Re: secure boot disabled

[Chris Murphy]

On Thu, Feb 1, 2018, 3:52 PM AV  wrote:

> On Thu, 2018-02-01 at 13:36 -0700, Chris Murphy wrote:
> > On Wed, Jan 31, 2018 at 9:53 AM, AV  wrote:
> > > I installed Fed 27 on a Dell XPS 13 9370 using Fed 27 Live
> > > on a usb stick after deleting Ubuntu 16.04 LTS that came
> > > installed on the device.
> >
> > It's possible the kernel version that shipped with Fedora 27 had a
> > bug
> > related to secure boot notification. I forget exactly what kernel
> > versions were affected. Anyway anything in the 4.14 series should
> > work. You can check Secure Boot status with mokutil.
> >
> > $ mokutil --sb-state
> > SecureBoot enabled
>
> Ah, thanks. I was looking for something like this but did not
> find mokutil. And indeed SecureBoot is enabled:
>
> $ mokutil --sb-state
> SecureBoot enabled
>
> The Fed 27 Live version which I used for the install contains
> a 4.13 kernel. So the bug with notification is related to 4.13.
> But the following update to the 4.14.14-300 kernel did not correct
> this.
>



I suggest filing a Red Hat Bugzilla bug against the kernel. Include
complete dmesg. Include mokutil --sb-state,  and if you see the very early
message about Secure Boot right after the GRUB menu goes away but before
the Plymouth boot splash, mention it.

Weirdly, Secure Boot support is not in the mainline kernel. Every distro is
carrying their own patches including Fedora.


Chris Murphy

>
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org

Re: secure boot disabled

[AV]

On Thu, 2018-02-01 at 13:36 -0700, Chris Murphy wrote:
> On Wed, Jan 31, 2018 at 9:53 AM, AV  wrote:
> > I installed Fed 27 on a Dell XPS 13 9370 using Fed 27 Live
> > on a usb stick after deleting Ubuntu 16.04 LTS that came
> > installed on the device.
> 
> It's possible the kernel version that shipped with Fedora 27 had a
> bug
> related to secure boot notification. I forget exactly what kernel
> versions were affected. Anyway anything in the 4.14 series should
> work. You can check Secure Boot status with mokutil.
> 
> $ mokutil --sb-state
> SecureBoot enabled

Ah, thanks. I was looking for something like this but did not
find mokutil. And indeed SecureBoot is enabled:

$ mokutil --sb-state
SecureBoot enabled

The Fed 27 Live version which I used for the install contains
a 4.13 kernel. So the bug with notification is related to 4.13.
But the following update to the 4.14.14-300 kernel did not correct
this.

AV




___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org

Re: secure boot disabled

[Chris Murphy]

On Wed, Jan 31, 2018 at 9:53 AM, AV  wrote:
> I installed Fed 27 on a Dell XPS 13 9370 using Fed 27 Live
> on a usb stick after deleting Ubuntu 16.04 LTS that came
> installed on the device.

It's possible the kernel version that shipped with Fedora 27 had a bug
related to secure boot notification. I forget exactly what kernel
versions were affected. Anyway anything in the 4.14 series should
work. You can check Secure Boot status with mokutil.

$ mokutil --sb-state
SecureBoot enabled



-- 
Chris Murphy
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org

Re: secure boot disabled

[stan]

On Thu, 01 Feb 2018 12:17:26 +0100
AV  wrote:

> I very much doubt this. On a pc with secure boot you see:
> 
> $ dmesg |grep -i secure
> [0.00] secureboot: Secure boot enabled
> [0.00] Kernel is locked down from EFI secure boot; see man
> kernel_lockdown.7
> [1.364686] Loaded UEFI:MokListRT cert 'Fedora Secure Boot CA:
> fde32599c2d61db1bf5807335d7b20e4cd963b42' linked to secondary sys
> keyring
> 
> Furthermore at boot (after grub kernel choices) the line:
> "EFI Stub: Secure Boot enabled" is shown. 

I'm chastised for my ignorance.  Thanks for the information.
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org

Re: secure boot disabled

[AV]

On Wed, 2018-01-31 at 17:30 -0700, stan wrote:
> On Wed, 31 Jan 2018 17:53:22 +0100
> AV  wrote:
> 
> > However after install I find 'secure boot disabled'.
> > $ dmesg | grep -i secure
> > [0.00] secureboot: Secure boot disabled
> > [5.630671] Loaded UEFI:MokListRT cert 'Fedora Secure Boot CA:
> > fde32599c2d61db1bf5807335d7b20e4cd963b42' linked to secondary sys
> > keyring
> > $ ls -l /sys/firmware/efi/efivars/Secure*
> > -rw-r--r--. 1 root root 5 Jan 31 16:33
> > /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-
> > 00e098032b8c
> 
> I don't know much about this, but I would interpret this as saying
> that
> you have secure boot.  Maybe someone more knowledgeable will confirm.
> 
I very much doubt this. On a pc with secure boot you see:

$ dmesg |grep -i secure
[0.00] secureboot: Secure boot enabled
[0.00] Kernel is locked down from EFI secure boot; see man
kernel_lockdown.7
[1.364686] Loaded UEFI:MokListRT cert 'Fedora Secure Boot CA:
fde32599c2d61db1bf5807335d7b20e4cd963b42' linked to secondary sys
keyring

Furthermore at boot (after grub kernel choices) the line:
"EFI Stub: Secure Boot enabled" is shown. 

AV
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org

Re: secure boot disabled

[stan]

On Wed, 31 Jan 2018 17:53:22 +0100
AV  wrote:

> However after install I find 'secure boot disabled'.
> $ dmesg | grep -i secure
> [0.00] secureboot: Secure boot disabled
> [5.630671] Loaded UEFI:MokListRT cert 'Fedora Secure Boot CA:
> fde32599c2d61db1bf5807335d7b20e4cd963b42' linked to secondary sys
> keyring
> $ ls -l /sys/firmware/efi/efivars/Secure*
> -rw-r--r--. 1 root root 5 Jan 31 16:33
> /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-
> 00e098032b8c

I don't know much about this, but I would interpret this as saying that
you have secure boot.  Maybe someone more knowledgeable will confirm.
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org