Suggested patch for Fedora 23 secure boot issue in my previous post

2016-01-11
2016-01-31
  • Gene Snider

    Gene Snider - 2016-01-11

    Somewhere along the line, the structure of /sys/firmware/efi has changed. The structure currently supported by rEFInd is defined at https://www.kernel.org/doc/Documentation/ABI/stable/sysfs-firmware-efi-vars. Newer kernels use the structure defined in the testing documentation tree. Well, sort of; that documentation is sketchy, to say the least. However, for Fedora 23, the secure boot state is available in /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c. The test used in refind-install will not work, since the contents appear to have changed.

    With secure boot enabled:

    # od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
      22   0   0   0   1

    With secure boot disabled, the output is:

      22   0   0   0   0


    There is a better way to test secure boot status, at least in Fedora. My system started out as a minimal install using netinstall. The mokutil package was installed in the initial system creation transaction:

    # dnf history list mokutil
    Last metadata expiration check performed 3:14:35 ago on Mon Jan 11 09:47:17 2016.
    ID     | Command line             | Date a | Action | Altere
    -------------------------------------------------------------------------------
         1 |                          | 2015-11-03 15:20 | Install        |  278 EE
    

    So mokutil should be available in all reasonably recent versions of Fedora. The outputs from mokutil are:

    mokutil --sb-state
    SecureBoot enabled
    or
    SecureBoot disabled
    

    I used the following patch to generate a refind-install script that successfully installs refind in the appropriate secure boot state:

    cat *patch
    900,901c900,901
    <    if [[ -f /sys/firmware/efi/vars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c/data ]] ; then
    <       IsSecureBoot=`od -An -t u1 /sys/firmware/efi/vars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c/data | tr -d '[[:space:]]'`
    ---
    >    if mokutil --sb-state | grep -i "enabled" ; then
    >       IsSecureBoot="1"
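
Review bot: the replacement condition `if mokutil --sb-state | grep -i "enabled" ; then` runs mokutil without checking that it is installed, and the sysfs read it replaces is dropped entirely, so on a system without mokutil the pipeline fails and the script takes the same path as when Secure Boot is disabled. Guard the call with `command -v mokutil >/dev/null` and keep a sysfs check as the fallback. Use `grep -qi` as well, since plain `grep -i` echoes the matched "SecureBoot enabled" line into the installer's output.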
    

    I apologize if this is considered double posting, but I didn't want the fix to get lost in an old post.

    Gene

     
  • Roderick W. Smith

    Thanks for the bug report, and the suggested patch. Unfortunately, because I'm not sure when mokutil became available, and because it's not installed by default on many systems, I'm reluctant to rely on it exclusively in my refind-install script. That said, it should be easy enough to add another method or two (perhaps even including mokutil, if it's available) so as to work around this problem. I have no code yet, but I'll work on it soon.

     
  • Gene Snider

    Gene Snider - 2016-01-31

    Thanks for the fix in 10.2-1. I see you checked the other possible /sys location for efivars and tested just the last byte. That should work as well as mokutil, without depending on mokutil. Kudos!

    Gene
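
The approach described in the last post (check both /sys locations and test only the last byte), written out as an added example; it is not rEFInd's code and not part of the thread. `last_byte`, `sb_state` and `sb_demo` are hypothetical names, and the sample file is constructed from the `od` output in the first post.

```shell
#!/usr/bin/env bash
# Added example, not taken from refind-install.
SB_VAR="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Print the last byte of file $1 as an unsigned decimal; fail if unreadable.
last_byte() {
    [ -r "$1" ] || return 1
    tail -c 1 "$1" | od -An -t u1 | tr -d '[:space:]'
}

# sb_state [efi_dir] (hypothetical helper): prints enabled, disabled or unknown.
sb_state() {
    local efi_dir="${1:-/sys/firmware/efi}" f value
    # efivars/<name> holds 4 attribute bytes followed by the value;
    # vars/<name>/data holds the value alone. The last byte covers both.
    for f in "$efi_dir/efivars/$SB_VAR" "$efi_dir/vars/$SB_VAR/data"; do
        value=$(last_byte "$f") || continue
        case "$value" in
            1) echo enabled;  return 0 ;;
            0) echo disabled; return 0 ;;
        esac
    done
    echo unknown   # variable absent, unreadable or empty: do not guess
}

# Constructed sample: the five bytes from the first post (22 0 0 0 1),
# written to a temporary directory that stands in for /sys/firmware/efi.
sb_demo() {
    local tmp
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/efivars"
    printf '\026\000\000\000\001' > "$tmp/efivars/$SB_VAR"
    sb_state "$tmp"
    rm -rf "$tmp"
}

sb_demo
```

Calling `sb_state` with no argument reads the real /sys/firmware/efi; an installer should treat `unknown` as its own case instead of folding it into `disabled`.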

     
