[Bug 1274749] [NEW] sbkeysync fails with 'Can't access efivars filesystem at /sys/firmware/efi/efivars, aborting' with 14.04 ovmf

Jamie Strandboge jamie at ubuntu.com
Thu Jan 30 23:06:17 UTC 2014


Public bug reported:

Due to bug #1274376 I installed Ubuntu 13.10 in a VM with ovmf
0~20121205.edae8d2d-1, shut down the VM and then upgraded ovmf to
0~20131029.2f34e065-1 since I found that after repeated reboots when
using 0~20121205.edae8d2d-1 ovmf had trouble finding the disk (I don't
know why-- I couldn't find a simple reproducer).

So, when using ovmf 0~20131029.2f34e065-1, if I try to install secure
boot keys as per the instructions in
https://wiki.ubuntu.com/SecurityTeam/SecureBoot#Shim_bootloader_signed_with_Microsoft_key,
sbkeysync fails. E.g.:

$ sbkeysync --verbose --pk --dry-run
Can't access efivars filesystem at /sys/firmware/efi/efivars, aborting

I used the sb-setup command as per
https://wiki.ubuntu.com/SecurityTeam/SecureBoot#Shim_bootloader_signed_with_Microsoft_key:

$ cd /tmp
$ ./sb-setup enroll microsoft
Creating keystore...
  mkdir '/etc/secureboot/keys'
  mkdir '/etc/secureboot/keys/PK'
  mkdir '/etc/secureboot/keys/KEK'
  mkdir '/etc/secureboot/keys/db'
  mkdir '/etc/secureboot/keys/dbx'
done

Creating keys... done

Generating key updates for PK...
  using GUID=f2a7fbab-1471-40da-b18f-6a489d898f91
  creating EFI_SIGNATURE_LIST (test-cert.der.siglist)...
  creating signed update (test-cert.der.siglist.PK.signed)...
done
Generating key updates for KEK...
  using GUID=f2a7fbab-1471-40da-b18f-6a489d898f91
  creating EFI_SIGNATURE_LIST (test-cert.der.siglist)...
  creating signed update (test-cert.der.siglist.KEK.signed)...
done
Generating key updates for KEK...
  using GUID=ed200091-fb45-4da2-8efe-9ce0add35ad4
  creating EFI_SIGNATURE_LIST (microsoft-kekca-public.der.siglist)...
  creating signed update (microsoft-kekca-public.der.siglist.KEK.signed)...
done
Generating key updates for db...
  using GUID=f44c37d2-9123-4b09-abf8-d7fdfdf73476
  creating EFI_SIGNATURE_LIST (microsoft-pca-public.der.siglist)...
  creating signed update (microsoft-pca-public.der.siglist.db.signed)...
done
Generating key updates for db...
  using GUID=97ff929d-201f-44ef-8514-385958672418
  creating EFI_SIGNATURE_LIST (microsoft-uefica-public.der.siglist)...
  creating signed update (microsoft-uefica-public.der.siglist.db.signed)...
done
Initializing keystore...
  adding to /etc/secureboot/keys/PK/
  adding to /etc/secureboot/keys/KEK/
  adding to /etc/secureboot/keys/db/
done

Can't access efivars filesystem at /sys/firmware/efi/efivars, aborting
Commit to keystore? (y|N) n
$

** Affects: sbsigntool (Ubuntu)
     Importance: Undecided
         Status: New

** Summary changed:

- sbkeysync fails with 'Can't access efivars filesystem at /sys/firmware/efi/efivars, aborting'
+ sbkeysync fails with 'Can't access efivars filesystem at /sys/firmware/efi/efivars, aborting' with 14.04 ovmf

** Description changed:

  Due to bug #1274376 I installed Ubuntu 13.10 in a VM with ovmf
  0~20121205.edae8d2d-1, shutdown the vm and then upgraded ovmf to
  0~20131029.2f34e065-1 since I found that after repeated reboots when
  using 0~20121205.edae8d2d-1 ovmf had trouble finding the disk (I don't
  know why-- I couldn't find a simple reproducer).
  
  So, when using  ovmf 0~20131029.2f34e065-1 if I try to install secure
  boot keys as per the instructions in
  https://wiki.ubuntu.com/SecurityTeam/SecureBoot#Shim_bootloader_signed_with_Microsoft_key,
  sbkeysync fails. Eg:
  
  $ sbkeysync --verbose --pk --dry-run
  Can't access efivars filesystem at /sys/firmware/efi/efivars, aborting
  
- I used the sb-setup command as per https://wiki.ubuntu.com/SecurityTeam/SecureBoot#Shim_bootloader_signed_with_Microsoft_key:
- Creating keystore... 
-   mkdir '/etc/secureboot/keys'
-   mkdir '/etc/secureboot/keys/PK'
-   mkdir '/etc/secureboot/keys/KEK'
-   mkdir '/etc/secureboot/keys/db'
-   mkdir '/etc/secureboot/keys/dbx'
+ I used the sb-setup command as per
+ https://wiki.ubuntu.com/SecurityTeam/SecureBoot#Shim_bootloader_signed_with_Microsoft_key:
+ 
+ $ cd /tmp
+ $ ./sb-setup enroll microsoft
+ Creating keystore...
+   mkdir '/etc/secureboot/keys'
+   mkdir '/etc/secureboot/keys/PK'
+   mkdir '/etc/secureboot/keys/KEK'
+   mkdir '/etc/secureboot/keys/db'
+   mkdir '/etc/secureboot/keys/dbx'
  done
  
  Creating keys... done
  
- Generating key updates for PK... 
-   using GUID=f2a7fbab-1471-40da-b18f-6a489d898f91
-   creating EFI_SIGNATURE_LIST (test-cert.der.siglist)...
-   creating signed update (test-cert.der.siglist.PK.signed)... 
+ Generating key updates for PK...
+   using GUID=f2a7fbab-1471-40da-b18f-6a489d898f91
+   creating EFI_SIGNATURE_LIST (test-cert.der.siglist)...
+   creating signed update (test-cert.der.siglist.PK.signed)...
  done
- Generating key updates for KEK... 
-   using GUID=f2a7fbab-1471-40da-b18f-6a489d898f91
-   creating EFI_SIGNATURE_LIST (test-cert.der.siglist)...
-   creating signed update (test-cert.der.siglist.KEK.signed)... 
+ Generating key updates for KEK...
+   using GUID=f2a7fbab-1471-40da-b18f-6a489d898f91
+   creating EFI_SIGNATURE_LIST (test-cert.der.siglist)...
+   creating signed update (test-cert.der.siglist.KEK.signed)...
  done
- Generating key updates for KEK... 
-   using GUID=ed200091-fb45-4da2-8efe-9ce0add35ad4
-   creating EFI_SIGNATURE_LIST (microsoft-kekca-public.der.siglist)...
-   creating signed update (microsoft-kekca-public.der.siglist.KEK.signed)... 
+ Generating key updates for KEK...
+   using GUID=ed200091-fb45-4da2-8efe-9ce0add35ad4
+   creating EFI_SIGNATURE_LIST (microsoft-kekca-public.der.siglist)...
+   creating signed update (microsoft-kekca-public.der.siglist.KEK.signed)...
  done
- Generating key updates for db... 
-   using GUID=f44c37d2-9123-4b09-abf8-d7fdfdf73476
-   creating EFI_SIGNATURE_LIST (microsoft-pca-public.der.siglist)...
-   creating signed update (microsoft-pca-public.der.siglist.db.signed)... 
+ Generating key updates for db...
+   using GUID=f44c37d2-9123-4b09-abf8-d7fdfdf73476
+   creating EFI_SIGNATURE_LIST (microsoft-pca-public.der.siglist)...
+   creating signed update (microsoft-pca-public.der.siglist.db.signed)...
  done
- Generating key updates for db... 
-   using GUID=97ff929d-201f-44ef-8514-385958672418
-   creating EFI_SIGNATURE_LIST (microsoft-uefica-public.der.siglist)...
-   creating signed update (microsoft-uefica-public.der.siglist.db.signed)... 
+ Generating key updates for db...
+   using GUID=97ff929d-201f-44ef-8514-385958672418
+   creating EFI_SIGNATURE_LIST (microsoft-uefica-public.der.siglist)...
+   creating signed update (microsoft-uefica-public.der.siglist.db.signed)...
  done
  Initializing keystore...
-   adding to /etc/secureboot/keys/PK/
-   adding to /etc/secureboot/keys/KEK/
-   adding to /etc/secureboot/keys/db/
+   adding to /etc/secureboot/keys/PK/
+   adding to /etc/secureboot/keys/KEK/
+   adding to /etc/secureboot/keys/db/
  done
  
  Can't access efivars filesystem at /sys/firmware/efi/efivars, aborting
  Commit to keystore? (y|N) n
  $

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sbsigntool in Ubuntu.
https://bugs.launchpad.net/bugs/1274749
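
A check for the precondition the error message names, added here as an example (not part of the original report and not sbkeysync's own code): it reports whether a filesystem of type efivarfs is mounted read-write at /sys/firmware/efi/efivars. The function names, the state strings and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify why /sys/firmware/efi/efivars may be unusable.
# efivars_state [MOUNTS_FILE] [EFI_DIR]
#   MOUNTS_FILE  file in /proc/mounts format (default: /proc/mounts)
#   EFI_DIR      directory the kernel exposes after a UEFI boot
#                (default: /sys/firmware/efi)
# Prints: no-efi-boot | not-mounted | wrong-fstype:<type> | read-only | ok
efivars_state() {
    mounts=${1:-/proc/mounts}
    efi_dir=${2:-/sys/firmware/efi}
    mp=/sys/firmware/efi/efivars

    # No EFI directory: the guest was not booted through UEFI firmware.
    [ -d "$efi_dir" ] || { echo "no-efi-boot"; return 0; }

    # Fields: device mountpoint fstype options dump pass.
    # Keep the last match, since a later mount shadows an earlier one.
    line=$(awk -v mp="$mp" '$2 == mp { last = $3 " " $4 } END { print last }' "$mounts")
    [ -n "$line" ] || { echo "not-mounted"; return 0; }

    fstype=${line%% *}
    opts=${line#* }
    [ "$fstype" = "efivarfs" ] || { echo "wrong-fstype:$fstype"; return 0; }

    # Key enrollment writes variables, so a read-only mount is not enough.
    case ",$opts," in
        *,ro,*) echo "read-only" ;;
        *)      echo "ok" ;;
    esac
}

# Constructed sample mount table (not taken from the reporter's VM).
sample_mounts() {
    cat <<'EOF'
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
efivarfs /sys/firmware/efi/efivars efivarfs rw,nosuid,nodev,noexec,relatime 0 0
EOF
}

# Report on the running system.
state=$(efivars_state)
echo "efivars: $state"
case "$state" in
    not-mounted) echo "try: mount -t efivarfs efivarfs /sys/firmware/efi/efivars" ;;
    read-only)   echo "try: mount -o remount,rw /sys/firmware/efi/efivars" ;;
esac
```
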
