Hi,
I have been using a signed Ubuntu 16.04 bootable ramdisk on a NUC7i5DNHE with custom Secure Boot keys (PK, KEK, db). The keys are installed with rEFInd/KeyTool.
After upgrading the BIOS from 0026 to 0069, grub fails to load the Linux image:
loader/efi/linux.c:44: Locating shim protocol
loader/efi/linux.c:49: shim not available
error: /casper/vmlinuz has invalid signature
error: you need to load the kernel first
When I try to boot Linux via the grub shell, I get plenty of errors like:
error: Secure Boot forbids loading module from (memdisk)/boot/grub/x86-64-efi/linux.mod
even though the grub image contains detached signatures.
The BIOS cannot be rolled back. Secure Boot must not be disabled.
grub is signed with db key.
vmlinuz is signed with GPG key embedded into the grub image.
I've reviewed the BIOS configuration, but could not find any relevant option.
Has anything changed in BIOS that requires changes in signing process?
How should I sign binaries to make it bootable with BIOS 0069?
Please advise.
Environment:
NUC model: NUC7i5DN
BIOS Version: DNKBLi5v.86A.0069.2020.061.0.1823
OS: Ubuntu 16.04
How did you get from 26 to 68? One step? If so, that's too big a jump and you likely have a ME firmware issue. I suggest that you reinstall BIOS 68, but this time using the BIOS Recovery method. This is documented here: Intel NUC BIOS Update and Recovery Instructions.
Hope this helps,
...S
@n_scott_pearson wrote:
How did you get from 26 to 68? One step? If so, that's too big a jump and you likely have a ME firmware issue. I suggest that you reinstall BIOS 68, but this time using the BIOS Recovery method. This is documented here: Intel NUC BIOS Update and Recovery Instructions.
Hope this helps,
...S
Hi Scott!
I haven't seen any notifications or recommendations to gradually update the BIOS from older versions to 0069.
According to DNi5_0069_ReleaseNotes.pdf
Known Errata:
• Due to the Intel® ME firmware update in BIOS version 0069, you can’t downgrade to version 0068 or earlier.
I tried "BIOS recovery" process and was able to recover 0068 BIOS on the NUC.
However, I am still observing the same issue with grub2 failing to boot Linux.
I've tried to downgrade the BIOS further. However, intel.com has only 0068 and 0069.
I found 0063, 0064, 0066 and 0067 on an external web site, but the BIOS update from 0068 to lower versions fails with the error:
Incompatible BIOS Version. Update Aborted!
Any recommendations?
I've found out that I also updated grub to 2.02-beta2-36ubuntu3.27.
But it works fine with 2.02-beta2-36ubuntu3.12.
I guess my issue is more related to this issue:
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass
Hello agry,
Thank you for posting on the Intel® communities.
If you are experiencing Linux-specific issues, the Linux operating system vendor is the best source of support.
I attach the Linux* Operating System Vendor Websites, in case you are interested in getting support directly from the Linux vendor.
However, I would like to further investigate this for you.
To better assist you please provide the following information:
· Do you get any additional error message during the process?
· If possible, provide screenshots.
· Do you have any update after following the recommendations in the link that you provided? (GRUB2SecureBootBypass)
Please run the following tool and attach the report generated:
Intel® System Support Utility for Linux*
Esteban D.
Intel Technical Support Technician
I figured that this issue does not relate to BIOS update at all.
The root cause of the boot problem on my setup was a change in grub 2.02~beta2-36ubuntu3.26.
According to the diff, grub 26 has the following change:
+ [ Dimitri John Ledkov ]
+ * SECURITY UPDATE: Grub does not enforce kernel signature validation
+ when the shim protocol isn't present.
+ - 0097-linuxefi-fail-kernel-validation-without-shim-protoco.patch:
+ Fail kernel validation if the shim protocol isn't available
+ - CVE-2020-15705
So, to make it work again with 2.02~beta2-36ubuntu3.27 I had to add shim to my boot flow:
- re-compile shim with embedded db certificate
- sign shim with db key
- sign grub with db key
- sign kernel with db key
- sign kernel with gpg key
I guess this ticket can be closed now.
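As an added example (not code from this thread, from Ubuntu, from grub or from shim): a POSIX shell script that carries out the signing steps listed above and also answers the original question of how the binaries must be signed for the fixed grub. It assumes sbsigntool (sbsign/sbverify) and gpg are installed, that the db private key and certificate are at $KEYDIR/db.key and $KEYDIR/db.crt, that the GPG key selected by $GPG_KEYID is the one whose public key is embedded in the grub image, and that shim has already been rebuilt with its VENDOR_CERT_FILE pointing at the db certificate. The ESP paths, the key directory and the GPG key id are assumed values, not from the thread. Two helpers run offline: one tells from the Ubuntu package version whether grub enforces the shim protocol (the 3.26 cut-off quoted above), the other checks that every piece of the shim, grub, kernel and detached-signature chain is present on the ESP.

```shell
#!/bin/sh
# Added example, not from the thread or the projects it mentions.
# Assumed layout (hypothetical; adjust to your own):
#   $KEYDIR/db.key, $KEYDIR/db.crt  private key and certificate enrolled in the db variable
#   $GPG_KEYID                      GPG key whose public part is embedded in the grub image
# shim is assumed to have been built with the db certificate embedded, e.g.
#   make VENDOR_CERT_FILE=db.der
KEYDIR=${KEYDIR:-./keys}
GPG_KEYID=${GPG_KEYID:-boot-signing@example.invalid}

# Ubuntu grub 2.02~beta2-36ubuntu3.26 and later (the CVE-2020-15705 fix quoted
# above) refuse to load a kernel through linuxefi unless the shim protocol is
# present.  Returns 0 for such a package version, 1 otherwise.  Both the "~" and
# the "-" spelling of the version seen in this thread are accepted.
grub_requires_shim() {
    rev=$(printf '%s' "$1" | sed -n 's/^2\.02[~-]beta2-36ubuntu3\.\([0-9][0-9]*\)$/\1/p')
    [ -n "$rev" ] && [ "$rev" -ge 26 ]
}

# Chain the fixed grub needs on the ESP: firmware verifies shim against db,
# shim verifies grub against its embedded cert, grub asks shim to verify the
# kernel's Authenticode signature and separately checks the detached GPG
# signature (vmlinuz.sig) with its embedded public key.
# Returns 0 if every piece exists under $1, otherwise reports the gaps and returns 1.
check_esp_layout() {
    esp=$1
    status=0
    for f in EFI/BOOT/BOOTX64.EFI EFI/BOOT/grubx64.efi casper/vmlinuz casper/vmlinuz.sig; do
        if [ ! -f "$esp/$f" ]; then
            echo "missing: $f" >&2
            status=1
        fi
    done
    return $status
}

# Authenticode-sign one PE binary ($1 -> $2) with the db key, then verify the
# result chains to db.crt so a bad key/cert pairing is caught before reboot.
sign_pe() {
    sbsign --key "$KEYDIR/db.key" --cert "$KEYDIR/db.crt" --output "$2" "$1" &&
    sbverify --cert "$KEYDIR/db.crt" "$2"
}

# Detached GPG signature beside the kernel, the one grub's own check looks for.
sign_gpg() {
    gpg --batch --yes --local-user "$GPG_KEYID" --detach-sign --output "$1.sig" "$1" &&
    gpg --batch --verify "$1.sig" "$1"
}

# Full chain.  $1 = directory holding unsigned shimx64.efi, grubx64.efi and
# vmlinuz; $2 = ESP root to populate.
sign_chain() {
    src=$1
    esp=$2
    for t in sbsign sbverify gpg; do
        command -v "$t" >/dev/null 2>&1 || { echo "need $t" >&2; return 1; }
    done
    mkdir -p "$esp/EFI/BOOT" "$esp/casper" &&
    sign_pe "$src/shimx64.efi" "$esp/EFI/BOOT/BOOTX64.EFI" &&   # shim: verified by firmware (db)
    sign_pe "$src/grubx64.efi" "$esp/EFI/BOOT/grubx64.efi" &&   # grub: verified by shim
    sign_pe "$src/vmlinuz"     "$esp/casper/vmlinuz" &&         # kernel: verified via shim protocol
    sign_gpg "$esp/casper/vmlinuz" &&                           # kernel: also grub's GPG check
    check_esp_layout "$esp"
}

# Usage: sh sign-chain.sh sign <unsigned-dir> <esp-root>
case "${1:-}" in
    sign) sign_chain "$2" "$3" ;;
esac
```

The script verifies each signature right after producing it: sbverify against db.crt mirrors what the firmware and shim will do, and gpg --verify mirrors grub's detached-signature check, so a mismatch between the key used to sign and the certificate actually enrolled in db (or embedded in grub) shows up on the host rather than as "invalid signature" at boot.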
Hello agry,
Thanks for the update and the clarification.
It’s nice to know that you were able to find the root cause of the problem.
If you need any additional information, please submit a new question, as this thread will no longer be monitored.
Esteban D.
Intel Technical Support Technician