Bug 814756

Summary: Today's update to grub2-efi is broken. It needs to be pulled.
Product: [openSUSE] openSUSE 12.3
Reporter: Neil Rickert <nwr10cst-oslnx>
Component: Bootloader
Assignee: Michael Chang <mchang>
Status: RESOLVED FIXED
QA Contact: Jiri Srain <jsrain>
Severity: Major
Priority: P1 - Urgent
CC: arvidjaar, glin, mchang, meissner, mls
Version: Final
Target Milestone: ---
Hardware: x86-64
OS: openSUSE 12.3
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Neil Rickert 2013-04-11 00:53:47 UTC
User-Agent:       Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) rekonq/2.1 Safari/534.34

An update today to grub2-efi 2.00-19.13.1 results in secure-boot failing.  So secure-boot has to be disabled in order to boot into the system.

See forum discussion at
 https://forums.opensuse.org/english/get-technical-help-here/install-boot-login/485748-12-3-64bit-kde-boot-failure-after-update-today-help.html

In my case, I have two installs of opensuse.  I applied the update to only one of those (the one that was not used for testing bug 809038).  With secure boot enabled, a boot entry for this install did not show up.  I could only boot the other install, or boot this install indirectly using the grub menu for the other install.

With secure boot disabled, both installs are accessible from the UEFI menu, and it defaults to booting to the one where I applied the update.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
Comment 1 Marcus Meissner 2013-04-11 05:49:03 UTC
I just did pull it.

top of changes is
-------------------------------------------------------------------
Wed Apr  3 10:56:50 UTC 2013 - mchang@suse.com

- refresh grub2-secureboot-chainloader.patch: Fix wrongly aligned
  buffer address (bnc#811608)

-------------------------------------------------------------------
Mon Mar 25 17:37:59 UTC 2013 - dvaleev@suse.com

- extraconfigure macro is not defined on ppc

-------------------------------------------------------------------
Sat Mar 23 18:31:07 UTC 2013 - arvidjaar@gmail.com

- correctly set chainloaded image device handle in secure boot mode (bnc#809038)
  (modified grub2-secureboot-chainloader.patch)
Comment 2 Marcus Meissner 2013-04-11 05:52:58 UTC
The test binaries still live in openSUSE:Maintenance:1528

http://download.opensuse.org/repositories/openSUSE:/Maintenance:/1528/openSUSE_12.3_Update_standard/

if someone wants to check.
Comment 3 Michael Chang 2013-04-11 05:58:13 UTC
Could maintenance team check the sign key is correct? Looks like the efi loader is not signed by SUSE Secureboot CA ...?
Comment 4 Michael Chang 2013-04-11 06:11:45 UTC
Confirmed that it's not signed by "openSUSE Secure Boot CA" but openSUSE:Maintenance OBS Project. :(

output from pesign -S

---------------------------------------------
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is openSUSE:Maintenance OBS Project
The signer's email address is opensuse:maintenance@build.opensuse.org
Signing time: Wed Apr 03, 2013
There were certs or crls included.
---------------------------------------------
Comment 5 Andrei Borzenkov 2013-04-11 06:19:45 UTC
Is it possible to query/see certificate using osc/OBS API? osc --signkey apparently returns something different (RPM signature key?)
Comment 6 Marcus Meissner 2013-04-11 07:07:43 UTC
We checked this in after we fixed the signing keys in openSUSE:Maintenance:* I hoped.

Apparently something is still amiss.
Comment 7 Michael Schröder 2013-04-11 09:17:17 UTC
No you didn't. The packages were built Apr 3rd, I fixed the cert Apr 4th.
Comment 8 Marcus Meissner 2013-04-11 10:14:48 UTC
oh.

can you check if the signing in 

openSUSE:Maintenance:1577

http://download.opensuse.org/repositories/openSUSE:/Maintenance:/1577/openSUSE_12.3_Update_standard/

is ok?
Comment 9 Michael Chang 2013-04-12 06:39:26 UTC
It's ok per the pesign output. And I did a quick test on it without problem (WORKS_FOR_ME).

---------------------------------------------
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is openSUSE Secure Boot Signkey
The signer's email address is build@opensuse.org
Signing time: Thu Apr 11, 2013
There were certs or crls included.
---------------------------------------------

Thanks.
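The two pesign reports above differ only in the signer's common name, which is exactly what a release check should gate on. The following is an added example, not part of this bug or of the openSUSE tooling: a POSIX sh function that reads `pesign -S` output and fails unless the signer is on an allow-list of expected Secure Boot signers (the allow-list contents and the `check_efi_file` wrapper are assumptions; the sample outputs are constructed from the two reports in this bug).

```shell
#!/bin/sh
# Added example: gate on the signer reported by "pesign -S" before shipping
# an EFI binary. Allow-list is an assumption; adjust to your signing setup.
EXPECTED_SIGNERS='openSUSE Secure Boot Signkey
openSUSE Secure Boot CA'

# Reads pesign -S output on stdin. Returns 0 only if at least one signer was
# reported and every signer's common name is on the allow-list.
check_signer_output() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            "The signer's common name is "*)
                found=1
                cn=${line#"The signer's common name is "}
                # Exact, whole-line match against the allow-list.
                if ! printf '%s\n' "$EXPECTED_SIGNERS" | grep -qxF -- "$cn"; then
                    echo "UNEXPECTED SIGNER: $cn" >&2
                    return 1
                fi
                ;;
        esac
    done
    [ "$found" -eq 1 ] || { echo "NO SIGNATURE FOUND" >&2; return 1; }
    return 0
}

# Wrapper for a binary on disk (assumes pesign is installed; -i selects
# the input PE file, -S prints the signature summary seen in this bug).
check_efi_file() {
    pesign -S -i "$1" | check_signer_output
}

# Constructed samples reproducing the two reports on this page.
BAD_OUTPUT="Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is openSUSE:Maintenance OBS Project
The signer's email address is opensuse:maintenance@build.opensuse.org
Signing time: Wed Apr 03, 2013
There were certs or crls included."

GOOD_OUTPUT="Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is openSUSE Secure Boot Signkey
The signer's email address is build@opensuse.org
Signing time: Thu Apr 11, 2013
There were certs or crls included."
```

Run as `check_efi_file grub.efi` in a release pipeline; a non-zero exit means the binary would be rejected by firmware trusting only the Secure Boot CA.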
Comment 10 Michael Chang 2013-04-26 06:18:55 UTC
Can anyone here help to confirm whether the issue can be closed or not?

Thanks.
Comment 11 Marcus Meissner 2013-04-26 06:58:15 UTC
We got a grub2 update tested (not yet released) with secure boot, so I think it's good now.