DEV :00:00.0 (INTERRUPT)
[ 13.324397] EDAC igen6 MC1: HANDLING IBECC MEMORY ERROR
[ 13.324399] EDAC igen6 MC1: ADDR 0x7fffe0
[ 13.324400] EDAC igen6 MC0: HANDLING IBECC MEMORY ERROR
[ 13.324401] EDAC igen6 MC0: ADDR 0x7fffe0
[ 13.325163] EDAC igen6: v2.5.1
[ 13.389497] ee1004 0-0050: 512 byte EE1004-compliant SPD EEPROM, read-only
[ 13.412053] mei_me :00:16.0: enabling device ( -> 0002)
[ 13.422361] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[ 13.422472] cfg80211: Loaded X.509 cert 'b...@debian.org: 577e021cb980e0e820821ba7b54b4961b8b4fadf'
[ 13.422560] cfg80211: Loaded X.509 cert 'romain.per...@gmail.com: 3abbc6ec146e09d1b6016ab9d6cf71dd233f0328'
[ 13.422646] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[ 13.423298] platform regulatory.0: firmware: direct-loading firmware regulatory.db
[ 13.423325] platform regulatory.0: firmware: direct-loading firmware regulatory.db.p7s
[ 13.424187] input: PC Speaker as /devices/platform/pcspkr/input/input8
[ 13.522204] mei_hdcp :00:16.0-b638ab7e-94e2-4ea2-a552-d1c54b627f04: bound :00:02.0 (ops i915_hdcp_component_ops [i915])
[ 13.522505] RAPL PMU: API unit is 2^-32 Joules, 4 fixed counters, 655360 ms ovfl timer
[ 13.522510] RAPL PMU: hw unit of domain pp0-core 2^-14 Joules
[ 13.522513] RAPL PMU: hw unit of domain package 2^-14 Joules
[ 13.522514] RAPL PMU: hw unit of domain pp1-gpu 2^-14 Joules
[ 13.522515] RAPL PMU: hw unit of domain psys 2^-14 Joules
[ 13.530500] Intel(R) Wireless WiFi driver for Linux
[ 13.530763] iwlwifi :00:14.3: enabling device ( -> 0002)
[ 13.547682] iwlwifi :00:14.3: firmware: direct-loading firmware iwlwifi-so-a0-gf-a0-72.ucode
[
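
Added example, not part of the original report and not Debian or mokutil code: a fail-closed check that reads the UEFI SecureBoot variable from efivarfs, classifies the two kernel messages quoted in the report, and treats anything other than enabled/enabled as a failure. The function names (sb_from_efivar, sb_from_dmesg, sb_verdict, check_host) are hypothetical, and the demo input is constructed.

```shell
#!/bin/sh
# Added example: fail-closed Secure Boot check (not Debian or mokutil code).
# Standard efivarfs path of the UEFI global variable "SecureBoot".
EFIVAR=${EFIVAR:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032c8c}

# efivarfs files begin with a 4-byte attribute word; byte 5 is the value.
# An unreadable or missing variable is reported as "unsupported".
sb_from_efivar() {
    [ -r "$1" ] || { echo unsupported; return 0; }
    case "$(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Classify kernel log text on stdin by the two messages quoted in the report.
sb_from_dmesg() {
    awk '/secureboot: Secure boot enabled/  { s = "enabled" }
         /secureboot: Secure boot disabled/ { s = "disabled" }
         END { print (s == "" ? "unknown" : s) }'
}

# Combine both views: only enabled/enabled counts as enforced.
sb_verdict() {   # $1 = firmware variable state, $2 = kernel log state
    case "$1/$2" in
        enabled/enabled)      echo enforced ;;
        enabled/*|*/enabled)  echo mismatch ;;
        *)                    echo not-enforced ;;
    esac
}

# Live check for a real host (not run by the demo below).
check_host() { sb_verdict "$(sb_from_efivar "$EFIVAR")" "$(dmesg 2>/dev/null | sb_from_dmesg)"; }

# Demo on constructed input: a variable file holding 1 and the kernel line
# from the failing boot in the report.
demo() {
    f=$(mktemp)
    printf '\006\000\000\000\001' > "$f"
    fw=$(sb_from_efivar "$f"); rm -f "$f"
    k=$(printf '%s\n' '[0.00] secureboot: Secure boot disabled' | sb_from_dmesg)
    echo "firmware=$fw kernel=$k verdict=$(sb_verdict "$fw" "$k")"
}
demo
```

On a real host, check_host needs permission to read the kernel log, and the early secureboot line may already have rotated out of the ring buffer, in which case the kernel state comes back as unknown and the verdict is not enforced.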