Bug 1158033 - fwupd fails to install uefi updates with secure boot enabled
Summary: fwupd fails to install uefi updates with secure boot enabled
Status: NEW
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Basesystem
Version: Current
Hardware: x86-64 All
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assignee: Tseng
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-11-28 17:11 UTC by Stanislav Brabec
Modified: 2023-09-21 14:33 UTC
CC List: 6 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
jlee: needinfo? (sbrabec)


Description Stanislav Brabec 2019-11-28 17:11:40 UTC
On the latest openSUSE Tumbleweed, I am experiencing an error while trying to install UEFI updates on a Dell Precision 5820 with Secure Boot enabled:

1. fwupdmgr update runs OK and asks for a reboot.
2. After reboot, a blue error screen appears, saying

ERROR
Verification failed: (0x1A) Security Violation

Then I can install a MOK.

I think it is exactly the same issue as Fedora has:
https://bugzilla.redhat.com/show_bug.cgi?id=1767143
https://github.com/fwupd/fwupd/issues/1504

efibootmgr -v
BootCurrent: 0000
Timeout: 2 seconds
BootOrder: 0000,0001,0002,0003
Boot0000* opensuse-secureboot	HD(1,GPT,9af43073-fbee-41e8-ad58-74854cfd333c,0x800,0xfa000)/File(\EFI\opensuse\shim.efi)
Boot0001* Onboard NIC(IPV4)	PciRoot(0x0)/Pci(0x1f,0x6)/MAC(6c2b59fac08f,0)/IPv4(0.0.0.00.0.0.0,0,0)..BO
Boot0002* Onboard NIC(IPV6)	PciRoot(0x0)/Pci(0x1f,0x6)/MAC(6c2b59fac08f,0)/IPv6([::]:<->[::]:,0,0)..BO
Boot0003* Linux Firmware Updater	HD(1,GPT,9af43073-fbee-41e8-ad58-74854cfd333c,0x800,0xfa000)/File(\EFI\opensuse\shim.efi)\.f.w.u.p.d.x.6.4...e.f.i...

fwupdmgr --version
client version:	1.2.10
compile-time dependency versions
	gusb:	0.3.0
	efivar:	37
daemon version:	1.2.10
Comment 1 Jiri Slaby 2023-07-12 07:18:14 UTC
Joey, can you take a look? Maybe a dup of bug 1129466?
Comment 2 Tseng 2023-07-12 16:19:46 UTC
(In reply to Stanislav Brabec from comment #0)
>ERROR: Verification failed: (0x1A) Security Violation

I just doubt that, before installing openSUSE TW, your system already had a bigger sbat generation number than openSUSE TW's. Would you please show your sbat variable information? For example:
> sudo cat /sys/firmware/efi/efivars/SbatLevelRT-605dab50-e046-4300-abb6-3dd810dd8b23 
sbat,1,2022052400
shim,2
grub,2

BTW, openSUSE Tumbleweed is still working on upgrading shim. It is not ready yet.
Comment 3 Tseng 2023-07-16 14:53:44 UTC
Shim's source code shows that there are 2 places that might prompt this error:

1) verify_buffer_authenticode(data, datasize, context, sha256hash, sha1hash);
2) verify_buffer_sbat(data, datasize, context);

For case 1), shim will examine whether the hash key (either sha256 or sha1) in db, dbx, MokListX, or the cert is legal or not.

[reference]
https://github.com/fwupd/fwupd/issues/1504
conclusion: build server signed with wrong cert

https://github.com/fwupd/firmware-dell/issues/18
conclusion: Dell's firmware has bug(s) in LVFS
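To see what case 2) above (verify_buffer_sbat) actually compares, here is an added example, not shim's or fwupd's own code, that re-implements shim's SBAT generation check in Python: it parses the SbatLevelRT efivar asked for in comment 2 and a binary's .sbat CSV, and reports why shim would refuse the image. The efivar bytes and the two .sbat sections are constructed samples; the assumption that shim rejects a directly loaded binary with no .sbat section at all is marked in the code.

```python
# Added example (not shim's or fwupd's code): re-implements shim's SBAT
# generation check so the SbatLevelRT efivar and a binary's .sbat CSV can
# be compared offline. All sample inputs below are constructed.
import struct

# Variable Tseng asked for; efivarfs prefixes the payload with attributes.
SBATLEVEL_EFIVAR = ("/sys/firmware/efi/efivars/"
                    "SbatLevelRT-605dab50-e046-4300-abb6-3dd810dd8b23")


def parse_sbat_level(raw):
    """SbatLevelRT efivar bytes -> {component: minimum_generation}.

    The first 4 bytes are the little-endian UEFI attribute word (the junk
    'cat' prints before 'sbat,1,...'); the rest is 'name,generation' CSV.
    """
    if len(raw) < 4:
        raise ValueError("efivar too short for an attribute header")
    struct.unpack("<I", raw[:4])  # attribute word; value not needed here
    text = raw[4:].decode("ascii", "replace").rstrip("\x00")
    return {f[0]: int(f[1]) for f in
            (line.split(",") for line in text.splitlines()) if len(f) >= 2}


def parse_sbat_section(text):
    """PE .sbat section CSV -> {component: generation}.

    Row layout: name,generation,vendor,package,version,url.
    """
    return {f[0]: int(f[1]) for f in
            (line.split(",") for line in text.splitlines()) if len(f) >= 2}


def sbat_verdict(levels, image_gens):
    """Reasons shim's verify_buffer_sbat would reject; [] means SBAT passes."""
    if not image_gens:
        # Assumption: shim rejects a directly loaded binary with no .sbat.
        return ["image has no .sbat section"]
    return [f"{name} generation {image_gens[name]} < required {minimum}"
            for name, minimum in levels.items()
            if name in image_gens and image_gens[name] < minimum]


# Constructed SbatLevelRT content matching the values shown in comment 2.
SAMPLE_EFIVAR = struct.pack("<I", 0x7) + b"sbat,1,2022052400\nshim,2\ngrub,2\n"
# Constructed .sbat for a fwupdx64.efi: 'fwupd' is not revoked by SbatLevel.
FWUPD_SBAT = ("sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
              "fwupd,1,Firmware update daemon,fwupd,1.2.10,https://github.com/fwupd/fwupd\n")
# Constructed .sbat for an old GRUB whose generation is below the floor.
OLD_GRUB_SBAT = ("sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
                 "grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/\n")

if __name__ == "__main__":
    try:
        with open(SBATLEVEL_EFIVAR, "rb") as fh:
            levels = parse_sbat_level(fh.read())  # real system value
    except OSError:
        levels = parse_sbat_level(SAMPLE_EFIVAR)  # offline fallback
    print("SbatLevel:", levels)
    print("fwupd:", sbat_verdict(levels, parse_sbat_section(FWUPD_SBAT)) or "SBAT ok")
    print("old grub:", sbat_verdict(levels, parse_sbat_section(OLD_GRUB_SBAT)) or "SBAT ok")
```

On a real machine the .sbat text can be pulled from fwupdx64.efi with objcopy (e.g. `objcopy -O binary --only-section=.sbat`), and a non-empty verdict for the fwupd component points at case 2) rather than at the signing certificate.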
Comment 4 Tseng 2023-07-27 01:58:44 UTC
May I suggest you change the boot order to 0003,0000,0001,0002?
That way we can prove that the firmware can successfully verify "Linux Firmware Updater" before running shim. Thanks.
Comment 6 Tseng 2023-08-18 16:16:53 UTC
Would you please also show the signing information of fwupdx64.efi?

> pesign -S -i /usr/lib/fwupd/efi/fwupdx64.efi
---------------------------------------------
certificate address is 0x7feebd55c180
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is SUSE Linux Enterprise Secure Boot Signkey
The signer's email address is build@suse.de
Signing time: Thu May 06, 2021
There were certs or crls included.
---------------------------------------------