Bug 973751

Summary: opensuse leap fails to load ubuntu/mint kernel
Product: [openSUSE] openSUSE Distribution
Reporter: Dave Howorth <novell>
Component: Bootloader
Assignee: Gary Ching-Pang Lin <glin>
Status: RESOLVED DUPLICATE
QA Contact: Jiri Srain <jsrain>
Severity: Major
Priority: P5 - None
CC: mchang, novell
Version: Leap 42.1
Flags: mchang: needinfo? (novell)
Target Milestone: ---
Hardware: x86-64
OS: openSUSE 42.1
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Dave Howorth 2016-04-03 13:33:01 UTC
User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Build Identifier: 

I had Mint installed on a machine, which also has W10, and it was all
working fine. I installed Leap and that is working fine. When I reboot I
get taken to openSUSE's boot menu, which is fine, and it reboots either
Leap or W10 fine, but if I select the line for Mint it says

  error: vmlinuz.... has invalid signature.
  error: you need to load the kernel first.

The machine has UEFI and is in secure mode and Mint was booting just
fine using its own (well, Ubuntu's) grub.

There's a mailing list thread about the problem that starts at
https://lists.opensuse.org/opensuse/2016-03/msg01526.html

Part way through that thread, Andrei Borzenkov identified it as a bug and asked me to open this bug report (sorry can't find the message in the archive thread). He said:

The error message you get when you try to chainload Ubuntu shim from
openSUSE shim comes from shim itself. As far as I can tell looking at
code, it is a bug in shim which is hit when you are doing something like
this

shim(1) -> bootloader(1) -> shim(2) -> bootloader(2) -> kernel

The problem is that shim(1) hooks into EFI services but it has no
information about bootloader(2), so when bootloader(2) attempts to launch
kernel, shim(1) thinks kernel was not verified and blocks this attempt.

Now code that does it (at least, code that contains error message you
see) appeared in shim 0.9. At least my copy of Ubuntu 14.04 has shim
0.8. Could you verify what shim version you have?

He later confirmed that 

bor@bor-Latitude-E5450:~/src/shim$ dpkg-query -W shim
shim    0.8-0ubuntu2


Reproducible: Always

Steps to Reproduce:
1. Install Mint 17.3
2. Install Leap 42.1
3. Try to boot Mint via the entry in Leap's grub menu

Note that secure boot must be enabled.

Actual Results:  
boot fails with message in details

Expected Results:  
boot mint, possibly warning me that it was insecure

The only workaround I had was to boot into openSUSE, then use efibootmgr to select Mint and reboot into Mint.

I now have a workaround which involves using the Mint grub screen as primary and chainloading to the openSUSE grub screen.

The Acer firmware does not support editing its displayed boot menu.

Comment 2 Michael Chang 2016-04-06 02:34:46 UTC
As far as I know, ubuntu grub2 did not verify their kernel image or even do not sign their kernel, but it's from their initial work of uefi secure boot support and things may have changed.

But anyway, we got hit by issues of such different shim instances from time to time. Reassign to Gary as he's now maintainer of it.

Thanks.

Comment 3 Michael Chang 2016-04-06 03:21:14 UTC
Gary is on vacation now, and will be back next week.

Generally, it's a good start to check that all signatures and pubkeys are in place before looking deeper into the source code.

To show the Mint kernel's digital signature and certificate:
  pesign -S -i <YOUR_MINT_KERNEL>

To list the enrolled keys in the MOK database:
  mokutil --list-enrolled

Thanks.

Comment 4 Michael Chang 2016-04-07 04:54:01 UTC
OK. I overlooked that Andrei has filed another bug report for his finding on the offending patch to discuss. Let's move to that one to track the issue. 
Thanks.

*** This bug has been marked as a duplicate of bug 973745 ***
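
The nested chain quoted in the description, shim(1) -> bootloader(1) -> shim(2) -> bootloader(2) -> kernel, as a toy model; this is an added example, not shim's code and not from anyone in this report. The class names, signer labels and per-image bookkeeping are assumptions made for illustration; shim(2) is modelled without service hooks because the report says that code appeared in shim 0.9 and the Ubuntu shim checked was 0.8.

```python
# Toy model of the boot chain in the report. Not shim's real code or data
# structures; all names and signer labels below are constructed.

class Firmware:
    """Stands in for the EFI boot services table."""
    def __init__(self):
        self.start_image = lambda image: "started " + image


class Shim:
    def __init__(self, name, fw, trusted_signers, hooks_services):
        self.name = name
        self.trusted = set(trusted_signers)
        self.verified = set()  # images checked through THIS shim instance only
        if hooks_services:
            # Wrap the firmware service so every later launch passes through us.
            self._original = fw.start_image
            fw.start_image = self._guarded_start

    def verify(self, image, signer):
        """What a bootloader calls before it launches an image."""
        if signer not in self.trusted:
            raise PermissionError(f"{self.name}: signer of {image} not trusted")
        self.verified.add(image)

    def _guarded_start(self, image):
        if image not in self.verified:
            raise PermissionError(f"{self.name}: {image} was not verified here")
        return self._original(image)


def boot_direct():
    """shim(1) -> bootloader(1) -> kernel, for comparison."""
    fw = Firmware()
    shim1 = Shim("shim(1)", fw, {"vendor-1"}, hooks_services=True)
    shim1.verify("kernel-1", "vendor-1")
    return fw.start_image("kernel-1")


def boot_nested():
    """shim(1) -> bootloader(1) -> shim(2) -> bootloader(2) -> kernel"""
    fw = Firmware()
    shim1 = Shim("shim(1)", fw, {"vendor-1", "shim2-signer"}, hooks_services=True)
    shim1.verify("shim(2)", "shim2-signer")   # bootloader(1) chainloads shim(2)
    fw.start_image("shim(2)")
    shim2 = Shim("shim(2)", fw, {"vendor-2"}, hooks_services=False)
    shim2.verify("kernel-2", "vendor-2")      # bootloader(2) talks to shim(2) only
    return fw.start_image("kernel-2")         # still routed through shim(1)'s hook
```

`boot_direct()` succeeds, while `boot_nested()` raises from shim(1)'s hook even though shim(2) accepted the kernel, because the verification result lives in a different shim instance.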