
Linux kernel signing

Solved by Haky


Hi! My laptop's BIOS became corrupted about a year ago because of a bad Ubuntu kernel. I'll spare you the details, but I almost solved it (it can be solved using this guide: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1734147). The problem is that I can't run the Linux kernel that is supposed to fix my BIOS, because it is not signed, and I can't turn Secure Boot off, because my BIOS is corrupted, so the only way I'm ever going to fix this is probably to sign it somehow. I've googled around and found a guide that looked promising, but when it came to the signing, I could not do it, because the signing utility could not access my EFI something something. So basically, I can't do the local sign. Is there some way around this? Thanks!


When you say your BIOS is corrupted, what exactly do you mean?

You can clearly boot into the OS at least a bit. So it's not completely broken. 

Can you see a splash screen when the laptop turns on? If you hit delete/f2/whatever key you need to enter BIOS, what happens? Can you navigate menus, etc? At what point is it broken?

Main Rig: R9 5950X @ PBO, RTX 3090, 64 GB DDR4 3666, InWin 101, Full Hardline Watercooling

Server: R7 1700X @ 4.0 GHz, GTX 1080 Ti, 32GB DDR4 3000, Cooler Master NR200P, Full Soft Watercooling

LAN Rig: R5 3600X @ PBO, RTX 2070, 32 GB DDR4 3200, Dan Case A4-SFV V4, 120mm AIO for the CPU

HTPC: i7-7700K @ 4.6 GHz, GTX 1050 Ti, 16 GB DDR4 3200, AliExpress K39, IS-47K Cooler

Router: R3 2200G @ stock, 4GB DDR4 2400, what are cases, stock cooler
 

I don't have a problem...


You can use a live USB distribution, chroot into it and change the kernel from there.


12 hours ago, tarfeef101 said:

When you say your BIOS is corrupted, what exactly do you mean?

You can clearly boot into the OS at least a bit. So it's not completely broken. 

Can you see a splash screen when the laptop turns on? If you hit delete/f2/whatever key you need to enter BIOS, what happens? Can you navigate menus, etc? At what point is it broken?

The BIOS is corrupted in two ways:
1. I can't save any settings in the BIOS, so I'm stuck with what I had back when it got corrupted.
2. The EFI partition or something (sorry, I'm not really familiar with it) got corrupted, so basically I can't write into it or do anything with it. That's where my Grub2 was, and it got corrupted too, so I was stuck with the minimal Bash-like editing thingy, but I figured out how to boot from that (page 3 of Google basically). I can now get into Ubuntu from a live USB and I also managed to install it into the laptop, and I get into Grub2 from a normal partition, not EFI. I don't know if I wrote that at least somewhat sensibly, so I'll try to list the main things I can and cannot do:

I can:
-Boot into normal Ubuntu installation
-Boot into Grub2
-Boot into live USB Ubuntu
-Boot into Windows 10

I can't:
-Change setup/BIOS settings, so I'm stuck with Secure Boot
-Boot Ubuntu with the kernel I need for the repair because it is not signed
-Do stuff with EFI thingy

I need to either sign the kernel, or somehow boot with it without signing it. I'm not very experienced with linux, if there's some logs or other info that would be helpful, please don't hesitate to ask!

Thanks for the help and hope this clears things out :)


2 hours ago, Haky said:

-Boot ubuntu with the kernel I need for the repair because it is not signed
-Do stuff with EFI thingy

What errors are reported when you try either of these things, especially efi-readvar -v KEK ?

The fact you are booting a USB means at some point you have subverted secureboot.

 


1 hour ago, Ralphred said:

What errors are reported when you try either of these things, especially efi-readvar -v KEK ?

The fact you are booting a USB means at some point you have subverted secureboot.

 

I've attached pictures of how I boot from a USB into Ubuntu (it's a full-install Ubuntu USB, not a live one, but I can boot a live USB too). Sorry for the craptastic quality, but I could not screenshot. I've also attached a screenshot of that efi-readvar command output. It did not seem to throw any errors. However, when I tried to sign the kernel image using this guide: https://blog.ubuntu.com/2017/08/11/how-to-sign-things-for-secure-boot I could not do it, it just spat some EFI errors at me. It was two weeks ago, so I don't have any screenshots of it, but if it'd help, I can try to follow it again so that you can see what it does.

First picture shows how I boot from the usb drive. Second, third and fourth are me trying to boot the linux kernel I need. Fifth one is on the 4.18 kernel, showing the output of the command you wanted to see.

Thank you for any help :)

Attachments: 1.png, 2.png, 3.png, 4.png, 5.png


4 hours ago, Haky said:

The BIOS is corrupted in two ways:
1. I can't save any settings in the BIOS, so I'm stuck with what I had back when it got corrupted.
2. The EFI partition or something (sorry, I'm not really familiar with it) got corrupted, so basically I can't write into it or do anything with it. That's where my Grub2 was, and it got corrupted too, so I was stuck with the minimal Bash-like editing thingy, but I figured out how to boot from that (page 3 of Google basically). I can now get into Ubuntu from a live USB and I also managed to install it into the laptop, and I get into Grub2 from a normal partition, not EFI. I don't know if I wrote that at least somewhat sensibly, so I'll try to list the main things I can and cannot do:

I can:
-Boot into normal Ubuntu installation
-Boot into Grub2
-Boot into live USB Ubuntu
-Boot into Windows 10

I can't:
-Change setup/BIOS settings, so I'm stuck with Secure Boot
-Boot Ubuntu with the kernel I need for the repair because it is not signed
-Do stuff with EFI thingy

I need to either sign the kernel, or somehow boot with it without signing it. I'm not very experienced with linux, if there's some logs or other info that would be helpful, please don't hesitate to ask!

Thanks for the help and hope this clears things out :)

  1. You can't save settings, you say. Why? Does this mean you can get into the BIOS and look at the settings, at least? What kind of error do you get when trying to change/save settings, then? Also, have you tried clearing the CMOS of the laptop? 
  2. If you wanna see your boot logs, "journalctl -xb" should have some useful information
  3. Honestly, if you have a corrupted boot partition and broken kernel, I honestly think it's not worth the trouble to try and repair it. You can boot off of a live USB, so I'd back up my data, save my config files and note what packages I used that I liked, and do a fresh install after formatting the drive. Is there a reason this isn't an option for you? 



23 minutes ago, tarfeef101 said:
  1. You can't save settings, you say. Why? Does this mean you can get into the BIOS and look at the settings, at least? What kind of error do you get when trying to change/save settings, then? Also, have you tried clearing the CMOS of the laptop? 
  2. If you wanna see your boot logs, "journalctl -xb" should have some useful information
  3. Honestly, if you have a corrupted boot partition and broken kernel, I honestly think it's not worth the trouble to try and repair it. You can boot off of a live USB, so I'd back up my data, save my config files and note what packages I used that I liked, and do a fresh install after formatting the drive. Is there a reason this isn't an option for you? 

Hi, the bug that caused this as well as the symptoms are described here: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1734147
 

Quote

An update to linux kernel on Ubuntu 17.10 that enabled the Intel SPI drivers results in a serial flash that is read only in Intel Broadwell and Haswell machines with serial flashes with SPI_NOR_HAS_LOCK set.

Symptoms:
 * BIOS settings cannot be saved
 * USB Boot impossible
 * EFI entries read-only.

There is no error when trying to save BIOS settings, but they just don't save. Clearing CMOS would not help, and booting is sort of fine, I can boot using the minimal grub thingy or using the "BOOT MENU" option when starting the laptop and selecting Windows Boot Manager. I don't have any important data on the laptop, but wiping the drive is not a very smart thing to do in this situation, because then it might be completely bricked, because I might not be able to boot. I want to repair the BIOS so that the machine is fully working without any issues.

I am very, very close to solving the problem, I just need to boot using the modified repair kernel, and that should most likely do it, the only problem is that I had secure boot enabled, and I can't change it now, because of the corruption.


What's really odd is that you don't have Canonical's keys in your EFI vars; technically you shouldn't be able to boot the 4.18 kernel either.

The lack of "manufacturer" key is what's stopping you saving "BIOS" settings.

 

What environment were you in when you installed the 4.15 kernel, 4.18 proper or USB boot disk etc?


Just now, Ralphred said:

What's really odd is that you don't have Canonical's keys in your EFI vars; technically you shouldn't be able to boot the 4.18 kernel either.

The lack of "manufacturer" key is what's stopping you saving "BIOS" settings.

 

What environment were you in when you installed the 4.15 kernel, 4.18 proper or USB boot disk etc?

I installed it in the 4.18 proper (it is from a USB disk, but it is a full installation).


Oh, I forgot to mention, I installed the Ubuntu on another computer, and moved it, so maybe that's why I can boot from it? I have no idea.


44 minutes ago, Haky said:

Oh, I forgot to mention, I installed the Ubuntu on another computer, and moved it, so maybe that's why I can boot from it? I have no idea.

No, that should not have anything to do with it...

A question: How did you end up installing the new kernel? Is that an official update? If not, it's not signed, obviously.

 

23 hours ago, Ralphred said:

What's really odd is that you don't have Canonical's keys in your EFI vars; technically you shouldn't be able to boot the 4.18 kernel either.

The lack of "manufacturer" key is what's stopping you saving "BIOS" settings.

Linux kernel EFI signature images are signed by Microsoft itself.

 


5 minutes ago, Lukyp said:

A question: How did you ended up installing the new kernel? is that an official update? If not, it's not signed obviously

I followed these steps:
 

Quote

Repair: If you still can boot into Ubuntu, you can recover your BIOS with the following steps:

1. Boot into Ubuntu
2. Download http://people.canonical.com/~ypwong/lp1734147/linux-image-4.15.0-041500rc6-generic_4.15.0-041500rc6.201712312330+20170103+1_amd64.deb
3. Install the downloaded package:
  $ sudo dpkg -i linux-image-4.15.0-041500rc6-generic_4.15.0-041500rc6.201712312330+20170103+1_amd64.deb
4. Make sure the kernel is installed without any error. Once installed, reboot.
5. At grub, choose the newly installed kernel. You can choose the "recovery" mode.
6. Reboot and go to BIOS settings to confirm your BIOS has been recovered.
7. In case your BIOS is not recovered, reboot to the new kernel, then reboot *once again* to the new kernel, do not enter BIOS settings before the reboot. After the second reboot, check BIOS.
8. If your BIOS issue remains, download another kernel from http://people.canonical.com/~ypwong/lp1734147/linux-image-4.15.0-041500rc6-generic_4.15.0-041500rc6.201712312330+clear+debug_amd64.deb, and use dpkg to install it, then repeat steps 4 to 6.

But got stuck at the 5th step, because of the signature problem.

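Every reply in this thread turns on one fact: the firmware refuses the repair kernel at step 5 because the EFI image it is asked to load carries no signature it can verify. The script below is an added example, not code from this thread, the Launchpad bug, or the linked Ubuntu signing guide. It shows what "carries a signature" means at the file level: an EFI-bootable Linux kernel (with the EFI stub) is a PE32+ file, and an Authenticode signature lives in the image's security data directory as one or more WIN_CERTIFICATE entries. The script walks the PE headers to that directory and lists the entries. `build_sample_pe` is a constructed stand-in image whose certificate payload is placeholder bytes rather than a real PKCS#7 blob; on a real machine you would pass the bytes of `/boot/vmlinuz-<version>` instead.

```python
"""Detect an Authenticode certificate table in a PE/COFF image.

Added example (not from the thread or the Launchpad bug). It reports whether a
WIN_CERTIFICATE table is present and of which type; it does NOT verify the
signature against the firmware's db/KEK, which is what the firmware itself
(or tools such as sbverify) do.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # index of the certificate table directory
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS#7 SignedData
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def security_directory(image: bytes):
    """Return (file_offset, size) of the certificate table, or None when the
    image has no security directory entry, i.e. it is unsigned."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]       # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt_off = pe_off + 4 + 20                                # COFF header is 20 bytes
    magic = struct.unpack_from("<H", image, opt_off)[0]
    if magic == PE32PLUS_MAGIC:
        n_dirs_off, dirs_off = 108, 112
    elif magic == PE32_MAGIC:
        n_dirs_off, dirs_off = 92, 96
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    n_dirs = struct.unpack_from("<I", image, opt_off + n_dirs_off)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    entry = opt_off + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    offset, size = struct.unpack_from("<II", image, entry)
    # For this directory the "VirtualAddress" field is a raw file offset.
    return (offset, size) if offset and size else None


def certificates(image: bytes):
    """List (revision, cert_type, payload) for every WIN_CERTIFICATE entry."""
    found = security_directory(image)
    if found is None:
        return []
    off, size = found
    end = off + size
    out = []
    while off + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", image, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        out.append((revision, cert_type, image[off + 8:off + length]))
        off += (length + 7) & ~7                             # entries are 8-byte aligned
    return out


def is_authenticode_signed(image: bytes) -> bool:
    """True when at least one PKCS#7 SignedData certificate entry is embedded."""
    return any(t == WIN_CERT_TYPE_PKCS_SIGNED_DATA for _, t, _ in certificates(image))


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ image (no sections) for demonstration only."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # PE header follows DOS header
    opt_size = 240                                           # PE32+ optional header, 16 dirs
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)                     # NumberOfRvaAndSizes
    header_len = 64 + 4 + len(coff) + opt_size
    cert_table = b""
    if signed:
        payload = b"CONSTRUCTED PKCS7 PLACEHOLDER"           # stands in for real DER
        length = 8 + len(payload)
        cert = struct.pack("<IHH", length, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
        cert_table = cert + b"\0" * ((-length) % 8)
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_len, len(cert_table))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert_table


if __name__ == "__main__":
    for label, img in (("signed", build_sample_pe(True)), ("unsigned", build_sample_pe(False))):
        print(f"{label}: certificate table present = {is_authenticode_signed(img)}")
```

A table being present only means the image was signed by someone; whether the firmware accepts it depends on the signer's certificate being in the firmware's db, or on shim accepting it via a MOK-enrolled key. That second half is exactly what the thread could not change, since the machine's variables were read-only.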

5 hours ago, Haky said:

I followed these steps:
 

But got stuck at the 5th step, because of the signature problem.

It's not signed... There is nothing you can do about that afaik...

Isn't that issued fixed on newer versions of Ubuntu? you could run a chroot environment from a live USB and update from there


1 minute ago, Lukyp said:

It's not signed... There is nothing you can do about that afaik...

The issue is fixed in the newer version, but my bios is already corrupted, and the newer versions won't fix that. The kernel I am trying to boot is made specifically to repair the issue I'm having. Is there any way for me or some third party to sign the kernel so I could boot from it?
 

Quote

you could run a chroot environment from a live USB and update from there

I'm not familiar with chroot at all, so I don't know if that would help or not.


53 minutes ago, Haky said:

The issue is fixed in the newer version, but my bios is already corrupted, and the newer versions won't fix that. The kernel I am trying to boot is made specifically to repair the issue I'm having. Is there any way for me or some third party to sign the kernel so I could boot from it?
 

I'm not familiar with chroot at all, so I don't know if that would help or not.

Does resetting CMOS clear Secure Boot?

in this case you should at least be able to boot


13 hours ago, Lukyp said:

Does resetting CMOS clear Secure Boot?

in this case you should at least be able to boot

I've reset the CMOS, and it seems that either it did nothing, or Secure Boot is set to "Enabled" by default.


19 minutes ago, Haky said:

I've reset the CMOS, and it seems that either it did nothing, or Secure Boot is set to "Enabled" by default.

I've looked at the issue in detail; this does not seem to have an easy solution.

The signing procedure should consist of getting the keys from your machine, but unless you are able to get into the BIOS I don't know how that could be done.

I would rather unsolder the BIOS chip and flash it via a programmer.

Also, you could try creating a Launchpad account and contacting Ubuntu developers in that bug report, where it seems there are people talking about that Secure Boot problem too.

Anyway, if you are patient I would try signing that kernel image, but I do not know if that would work on your machine.


19 minutes ago, Lukyp said:

I've looked at the issue in detail; this does not seem to have an easy solution.

The signing procedure should consist of getting the keys from your machine, but unless you are able to get into the BIOS I don't know how that could be done.

I would rather unsolder the BIOS chip and flash it via a programmer.

Also, you could try creating a Launchpad account and contacting Ubuntu developers in that bug report, where it seems there are people talking about that Secure Boot problem too.

Anyway, if you are patient I would try signing that kernel image, but I do not know if that would work on your machine.

Isn't there some older version of GRUB2 available that could be able to boot unsigned kernels? I've searched around and found this page: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1798384
but I was not able to reproduce the same bug.


3 minutes ago, Haky said:

Isn't there some older version of GRUB2 available that could be able to boot unsigned kernels? I've searched around and found this page: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1798384
but I was not able to reproduce the same bug.

No one really experienced the same bug, so you cannot tell if that works or not, and you may also grab that specific grub version.

Anyway, I don't think auto-signing is possible without you enrolling the custom keys into the BIOS.


Ok, I've got an update: it's fixed!!
I've asked on the original Launchpad bug page (https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1734147?comments=all) and the people there have been incredibly quick to help me :) For anyone experiencing the same issue as me, read the comments from #617 to #622; the procedure on how to boot unsigned kernels is described there.

Thank you to everyone who helped me here too, I've learned a ton about uefi and bootloaders :) I'm so glad it's fixed!


21 minutes ago, Haky said:

Ok, I've got an update: it's fixed!!
I've asked on the original Launchpad bug page (https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1734147?comments=all) and the people there have been incredibly quick to help me :) For anyone experiencing the same issue as me, read the comments from #617 to #622; the procedure on how to boot unsigned kernels is described there.

Thank you to everyone who helped me here too, I've learned a ton about uefi and bootloaders :) I'm so glad it's fixed!

Nice, I didn't know there were some modified grub versions.
