
Bug#928300: shim-signed: secure boot via removable media path unavailable


Christian Bachmaier

May 1, 2019, 11:00:02 AM
Package: shim-signed
Severity: normal

Dear Maintainer,

on my up to date buster system I have installed shim-signed and
grub-efi-amd64-signed and their dependencies as described on
https://wiki.debian.org/SecureBoot/Testing.

However, booting with secure boot option on (in firmware) is not possible. I
strongly believe that the reason for that is my buggy UEFI implementation on my
Intel board, as many people may have: I need to use the removable media path,
as the debian installer provides the option. (see
https://wiki.debian.org/UEFI#Force_grub-efi_installation_to_the_removable_media_path)

Using only grub (without secure boot) this works well, and I can trigger that
by dpkg-reconfigure grub-efi-amd64 and using the option
force-efi-extra-removable true option.

I see no option to do something similar with shim-signed and its companions.
Unfortunately, manually cloning shimx64.efi to /boot/efi/EFI/BOOTX64.EFI and
copying the rest of the /boot/efi/EFI/debian directory does not help. And,
however, this would also be a todo after all packet updates...

Thanks, Chris



-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages shim-signed depends on:
ii debconf [debconf-2.0] 1.5.71
ii grub-efi-amd64-bin 2.02+dfsg1-16
ii grub2-common 2.02+dfsg1-16
pn mokutil <none>
pn shim-helpers-amd64-signed <none>

Versions of packages shim-signed recommends:
pn secureboot-db <none>

shim-signed suggests no packages.

Steve McIntyre

May 5, 2019, 8:20:03 PM
Hi Christian,

On Wed, May 01, 2019 at 04:52:35PM +0200, Christian Bachmaier wrote:
>Package: shim-signed
>Severity: normal
>
>Dear Maintainer,
>
>on my up to date buster system I have installed shim-signed and
>grub-efi-amd64-signed and their dependencies as described on
>https://wiki.debian.org/SecureBoot/Testing.
>
>However, booting with secure boot option on (in firmware) is not possible. I
>strongly believe that the reason for that is my buggy UEFI implementation on my
>Intel board, as many people may have: I need to use the removable media path,
>as the debian installer provides the option. (see
>https://wiki.debian.org/UEFI#Force_grub-efi_installation_to_the_removable_media_path)
>
>Using only grub (without secure boot) this works well, and I can trigger that
>by dpkg-reconfigure grub-efi-amd64 and using the option
>force-efi-extra-removable true option.
>
>I see no option to do something similar with shim-signed and its companions.
>Unfortunately, manually cloning shimx64.efi to /boot/efi/EFI/BOOTX64.EFI and
>copying the rest of the /boot/efi/EFI/debian directory does not help. And,
>however, this would also be a todo after all packet updates...

Ah. :-/

I think I can see what's going on here. I'll see if I can get a fix
worked out...

--
Steve McIntyre, Cambridge, UK. st...@einval.com
You raise the blade, you make the change... You re-arrange me 'til I'm sane...

Chris Nospam

Jun 29, 2019, 12:50:02 AM
Dear Steve,

I know that this bug is not closed yet, but maybe the following is of interest for you.

I noticed your report of bug #930531 which was recently fixed in grub2 version 2.02+dfsg1-19. Thus, I decided to give secure boot another try on my Intel DH77KC board. Meanwhile grub2 2.02+dfsg1-20 was installed on my system.
So what I did is
$ apt-get install shim-signed grub-efi-amd64-signed
(and automatically all dependencies). Then, to be sure,
$ update-grub2
$ dpkg-reconfigure grub-efi-amd64
of course with force_efi_extra_removable set to/left on true.
$ update-grub2
$ shutdown -r now
Then I turned secure-boot on within the mainboard's UEFI Firmware. However, the system then won't boot and shows an error message about security violations. Pretty the same as with my first tries, which led to the initial posting. (A Windows media can be booted in secure mode.)

Chris

Steve McIntyre

Jun 30, 2019, 2:20:03 PM
Hi Chris!

On Sat, Jun 29, 2019 at 06:44:06AM +0200, Chris Nospam wrote:
>
>I know that this bug is not closed yet, but maybe the following is of
>interest for you.
>
>I noticed your report of bug #930531 which was recently fixed in
>grub2 version 2.02+dfsg1-19. Thus, I decided to give secure boot
>another try on my Intel DH77KC board. Meanwhile grub2 2.02+dfsg1-20
>was installed on my system.
>
>So what I did is
>$ apt-get install shim-signed grub-efi-amd64-signed
>(and automatically all dependencies). Then, to be sure,
>$ update-grub2
>$ dpkg-reconfigure grub-efi-amd64
>of course with force_efi_extra_removable set to/left on true.
>$ update-grub2
>$ shutdown -r now

OK, that *sounds* correct.

>Then I turned secure-boot on within the mainboard's UEFI
>Firmware. However, the system then won't boot and shows an error
>message about security violations. Pretty the same as with my first
>tries, which led to the initial posting. (A Windows media can be
>booted in secure mode.)

Can you get in to the system? I'm guessing (hoping!) just by disabling
SB for now. Then please do a listing of the EFI System Partition and
show us what boot variables are set:

# ls -lR /boot/efi
# efibootmgr -v

--
Steve McIntyre, Cambridge, UK. st...@einval.com
Getting a SCSI chain working is perfectly simple if you remember that there
must be exactly three terminations: one on one end of the cable, one on the
far end, and the goat, terminated over the SCSI chain with a silver-handled
knife whilst burning *black* candles. --- Anthony DeBoer

Chris Nospam

Jul 1, 2019, 12:40:02 PM
Dear Steve,

I try to deliver missing information.


> Can you get in to the system? I'm guessing (hoping!) just by disabling
> SB for now.

Fortunately, that is possible.


> Then please do a listing of the EFI System Partition and
> show us what boot variables are set:

> # ls -lR /boot/efi
/boot/efi:
insgesamt 4
drwx------ 4 root root 4096 Mär 7 2016 EFI

/boot/efi/EFI:
insgesamt 8
drwx------ 2 root root 4096 Jul 1 18:04 BOOT
drwx------ 2 root root 4096 Jul 1 18:04 debian

/boot/efi/EFI/BOOT:
insgesamt 3968
-rwx------ 1 root root 1322936 Jul 1 18:04 BOOTX64.EFI
-rwx------ 1 root root 1206824 Jul 1 18:04 fbx64.efi
-rwx------ 1 root root 1529200 Jul 1 18:04 grubx64.efi

/boot/efi/EFI/debian:
insgesamt 5208
-rwx------ 1 root root 108 Jul 1 18:04 BOOTX64.CSV
-rwx------ 1 root root 1206824 Jul 1 18:04 fbx64.efi
-rwx------ 1 root root 126 Jul 1 18:04 grub.cfg
-rwx------ 1 root root 1529200 Jul 1 18:04 grubx64.efi
-rwx------ 1 root root 1261192 Jul 1 18:04 mmx64.efi
-rwx------ 1 root root 1322936 Jul 1 18:04 shimx64.efi

> # efibootmgr -v
BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0000,0008,0009,000A
Boot0000* debian HD(1,GPT,ce8d01bc-8e1e-4bab-bd3f-10a56a1346cd,0x800,0x100000)/File(\EFI\debian\shimx64.efi)
Boot0008* UEFI : LAN : IP4 Intel(R) 82579V Gigabit Network Connection PciRoot(0x0)/Pci(0x19,0x0)/MAC(4c72b926a1c7,0)/IPv4(0.0.0.00.0.0.0,0,0)AMBO
Boot0009* UEFI : LAN : IP6 Intel(R) 82579V Gigabit Network Connection PciRoot(0x0)/Pci(0x19,0x0)/MAC(4c72b926a1c7,0)/IPv6([::]:<->[::]:,0,0)AMBO
Boot000A* UEFI : SATA : PORT 6G 0 : SAMSUNG SSD 830 Series : PART 0 : OS Bootloader PciRoot(0x0)/Pci(0x1f,0x2)/Sata(0,65535,0)/HD(1,GPT,ce8d01bc-8e1e-4bab-bd3f-10a56a1346cd,0x800,0x100000)AMBO


# umount /boot/efi (if that should be of interest)
# ls -lR /boot/efi
/boot/efi:
insgesamt 4
drwxr-xr-x 4 root root 4096 Mär 7 2016 EFI

/boot/efi/EFI:
insgesamt 8
drwxr-xr-x 2 root root 4096 Feb 23 2018 BOOT
drwxr-xr-x 2 root root 4096 Feb 23 2018 debian

/boot/efi/EFI/BOOT:
insgesamt 128
-rwx------ 1 root root 131072 Jun 29 06:15 BOOTX64.EFI

/boot/efi/EFI/debian:
insgesamt 128
-rwx------ 1 root root 131072 Jun 29 06:15 grubx64.efi


The exact error message during booting with SB on is:
Image Autorization Fail.
System cannot boot to this device due to Security Violation.
Press Enter key to continue.


Booting the live image like
https://cdimage.debian.org/cdimage/weekly-live-builds/amd64/iso-hybrid/debian-live-testing-amd64-xfce.iso
with SB on is also not possible (actually I tested last week's build). Win 10 by installer DVD is (and long time ago an installed system on (another) HDD was) no problem with SB on.
Note, I have not a dual boot system or something like that, solely Buster is on my system.


# gdisk -l /dev/sda
GPT fdisk (gdisk) version 1.0.3

Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present

Found valid GPT with protective MBR; using GPT.
Disk /dev/sda: 1000215216 sectors, 476.9 GiB
Model: SAMSUNG SSD 830
Sector size (logical/physical): 512/512 bytes
Disk identifier (GUID): 1F83AB09-033C-4FA1-80CB-8DD29163E919
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 34, last usable sector is 1000215182
Partitions will be aligned on 2048-sector boundaries
Total free space is 2669 sectors (1.3 MiB)

Number Start (sector) End (sector) Size Code Name
1 2048 1050623 512.0 MiB EF00
2 1050624 933314559 444.5 GiB 8300
3 933314560 1000214527 31.9 GiB 8200
# sgdisk --info=1 /dev/sda
Partition GUID code: C12A7328-F81F-11D2-BA4B-00A0C93EC93B (EFI System)
Partition unique GUID: CE8D01BC-8E1E-4BAB-BD3F-10A56A1346CD
First sector: 2048 (at 1024.0 KiB)
Last sector: 1050623 (at 513.0 MiB)
Partition size: 1048576 sectors (512.0 MiB)
Attribute flags: 0000000000000000
Partition name: ''


Thank you again for your interest and commitment!

Chris

Steve McIntyre

Jul 1, 2019, 1:20:03 PM
Hi Chris,

On Mon, Jul 01, 2019 at 06:36:40PM +0200, Chris Nospam wrote:
>
>I try to deliver missing information.
>
>> Can you get in to the system? I'm guessing (hoping!) just by disabling
>> SB for now.
>
>Fortunately, that is possible.

Phew. :-)

>> Then please do a listing of the EFI System Partition and
>> show us what boot variables are set:
>
>> # ls -lR /boot/efi
>/boot/efi:
>insgesamt 4
>drwx------ 4 root root 4096 Mär 7 2016 EFI
>
>/boot/efi/EFI:
>insgesamt 8
>drwx------ 2 root root 4096 Jul 1 18:04 BOOT
>drwx------ 2 root root 4096 Jul 1 18:04 debian
>
>/boot/efi/EFI/BOOT:
>insgesamt 3968
>-rwx------ 1 root root 1322936 Jul 1 18:04 BOOTX64.EFI
>-rwx------ 1 root root 1206824 Jul 1 18:04 fbx64.efi
>-rwx------ 1 root root 1529200 Jul 1 18:04 grubx64.efi
>
>/boot/efi/EFI/debian:
>insgesamt 5208
>-rwx------ 1 root root 108 Jul 1 18:04 BOOTX64.CSV
>-rwx------ 1 root root 1206824 Jul 1 18:04 fbx64.efi
>-rwx------ 1 root root 126 Jul 1 18:04 grub.cfg
>-rwx------ 1 root root 1529200 Jul 1 18:04 grubx64.efi
>-rwx------ 1 root root 1261192 Jul 1 18:04 mmx64.efi
>-rwx------ 1 root root 1322936 Jul 1 18:04 shimx64.efi

OK, that's very similar to my own system. (I've got
fwupdate-amd64-signed installed too, so a couple of extra files).

>> # efibootmgr -v
>BootCurrent: 0000
>Timeout: 1 seconds
>BootOrder: 0000,0008,0009,000A
>Boot0000* debian HD(1,GPT,ce8d01bc-8e1e-4bab-bd3f-10a56a1346cd,0x800,0x100000)/File(\EFI\debian\shimx64.efi)
>Boot0008* UEFI : LAN : IP4 Intel(R) 82579V Gigabit Network Connection PciRoot(0x0)/Pci(0x19,0x0)/MAC(4c72b926a1c7,0)/IPv4(0.0.0.00.0.0.0,0,0)AMBO
>Boot0009* UEFI : LAN : IP6 Intel(R) 82579V Gigabit Network Connection PciRoot(0x0)/Pci(0x19,0x0)/MAC(4c72b926a1c7,0)/IPv6([::]:<->[::]:,0,0)AMBO
>Boot000A* UEFI : SATA : PORT 6G 0 : SAMSUNG SSD 830 Series : PART 0 : OS Bootloader PciRoot(0x0)/Pci(0x1f,0x2)/Sata(0,65535,0)/HD(1,GPT,ce8d01bc-8e1e-4bab-bd3f-10a56a1346cd,0x800,0x100000)AMBO

OK, they all look sane enough.

># umount /boot/efi (if that should be of interest)
># ls -lR /boot/efi
>/boot/efi:
>insgesamt 4
>drwxr-xr-x 4 root root 4096 Mär 7 2016 EFI
>
>/boot/efi/EFI:
>insgesamt 8
>drwxr-xr-x 2 root root 4096 Feb 23 2018 BOOT
>drwxr-xr-x 2 root root 4096 Feb 23 2018 debian
>
>/boot/efi/EFI/BOOT:
>insgesamt 128
>-rwx------ 1 root root 131072 Jun 29 06:15 BOOTX64.EFI
>
>/boot/efi/EFI/debian:
>insgesamt 128
>-rwx------ 1 root root 131072 Jun 29 06:15 grubx64.efi

It's odd that you have files in /boot/efi but on a separate filesystem
(the rootfs?), not within the ESP. But they shouldn't be seen by the
UEFI firmware, so meh.

>The exact error message during booting with SB on is:
>Image Autorization Fail.

*Exactly* that, including the missing "h" in Authorization ? Or is
that a typo on your part?

>System cannot boot to this device due to Security Violation.
>Press Enter key to continue.
>
>
>Booting the live image like
>https://cdimage.debian.org/cdimage/weekly-live-builds/amd64/iso-hybrid/debian-live-testing-amd64-xfce.iso
>with SB on is also not possible (actually I tested last week's build). Win 10 by installer DVD is (and long time ago an installed system on (another) HDD was) no problem with SB on.

OK, that's odd too. Exactly that image is booting fine in SB mode for
me on other systems. I've just tried it now to be sure!

>Note, I have not a dual boot system or something like that, solely Buster is on my system.

ACK.
So, I'm curious what keys your system claims to recognise then. The
mokutil tool can dump the public keys in each of the key lists on your
system, as listed in the man page:

...
--pk List the keys in PK
--kek List the keys in KEK
--db List the keys in db
--dbx List the keys in dbx

Could you grab those and share them too please? I'm wondering if your
system has maybe had some keys removed or revoked.

--
Steve McIntyre, Cambridge, UK. st...@einval.com
"... the premise [is] that privacy is about hiding a wrong. It's not.
Privacy is an inherent human right, and a requirement for maintaining
the human condition with dignity and respect."
-- Bruce Schneier

Chris Nospam

Jul 1, 2019, 2:10:03 PM
Dear Steve,

> It's odd that you have files in /boot/efi but on a separate filesystem
> (the rootfs?), not within the ESP.

yep, on the rootfs on /dev/sda2. Must have been done by the deb-installer. Now I removed the files from the root partition as ESP is mounted over them. As expected, no change.

>> The exact error message during booting with SB on is:
>> Image Autorization Fail.
> *Exactly* that, including the missing "h" in Authorization ? Or is
> that a typo on your part?

Definitely, I made the typo, since no cut&paste on the boot screen...

> So, I'm curious what keys your system claims to recognise then. The
> mokutil tool can dump the public keys in each of the key lists on your
> system, as listed in the man page:

# mokutil --pk
[key 1]
SHA1 Fingerprint: 77:a8:28:ba:0c:72:b4:49:79:5c:c0:5a:47:10:cf:a7:29:1c:0f:79
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c3:1d:39:ca:ef:3d:8b:dd
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Intel(R) Desktop Boards
Validity
Not Before: Feb 2 00:09:49 2013 GMT
Not After : Jan 31 00:09:49 2023 GMT
Subject: CN=Intel(R) Desktop Boards
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
D2:EE:76:04:80:00:C1:E6:56:D2:FE:D7:EF:8B:5A:D8:0C:3C:B1:39
X509v3 Authority Key Identifier:
keyid:D2:EE:76:04:80:00:C1:E6:56:D2:FE:D7:EF:8B:5A:D8:0C:3C:B1:39

X509v3 Basic Constraints:
CA:TRUE

# mokutil --kek
[key 1]
SHA1 Fingerprint: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:0a:d1:88:00:00:00:00:00:03
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
Validity
Not Before: Jun 24 20:41:29 2011 GMT
Not After : Jun 24 20:51:29 2026 GMT
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
1.3.6.1.4.1.311.21.1:
...
X509v3 Subject Key Identifier:
62:FC:43:CD:A0:3E:A4:CB:67:12:D2:5B:D9:55:AC:7B:CC:B6:8A:5F
1.3.6.1.4.1.311.20.2:
.
.S.u.b.C.A
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
keyid:45:66:52:43:E1:7E:58:11:BF:D6:4E:9E:23:55:08:3B:3A:22:6A:A8

X509v3 CRL Distribution Points:

Full Name:
URI:http://crl.microsoft.com/pki/crl/products/MicCorThiParMarRoo_2010-10-05.crl

Authority Information Access:
CA Issuers - URI:http://www.microsoft.com/pki/certs/MicCorThiParMarRoo_2010-10-05.crt


# mokutil --db
[key 1]
SHA1 Fingerprint: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:07:76:56:00:00:00:00:00:08
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
Validity
Not Before: Oct 19 18:41:42 2011 GMT
Not After : Oct 19 18:51:42 2026 GMT
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
1.3.6.1.4.1.311.21.1:
...
X509v3 Subject Key Identifier:
A9:29:02:39:8E:16:C4:97:78:CD:90:F9:9E:4F:9A:E1:7C:55:AF:53
1.3.6.1.4.1.311.20.2:
.
.S.u.b.C.A
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
keyid:D5:F6:56:CB:8F:E8:A2:5C:62:68:D1:3D:94:90:5B:D7:CE:9A:18:C4

X509v3 CRL Distribution Points:

Full Name:
URI:http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl

Authority Information Access:
CA Issuers - URI:http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt


[key 2]
SHA1 Fingerprint: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:08:d3:c4:00:00:00:00:00:04
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
Validity
Not Before: Jun 27 21:22:45 2011 GMT
Not After : Jun 27 21:32:45 2026 GMT
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
1.3.6.1.4.1.311.21.1:
.....
1.3.6.1.4.1.311.21.2:
....k..wSJ.%7.N.&{. p.
X509v3 Subject Key Identifier:
13:AD:BF:43:09:BD:82:70:9C:8C:D5:4F:31:6E:D5:22:98:8A:1B:D4
1.3.6.1.4.1.311.20.2:
.
.S.u.b.C.A
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
keyid:45:66:52:43:E1:7E:58:11:BF:D6:4E:9E:23:55:08:3B:3A:22:6A:A8

X509v3 CRL Distribution Points:

Full Name:
URI:http://crl.microsoft.com/pki/crl/products/MicCorThiParMarRoo_2010-10-05.crl

Authority Information Access:
CA Issuers - URI:http://www.microsoft.com/pki/certs/MicCorThiParMarRoo_2010-10-05.crt


# mokutil --dbx
[key 1]
[SHA-256]
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

[key 2]
[SHA-256]

[key 3]
[SHA-256]


> I'm wondering if your
> system has maybe had some keys removed or revoked.

Unfortunately, it is not one of the newest boards, but a reliable one. However, I never did add/change/remove any keys by hand.
Firmware is the latest Intel has released (some few years ago).

Chris
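
The two inspections requested in this thread (the ESP listing and the `mokutil --db` dump) can be scripted. The following is an added example, not code from the thread or from the shim/GRUB packages; function names are hypothetical, file names follow the listing above, and the demo tree is constructed. A pass only rules out a stale removable-path copy and a missing UEFI CA in db.

```shell
#!/bin/sh
# Added example, not from the thread. File names follow the `ls -lR /boot/efi`
# listing in the thread; function names are hypothetical.

# check_removable_path ESP_MOUNT
# Returns 0 when EFI/BOOT mirrors the shim install under EFI/debian,
# 1 on a mismatch, 2 when shimx64.efi or BOOTX64.EFI is absent.
check_removable_path() {
    esp=$1
    vendor="$esp/EFI/debian"
    removable="$esp/EFI/BOOT"
    result=0

    for f in "$vendor/shimx64.efi" "$removable/BOOTX64.EFI"; do
        if [ ! -f "$f" ]; then
            echo "MISSING $f"
            return 2
        fi
    done

    # The removable-media fallback loads BOOTX64.EFI directly. In Debian's
    # chain that file has to be shim: GRUB is signed with Debian's key, which
    # shim carries but the firmware db does not.
    if cmp -s "$removable/BOOTX64.EFI" "$vendor/shimx64.efi"; then
        echo "OK      BOOTX64.EFI is a copy of shimx64.efi"
    elif [ -f "$vendor/grubx64.efi" ] &&
         cmp -s "$removable/BOOTX64.EFI" "$vendor/grubx64.efi"; then
        echo "FAIL    BOOTX64.EFI is GRUB itself, not shim"
        result=1
    else
        echo "FAIL    BOOTX64.EFI differs from shimx64.efi (stale or foreign loader)"
        result=1
    fi

    # shim looks for grubx64.efi in the directory it was started from.
    if [ ! -f "$removable/grubx64.efi" ]; then
        echo "FAIL    no grubx64.efi next to BOOTX64.EFI"
        result=1
    elif ! cmp -s "$removable/grubx64.efi" "$vendor/grubx64.efi"; then
        echo "FAIL    EFI/BOOT/grubx64.efi differs from EFI/debian/grubx64.efi"
        result=1
    else
        echo "OK      grubx64.efi matches in both directories"
    fi
    return $result
}

# db_subject_cns: reads `mokutil --db` output on stdin and prints the CN of
# each enrolled certificate's Subject line (handles "CN=" and "CN = ").
db_subject_cns() {
    sed -n 's/^[[:space:]]*Subject:.*CN *= *//p'
}

# db_has_uefi_ca: succeeds when db holds "Microsoft Corporation UEFI CA 2011",
# the CA under which Microsoft signs third-party loaders such as shim.
db_has_uefi_ca() {
    db_subject_cns | grep -qx 'Microsoft Corporation UEFI CA 2011'
}

# demo: builds a constructed stand-in for /boot/efi and runs the layout check.
demo() {
    demo_esp=$(mktemp -d)
    mkdir -p "$demo_esp/EFI/debian" "$demo_esp/EFI/BOOT"
    printf 'constructed-shim' > "$demo_esp/EFI/debian/shimx64.efi"
    printf 'constructed-grub' > "$demo_esp/EFI/debian/grubx64.efi"
    cp "$demo_esp/EFI/debian/shimx64.efi" "$demo_esp/EFI/BOOT/BOOTX64.EFI"
    cp "$demo_esp/EFI/debian/grubx64.efi" "$demo_esp/EFI/BOOT/grubx64.efi"
    check_removable_path "$demo_esp"
    rm -rf "$demo_esp"
}

# Real use: check_removable_path /boot/efi; mokutil --db | db_has_uefi_ca
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```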

Timo van Roermund

Jan 7, 2022, 8:10:03 PM
Dear Chris, Steve,

Was there any further follow-up on this issue?

It seems that I've got pretty much the same situation here on an Intel
DB75EN motherboard.

Regarding the keys, pretty much the same situation:

- same keys/content in the secure boot signature store (db)
- similar contents in the secure boot blacklist signature store (dbx) --
I have the same first entry, only the 2nd and 3rd are missing
- same keys/content in the Key Exchange Key Signature database (KEK)
- but I have no public Platform Key (PK) installed

The (literal) output on the screen is:

        Image Authorization Fail.
        System can not boot to this device due to Security Violation.

        Press Enter key to continue.

Thanks in advance,

Timo

Steve McIntyre

Mar 10, 2023, 9:10:05 PM
Hey guys,

Apologies for not getting back to you in better time...

I've just uploaded new shim-signed binaries for all of buster,
bullseye and unstable based on the latest upstream version (15.7). I
can't *promise* that this will fix your issue, but it would be very
helpful if you could try them and let me know please.

The buster upload should be already available via security.debian.org;
the bullseye version is in bullseye-proposed updates if you need to
look.

You'll need to grab the appropriate shim-signed and shim-signed-common
packages together, then install by hand.

If that still doesn't help, the next thing to try is turning on shim
debug using:

$ sudo mokutil --set-verbosity true

This will produce a *lot* of output; if you can capture it via video
or on a serial port, that may help diagnose what's happening.

Thanks!

--
Steve McIntyre, Cambridge, UK. st...@einval.com
"C++ ate my sanity" -- Jon Rabone

Timo van Roermund

Mar 12, 2023, 12:40:04 PM
Dear Steve,

I just upgraded shim-signed and shim-signed-common to version
1.39+15.7-1; but unfortunately, secure boot still fails with the same
message.

I also turned on shim debug. A recording of the debug output, which is
only visible when disabling secure boot in the (UEFI) BIOS, is available
here:

https://www.van-roermund.nl/temp/boot_shim.mp4

(I hope the quality suffices.)

Cheers,

Timo