Bug 56751 - SecureBoot: reading EFI variables from filesystem efivarfs return error EINVAL
Status: NEW
Product: UCS
Classification: Unclassified
Component: Kernel
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: UCS maintainers
QA Contact: UCS maintainers
Depends on:
Blocks: 56742
Reported: 2023-10-18 15:39 CEST by Philipp Hahn
Modified: 2023-10-18 16:50 CEST
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.114
Bug group (optional): Security

Description Philipp Hahn univentionstaff 2023-10-18 15:39:57 CEST
SecureBoot-enabled VM on Qemu/KVM 2.8+dfsg-6+deb9u18 with OVMF 2020.05-3~bpo+1 running UCS 5.0-5 with Linux kernel 4.19.289-2.

Directly after (re-)boot everything works fine:
```console
# mokutil --sb-state
SecureBoot enabled

# efibootmgr
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,0003,0002,0001,0004
Boot0000* univention
Boot0001* UiApp
Boot0002* UEFI QEMU QEMU CD-ROM
Boot0003* UEFI QEMU QEMU HARDDISK
Boot0004* EFI Internal Shell
Boot0008* grubx64.efi
```

Running these commands in a loop with `sleep` in between fails after some minutes:
```console
# mokutil --sb-state
This system doesn't support Secure Boot
# efibootmgr
Skipping unreadable variable "Boot0000": Invalid argument
Skipping unreadable variable "Boot0001": Invalid argument
Skipping unreadable variable "Boot0002": Invalid argument
Skipping unreadable variable "Boot0003": Invalid argument
Skipping unreadable variable "Boot0004": Invalid argument
Skipping unreadable variable "Boot0008": Invalid argument
show_order(): Invalid argument
# LANG=C cat /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
cat: /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c: Invalid argument
```

The broken state can (sometimes?) be fixed by running the following commands, but it breaks again after some time:
```console
# umount /sys/firmware/efi/efivars
# mount -t efivarfs none /sys/firmware/efi/efivars
mount: /sys/firmware/efi/efivars: wrong fs type, bad option, bad superblock on none, missing codepage or helper program, or other error.
# rmmod efivarfs
# mount -t efivarfs none /sys/firmware/efi/efivars
```

After some rounds it stopped working and only a reboot of the VM reset it, but
```console
# mokutil --sb-state
Strange data size 0 for "SecureBoot" variable
Strange data size 0 for "SetupMode" variable
Cannot determine secure boot state.
# mokutil --sb-state
SecureBoot enabled

# efibootmgr
Timeout: 0 seconds
BootOrder: 0000,0003,0002,0001,0004
Boot0000
Boot0001
Boot0002
Boot0003
Boot0004
Boot0008
# efibootmgr
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,0003,0002,0001,0004
Boot0000* univention
Boot0001* UiApp
Boot0002* UEFI QEMU QEMU CD-ROM
Boot0003* UEFI QEMU QEMU HARDDISK
Boot0004* EFI Internal Shell
Boot0008* grubx64.efi

# grep efi /proc/modules
efi_pstore …
efivars …
efivarfs …
```

Might be a Linux Kernel or Qemu/KVM or OVMF bug.
Comment 1 Philipp Hahn univentionstaff 2023-10-18 16:50:00 CEST
```
[  +0,235762] efivars: duplicate variable: -aaaf7b74-ffff-ffff-0000-000000000000
```
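The following watcher is an added example, not part of the original report or of UCS: it reads `SecureBoot` and `SetupMode` directly from efivarfs and prints a timestamped line whenever the state changes, so the moment of the first `EINVAL` can be correlated with `dmesg`. It assumes the usual efivarfs file layout (4-byte little-endian attribute word followed by the data); the names `classify_var`, `watch` and the `reader` hook are hypothetical.

```python
import errno
import os
import struct
import sys
import time

# GUID of the EFI global variable namespace, as in the path shown in the report.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"


def _read_file(path):
    with open(path, "rb") as fh:
        return fh.read()


def classify_var(name, efivars_dir=EFIVARS_DIR, reader=_read_file):
    """Return (state, attributes) for a one-byte EFI global variable.

    `reader` is a hypothetical hook so the error path can be tested offline.
    """
    path = os.path.join(efivars_dir, f"{name}-{EFI_GLOBAL_GUID}")
    try:
        raw = reader(path)
    except FileNotFoundError:
        return "missing", None
    except OSError as exc:
        if exc.errno == errno.EINVAL:  # the failure shown by `cat` in the report
            return "einval", None
        raise
    if len(raw) < 5:  # attribute word only, or nothing at all: no data byte
        return "no-data", None
    attrs, value = struct.unpack("<IB", raw[:5])
    return ("enabled" if value == 1 else "disabled"), attrs


def watch(names=("SecureBoot", "SetupMode"), interval=5.0, rounds=None):
    """Poll the variables and print a timestamped line on every state change."""
    last, n = {}, 0
    while rounds is None or n < rounds:
        for name in names:
            state, _ = classify_var(name)
            if last.get(name) != state:
                stamp = time.strftime("%Y-%m-%d %H:%M:%S")
                print(f"{stamp} {name}: {last.get(name)} -> {state}")
                last[name] = state
        n += 1
        time.sleep(interval)
    return last


if __name__ == "__main__":
    watch(interval=float(sys.argv[1]) if len(sys.argv) > 1 else 5.0)
```

Run it as root with the polling interval in seconds as the only argument; it keeps running until interrupted.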