Public bug reported: When building some software (https://github.com/puzzleos/uefi-dev) I ran into a problem/bug in efitools 'sign-efi-sig-list'.
The end result in my case was that an attempt to update the PK variable in uefi (ovmf files from 20.04 with qemu from 20.04) resulted in an exit code of 26 (EFI_SECURITY_VIOLATION). FS0:\> sb_setup.efi SB_SETUP: attempting to configure UEFI Secure Boot SB_SETUP: system is in Setup Mode SB_SETUP: KEK installed SB_SETUP: db installed SB_SETUP: unable to set the PK variable (26) sign-efi-sig-list was used to generate an update to PK in the build process. The fix upstream is https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git/commit/?id=e57bafc268511ad54598627b663a7ae86bd856f5 Unfortunately it does not easily cherry-pick to 1.8.1 (20.04's version). There is only a small amount of changes from 1.8.1 to 21.04's version (1.9.2), so the easiest/safest fix may be to just update. ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: efitools 1.8.1-0ubuntu2 ProcVersionSignature: Ubuntu 5.8.0-63.71~20.04.1-generic 5.8.18 Uname: Linux 5.8.0-63-generic x86_64 NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair ApportVersion: 2.20.11-0ubuntu27.18 Architecture: amd64 CasperMD5CheckResult: skip CurrentDesktop: ubuntu:GNOME Date: Fri Aug 20 14:55:19 2021 InstallationDate: Installed on 2020-01-15 (582 days ago) InstallationMedia: Ubuntu 18.04.3 LTS "Bionic Beaver" - Release amd64 (20190805) ProcEnviron: TERM=screen.xterm-256color PATH=(custom, no user) XDG_RUNTIME_DIR=<set> LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: efitools UpgradeStatus: Upgraded to focal on 2020-04-17 (490 days ago) ** Affects: efitools (Ubuntu) Importance: Undecided Status: Fix Released ** Affects: efitools (Ubuntu Focal) Importance: Medium Status: Confirmed ** Tags: amd64 apport-bug focal third-party-packages ** Description changed: When building some software (https://github.com/puzzleos/uefi-dev) I ran into a problem/bug in efitools 'sign-efi-sig-list'. The end result in my case was that an attempt to update the PK variable in uefi (ovmf files from 20.04 with qemu from 20.04) resulted in an exit code of 26 (EFI_SECURITY_VIOLATION). + FS0:\> sb_setup.efi + SB_SETUP: attempting to configure UEFI Secure Boot + SB_SETUP: system is in Setup Mode + SB_SETUP: KEK installed + SB_SETUP: db installed + SB_SETUP: unable to set the PK variable (26) - FS0:\> sb_setup.efi - SB_SETUP: attempting to configure UEFI Secure Boot - SB_SETUP: system is in Setup Mode - SB_SETUP: KEK installed - SB_SETUP: db installed - SB_SETUP: unable to set the PK variable (26) + sign-efi-sig-list was used to generate an update to PK in the build + process. - - The fix upstream is https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git/commit/?id=e57bafc268511ad54598627b663a7ae86bd856f5 + The fix upstream is + https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git/commit/?id=e57bafc268511ad54598627b663a7ae86bd856f5 Unfortunately it does not easily cherry-pick to 1.8.1 (20.04's version). - There is only a small amount of changes from 1.8.1 to 21.04's version (1.9.2), so - the easiest/safest fix may be to just update. + There is only a small amount of changes from 1.8.1 to 21.04's version + (1.9.2), so the easiest/safest fix may be to just update. ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: efitools 1.8.1-0ubuntu2 ProcVersionSignature: Ubuntu 5.8.0-63.71~20.04.1-generic 5.8.18 Uname: Linux 5.8.0-63-generic x86_64 NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair ApportVersion: 2.20.11-0ubuntu27.18 Architecture: amd64 CasperMD5CheckResult: skip CurrentDesktop: ubuntu:GNOME Date: Fri Aug 20 14:55:19 2021 InstallationDate: Installed on 2020-01-15 (582 days ago) InstallationMedia: Ubuntu 18.04.3 LTS "Bionic Beaver" - Release amd64 (20190805) ProcEnviron: - TERM=screen.xterm-256color - PATH=(custom, no user) - XDG_RUNTIME_DIR=<set> - LANG=en_US.UTF-8 - SHELL=/bin/bash + TERM=screen.xterm-256color + PATH=(custom, no user) + XDG_RUNTIME_DIR=<set> + LANG=en_US.UTF-8 + SHELL=/bin/bash SourcePackage: efitools UpgradeStatus: Upgraded to focal on 2020-04-17 (490 days ago) ** Also affects: efitools (Ubuntu Focal) Importance: Undecided Status: New ** Changed in: efitools (Ubuntu) Status: New => Fix Released ** Changed in: efitools (Ubuntu Focal) Status: New => Confirmed ** Changed in: efitools (Ubuntu Focal) Importance: Undecided => Medium -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1940711 Title: sign-efi-sig-list uses PKCS7 for variable updates To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/efitools/+bug/1940711/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs