From fc0f1d4d47e5c26437026a98b527aeadfdfd3e68 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Renaud=20M=C3=A9trich?= Date: Tue, 4 Jun 2024 14:57:55 +0200 Subject: [PATCH] Provide better error message when MokManager is not found MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If MokManager has to be entered but system is booting on disk on EFI/BOOT/BOOTx.EFI entry, MokManager cannot be found because it's not in that directory. This indicates an issue with the BootOrder or the UEFI firmware is just not taking BootOrder into account (seen on Lenovo ThinkPad P1 Gen 6 and VMWare). This patch prints a related message and reboots after 10 seconds. Reproducer: 1. Import a certificate using mokutil 2. Tell UEFI to boot on BOOTX64.EFI entry on next boot Result without the patch with verbosity: ----------------------------------------------------------------------- mok.c:1045:import_mok_state() checking mok request shim.c:866:load_image() attempting to load \EFI\BOOT\mmx64.efi Failed to open \EFI\BOOT\mmx64.efi - Not Found Failed to load image 貘給: Not Found shim.c:888 load_image() Failed to open \EFI\BOOT\mmx64.efi - Not Found shim.c:1115 read_image() Failed to load image 貘給: Not Found Failed to start MokManager: Not Found mok.c:1047:import_mok_state() mok returned Not Found Something has gone seriously wrong: import_mok_state() failed: Not Found ----------------------------------------------------------------------- Signed-off-by: Renaud Métrich --- mok.c | 20 ++++++++++++++++++++ shim.c | 2 +- shim.h | 1 + 3 files changed, 22 insertions(+), 1 deletion(-) diff --git a/mok.c b/mok.c index 0ac341581..63e565fbb 100644 --- a/mok.c +++ b/mok.c 
@@ -50,6 +50,26 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
 efi_status = start_image(image_handle, MOK_MANAGER);
 if (EFI_ERROR(efi_status)) {
+ EFI_STATUS efi_status_2;
+ EFI_LOADED_IMAGE *li;
+ efi_status_2 = BS->HandleProtocol(image_handle, &EFI_LOADED_IMAGE_GUID,
+ (void **)&li);
+ if (EFI_ERROR(efi_status_2))
+ perror (L"Failed to get image: %r\n", efi_status_2);
+ else if (is_removable_media_path(li) &&
+ efi_status == EFI_NOT_FOUND) {
+ CHAR16 *title = L"Could not find MokManager";
+ CHAR16 *message = L"Boot Order must be misconfigured " \
+ "or not honored by the UEFI firmware.";
+ /*
+ * This occurs when system is booting on
+ * hard disk's EFI/BOOT/BOOTxxx.EFI entry
+ * while it should have booted on
+ * EFI//shimxxx.efi entry
+ */
+ console_countdown(title, message, 10);
+ RT->ResetSystem(EfiResetWarm, EFI_SUCCESS, 0, NULL);
+ }
 perror(L"Failed to start MokManager: %r\n", efi_status);
 return efi_status;
 }
diff --git a/shim.c b/shim.c
index 87202f7ff..95545a582 100644
--- a/shim.c
+++ b/shim.c
@@ -780,7 +780,7 @@ verify_buffer (char *data, int datasize,
 return verify_buffer_sbat(data, datasize, context);
 }
-static int
+int
 is_removable_media_path(EFI_LOADED_IMAGE *li)
 {
 unsigned int pathlen = 0;
diff --git a/shim.h b/shim.h
index 5791a031d..aef0b223e 100644
--- a/shim.h
+++ b/shim.h
@@ -236,6 +236,7 @@ typedef struct _SHIM_LOCK {
 } SHIM_LOCK;
 extern EFI_STATUS shim_init(void);
+extern int is_removable_media_path(EFI_LOADED_IMAGE *li);
 extern void shim_fini(void);
 extern EFI_STATUS EFIAPI LogError_(const char *file, int line, const char *func, const CHAR16 *fmt, ...);
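Review bot: The new branch in check_mok_request always ends in `RT->ResetSystem(EfiResetWarm, EFI_SUCCESS, 0, NULL)` and discards the result of `console_countdown(title, message, 10)`, so on firmware that ignores BootOrder (the case the commit message describes) the next boot will probably take the same removable-media path with the MOK request still pending and arrive at this reset again. Because this is the Secure Boot key-enrollment path, the condition should be reported before the countdown rather than only shown on a screen that is about to be reset, for example `perror(L"MokManager not found on removable media path: %r\n", efi_status);` placed ahead of `console_countdown`. The message literal joins a wide and a narrow string across a redundant `\`; the second part reads better as `L"or not honored by the UEFI firmware."`. If ResetSystem ever returns, control falls through to the existing perror and return, which deserves a one-line comment such as `/* ResetSystem() should not return; report the original error if it does */`; the function starts and ends outside the hunk.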
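Review bot: is_removable_media_path loses `static` in the shim.c hunk but still carries no comment stating its contract, while the new caller in mok.c relies on a non-zero return meaning the image was loaded from the removable-media boot path. A short header comment would pin that down, for example `/* Non-zero if li's file path is the removable-media default boot path; li must not be NULL. */`, assuming that matches the body, which continues outside the hunk. The declaration added to shim.h is the natural second place for the same sentence.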