Bug 212675

Summary: Secure Boot Issue Kernel 5.12-rc7 Security Updates X
Product: EFI
Reporter: Mik (e595)
Component: Boot
Assignee: EFI Virtual User (efi)
Status: RESOLVED CODE_FIX
Severity: high
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 5.12-rc7
Subsystem:
Regression: No
Bisected commit-id:

Description Mik 2021-04-14 00:18:44 UTC
I've lost secure boot after xwayland + xserver security updates today (Kubuntu 21.04). May have to do with shim updates too this morning, but odds higher for X. Kernel 5.12-rc7 won't boot, MoK Manager refuses to negotiate.

This issue affects unsigned kernel only. Kernel 5.11.0-14.15 also in Proposed boots normally. Secure boot disabled fixes it.

sudo mokutil --disable-validation is not working anymore. Try it a second time, no effect.

Most of them are in Proposed:

2021-04-13 10:36:37 upgrade libsane1:amd64 1.0.32-0ubuntu1 1.0.32-0ubuntu2
2021-04-13 10:36:37 upgrade libsane-common:all 1.0.32-0ubuntu1 1.0.32-0ubuntu2
2021-04-13 10:36:38 upgrade sane-utils:amd64 1.0.32-0ubuntu1 1.0.32-0ubuntu2
2021-04-13 10:36:38 upgrade ubuntu-drivers-common:amd64 1:0.8.9 1:0.8.9.1
2021-04-13 10:36:38 upgrade ubuntu-release-upgrader-qt:all 1:21.04.7 1:21.04.8
2021-04-13 10:36:38 upgrade ubuntu-release-upgrader-core:all 1:21.04.7 1:21.04.8
2021-04-13 10:36:38 upgrade python3-distupgrade:all 1:21.04.7 1:21.04.8
2021-04-13 10:36:38 upgrade libgstreamer1.0-0:amd64 1.18.3-1 1.18.4-1
2021-04-13 10:36:39 upgrade libgstreamer-plugins-base1.0-0:amd64 1.18.3-1 1.18.4-1
2021-04-13 10:36:39 upgrade libgstreamer-gl1.0-0:amd64 1.18.3-1 1.18.4-1
2021-04-13 10:36:39 upgrade gstreamer1.0-gl:amd64 1.18.3-1 1.18.4-1
2021-04-13 10:36:39 upgrade gstreamer1.0-plugins-base:amd64 1.18.3-1 1.18.4-1
2021-04-13 10:36:39 upgrade gstreamer1.0-plugins-good:amd64 1.18.3-1ubuntu1 1.18.4-1ubuntu1
2021-04-13 10:36:39 upgrade libgstreamer-plugins-good1.0-0:amd64 1.18.3-1ubuntu1 1.18.4-1ubuntu1
2021-04-13 10:36:39 upgrade gstreamer1.0-pulseaudio:amd64 1.18.3-1ubuntu1 1.18.4-1ubuntu1
2021-04-13 10:36:39 upgrade gstreamer1.0-x:amd64 1.18.3-1 1.18.4-1
2021-04-13 10:36:39 upgrade python3-pexpect:all 4.8.0-1 4.8.0-1ubuntu1
2021-04-13 10:36:40 upgrade shim:amd64 15+1552672080.a4a1fbe-0ubuntu2 15.4-0ubuntu1
2021-04-13 10:36:40 upgrade shim-signed:amd64 1.45+15+1552672080.a4a1fbe-0ubuntu2 1.46+15.4-0ubuntu1
2021-04-13 18:26:22 upgrade libqt5svg5:amd64 5.15.2-2 5.15.2-3
2021-04-13 18:26:22 upgrade ubuntu-minimal:amd64 1.466 1.467
2021-04-13 18:26:22 upgrade ubuntu-standard:amd64 1.466 1.467
2021-04-13 18:26:22 upgrade python3-problem-report:all 2.20.11-0ubuntu63 2.20.11-0ubuntu64
2021-04-13 18:26:23 upgrade python3-apport:all 2.20.11-0ubuntu63 2.20.11-0ubuntu64
2021-04-13 18:26:23 upgrade apport:all 2.20.11-0ubuntu63 2.20.11-0ubuntu64
2021-04-13 18:26:23 upgrade apport-kde:all 2.20.11-0ubuntu63 2.20.11-0ubuntu64
2021-04-13 18:26:23 upgrade xserver-common:all 2:1.20.10-3ubuntu7 2:1.20.11-1ubuntu1
2021-04-13 18:26:23 upgrade xserver-xorg-legacy:amd64 2:1.20.10-3ubuntu7 2:1.20.11-1ubuntu1
2021-04-13 18:26:23 upgrade xserver-xorg-core:amd64 2:1.20.10-3ubuntu7 2:1.20.11-1ubuntu1
2021-04-13 18:26:23 upgrade xwayland:amd64 2:21.0.99.902-0ubuntu1 2:21.1.1-0ubuntu1

Comment 1 Mik 2021-04-23 18:15:41 UTC
Mint 20.1 is not affected. Xserver got updated, not shim and xwayland. The bug is in the final ISO for Ku and Ubuntu 21.04.

mokutil --sb
SecureBoot enabled
SecureBoot validation is disabled in shim

dpkg --list | grep linux-image-unsigned
ii  linux-image-unsigned-5.12.0-051200rc8-generic 5.12.0-051200rc8.202104182230         amd64        Linux kernel image for version 5.12.0 on 64 bit x86 SMP

dpkg -l | grep shim-signed
ii  shim-signed                                   1.40.4+15+1552672080.a4a1fbe-0ubuntu2 amd64        Secure Boot chain-loading bootloader (Microsoft-signed binary)

dpkg -l | grep xserver-common
ii  xserver-common                                2:1.20.9-2ubuntu1.2~20.04.2           all          common files used by various X servers

dpkg -l | grep xwayland
ii  xwayland                                      2:1.20.9-2ubuntu1.2~20.04.2           amd64        Xwayland X server

Comment 2 Mik 2021-05-04 17:02:22 UTC
Shim 1.47 restores MoK manager at boot > booting in insecure mode > ok.