Invalid signature #447
lanzaboote/lanzaboote#447
I followed the quickstart up until this point:
https://github.com/nix-community/lanzaboote/blob/master/docs/QUICK_START.md#entering-secure-boot-setup-mode
After enabling secure boot, attempting to boot leads to
Selecting OK on this prompt boots to Windows
Disabling secure boot lets me boot into NixOS again
What does sbctl status say?

Looks good, you enrolled the keys just fine. What does sudo sbctl verify say tho?

That gives
Same here. I'm on an Acer Nitro N50-620. My BIOS doesn't have an option to enter setup mode, the only key management option is to delete all keys, and I can't manually delete the PK from BIOS. I've tried with efitools' efi-updatevar, but that didn't work either.

Deleting all keys "should" be fine as long as you:

If you do, do at your own risk. I did this and it worked just fine.
I have exactly the same issue with an ASUS PRIME-Z790-P (firmware version 1820). I successfully enrolled the key in setup mode, but booting with 'Windows UEFI Mode' and in 'Standard mode' gives me a secure boot violation due to an invalid signature (and I can boot on windows too).
After updating the revocation list I got a bad shim error, had to reset again. But I'm guessing it will just come back.
Okay, I reran everything.
I reinstalled Nix.
I created the sbctl keys and enrolled (with Microsoft keys).
I still get a bad shim.
I think after the latest blacklist update, I am just completely unable to use Secure Boot with NixOS.
In the meantime I have been able to install openSUSE Tumbleweed (which uses its own shim) and it works, Fedora works and Windows 11 works.
Seems like shim is checking for more things than necessary; I do not see what lanzaboote is doing that offends shim, but I feel like this is not really our bug.
I wish I could help giving you more info, but it says bad shim signature and that's all I get.
If updating the dbx causes a problem, then the project becomes unusable as it stands.
It's possible that a lot of people using Lanzaboote never update their signatures so you don't get reports maybe, but basically saying, "This is not our bug" just makes this system unusable for me (and possibly for people who do keep their security up-to-date). This means I either run NixOS without Secure Boot or I don't use NixOS.
I would say this is not a bug at all, but Secure Boot working as intended perhaps?
I update my dbx every day, as everyone who uses fwupd does and many other NixOS users do.
What I don't understand is why updating your dbx would put lanzaboote binaries on that list: it's your own keys and your own signed binaries. Short of fwupd streaming the contents of your disk or your public keys to the fwupd server so that it can customize your own dbx, that seems surprising, don't you think so?
Perhaps, but without further details, it's impossible for us to divine any further. What I can say is that dbx updates are completely fine with NixOS.
I do see some users having troubles with shim, but troubles with shim did not wait for lanzaboote to exist. There are plenty of users on Ubuntu or other distros with failing boots when single-booting Ubuntu with shim Secure Boot.
Happy to help if we can determine accurately what's going on or if there's a VM reproducer or something we could make use of, in the meantime, this is very hard.
To be frank, dual (or more) booting is a very complicated use case to support, so I hope you can understand that the maintainers need more help to see what can be done.
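One way to settle the question raised above (whether a dbx update could actually contain the digest of your own signed image) is to read the dbx variable and intersect it with the digests of the images in your ESP. The parser below is an added example written for this thread, not code from Lanzaboote or sbctl. It assumes the raw variable body as efivarfs exposes it (the file dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f, whose first four bytes are attributes and get stripped), and it expects the Authenticode PE digest of each image, the value a PE tool such as pesign --hash prints; a plain sha256sum of the file will not match dbx entries.

```python
import struct
import uuid

# SignatureType GUID that marks an EFI_SIGNATURE_LIST of SHA-256 image digests.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_LIST_HEADER = 28          # 16-byte GUID + three uint32 fields
SHA256_SIG_SIZE = 16 + 32     # owner GUID + digest


def strip_efivars_attributes(raw):
    """efivarfs prefixes every variable with a 4-byte attribute word; drop it."""
    return raw[4:]


def parse_dbx_hashes(blob):
    """Return the set of SHA-256 digests (hex) in a dbx variable body.

    The body is a chain of EFI_SIGNATURE_LIST structures: SignatureType GUID,
    SignatureListSize, SignatureHeaderSize, SignatureSize, an optional header,
    then EFI_SIGNATURE_DATA entries (16-byte owner GUID + SignatureData).
    Lists of other types (e.g. revoked X.509 certificates) are skipped.
    """
    hashes = set()
    off = 0
    while off + SIG_LIST_HEADER <= len(blob):
        sig_type = uuid.UUID(bytes_le=bytes(blob[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < SIG_LIST_HEADER or off + list_size > len(blob):
            raise ValueError("truncated or corrupt EFI_SIGNATURE_LIST")
        entries = blob[off + SIG_LIST_HEADER + hdr_size:off + list_size]
        if sig_type == EFI_CERT_SHA256_GUID:
            if sig_size != SHA256_SIG_SIZE or len(entries) % sig_size:
                raise ValueError("malformed SHA-256 signature list")
            for i in range(0, len(entries), sig_size):
                hashes.add(entries[i + 16:i + sig_size].hex())
        off += list_size
    return hashes


def find_blocked(dbx_blob, image_digests):
    """image_digests: {path: hex Authenticode SHA-256}. Returns paths found in dbx."""
    blocked = parse_dbx_hashes(dbx_blob)
    return sorted(p for p, d in image_digests.items() if d.lower() in blocked)


def build_sha256_list(digests):
    """Constructed test data only: one EFI_CERT_SHA256 list with the given digests."""
    entries = b"".join(uuid.UUID(int=0).bytes_le + d for d in digests)
    header = struct.pack("<III", SIG_LIST_HEADER + len(entries), 0, SHA256_SIG_SIZE)
    return EFI_CERT_SHA256_GUID.bytes_le + header + entries
```

If find_blocked returns an empty list for every image under EFI/Linux and EFI/BOOT, the dbx update is not what the firmware is rejecting, and the "bad shim signature" message points at the shim or its SBAT data instead.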
Right, all I can say is that I have done this process with Endeavour and Cachy and they always booted.
What kind of data could I offer? Sbctl verify output?
I'll also try some more troubleshooting, and if I find the reason I'll be sure to let you know.
EDIT: I just inspected my boot partition for Fedora and noticed some old stuff from when I first used Linux that I had not cleaned up. That's all gone now, so I am going to try this again. Also I realised that in one of my NixOS installations I decided to "replace a partition" instead of erasing a disk, that then caused NixOS to find an existing boot partition. My boot entries were clean, but I did not think of looking into the boot partition for old files from very old installations.
I'll attempt another install, fingers crossed.
EDIT 2: Nope, still getting blocked. Old stuff has been cleaned. (The irony that the imperative part of this process is the one causing issues is not lost on me.) I'll turn on logging to see if I can get more info.
Okay, so I reset the keys to factory.
Re-enrolled.
Updated dbx directly in Nix.
And now it boots.
I have 0 idea why that worked. But I'll take it. I'll make sure to sponsor you guys, as you do allow me to use NixOS with Secure Boot and I wouldn't use it at all if it weren't for Lanzaboote.