[Bug 1600452] Re: "Failed to set variable: (2) Invalid Parameter" when enrolling MOK
Larry McCarthy
1600452 at bugs.launchpad.net
Mon Dec 5 00:18:39 UTC 2016
This problem still exists in my apt-get-upgrad'ed copy of yakkety and
plagues me on my Lenovo E560 with up-to-date (from Lenovo's point of
view) firmware.
Is there a step-by-step for the workaround (patching, building and
replacing MokManager.efi's)? It seems to me that even when the fixed
MokManager gets into the repos, people will still need to go back and
update any UEFIs they've deployed, to be able to turn Secure Boot back
on, right?
Thanks,
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to mokutil in Ubuntu.
Matching subscriptions: mokutil-bugs
https://bugs.launchpad.net/bugs/1600452
Title:
"Failed to set variable: (2) Invalid Parameter" when enrolling MOK
Status in mokutil package in Ubuntu:
Confirmed
Status in mokutil source package in Xenial:
Confirmed
Bug description:
## Testing Environment:
Lenovo Thinkpad P50, fresh install of Ubuntu 16.04
$ apt-cache policy mokutil
mokutil:
Installed: 0.3.0-0ubuntu3
Candidate: 0.3.0-0ubuntu3
Version table:
*** 0.3.0-0ubuntu3 500
500 http://cn.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
100 /var/lib/dpkg/status
$ apt-cache policy shim
shim:
Installed: 0.8-0ubuntu2
Candidate: 0.8-0ubuntu2
Version table:
*** 0.8-0ubuntu2 500
500 http://cn.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
100 /var/lib/dpkg/status
## Steps to reproduce:
(1) do not disable SecureBoot as suggested during the install.
(2) install virtualbox-5.0 from the virtualbox ppa (deb
http://download.virtualbox.org/virtualbox/debian xenial contrib)
(3) Follow instructions here to manually sign the vboxdrv kernel
module (https://askubuntu.com/questions/760671/could-not-load-vboxdrv-
after-upgrade-to-ubuntu-16-04-and-i-want-to-keep-secur/768310#768310)
$ openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform
DER -out MOK.der -nodes -days 36500 -subj "/CN=Descriptive name/"
$ sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256
./MOK.priv ./MOK.der $(modinfo -n vboxdrv)
$ sudo mokutil --import MOK.der
(enter password)
(4) reboot, click "enroll mok", "continue", "yes", enter password,
(screenshots here: https://sourceware.org/systemtap/wiki/SecureBoot)
## Expected behavior:
new mok will be enrolled and I will be asked to reboot (several users
from the original askubuntu answer indicated that these exact steps
worked for them.
## Actual behaviour:
"Error: Failed to set variable: (2) Invalid Parameter"
## Troubleshooting steps taken:
- tried different passwords, and was able to eliminate that being the cause.
- found relevant lines of code producing the error: lines 919-931 in https://github.com/rhinstaller/shim/blob/master/MokManager.c
/# C code
efi_status = uefi_call_wrapper(RT->SetVariable, 5, db_name,
&shim_lock_guid,
EFI_VARIABLE_NON_VOLATILE
| EFI_VARIABLE_BOOTSERVICE_ACCESS
| EFI_VARIABLE_APPEND_WRITE,
MokNewSize, MokNew);
}
if (efi_status != EFI_SUCCESS) {
console_error(L"Failed to set variable", efi_status);
return efi_status;
}
C Code #/
- unable to find where uefi_call_wrapper() is defined
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: mokutil 0.3.0-0ubuntu3
ProcVersionSignature: Ubuntu 4.4.0-28.47-generic 4.4.13
Uname: Linux 4.4.0-28-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: Unity
Date: Sat Jul 9 18:56:59 2016
InstallationDate: Installed on 2016-07-08 (0 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
SourcePackage: mokutil
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mokutil/+bug/1600452/+subscriptions
More information about the foundations-bugs
mailing list