Gentoo Forums
When install secure boot, efitool error occurs.

tzhou
n00b
Joined: 11 Oct 2015
Posts: 18

Posted: Sat Jun 04, 2016 1:51 pm    Post subject: When install secure boot, efitool error occurs.

Dear all,

I follow Sakaki's EFI Install Guide to configure secure boot.
Emerge app-crypt/efitools from Sakaki's repository.
Use
Code:
taogeo efikeys # efi-readvar -v PK -o old_PK.esl
to read keys, but generates:
Quote:
No efivarfs filesystem is mounted

Then I git clone from
Quote:
https://git.kernel.org/cgit/linux/kernel/git/jejb/efitools.git
make and install efitools myself.
Then use
Code:
taogeo efikeys # ~/efitools/efi-readvar
and generate:
Quote:
Variable PK has no entries
Variable KEK, length 2545
KEK: List 0, type X509
Signature 0, size 957, owner 7facc7b6-127f-4e9c-9c5d-080f98994345
Subject:
C=JP, ST=Kanagawa, L=Yokohama, O=Lenovo Ltd., CN=Lenovo Ltd. KEK CA 2012
Issuer:
C=JP, ST=Kanagawa, L=Yokohama, O=Lenovo Ltd., CN=Lenovo Ltd. KEK CA 2012
KEK: List 1, type X509
Signature 0, size 1532, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
Subject:
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011
Issuer:
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
Variable db, length 6027
db: List 0, type X509
Signature 0, size 962, owner 7facc7b6-127f-4e9c-9c5d-080f98994345
Subject:
C=JP, ST=Kanagawa, L=Yokohama, O=Lenovo Ltd., CN=ThinkPad Product CA 2012
Issuer:
C=JP, ST=Kanagawa, L=Yokohama, O=Lenovo Ltd., CN=Lenovo Ltd. Root CA 2012
db: List 1, type X509
Signature 0, size 919, owner 7facc7b6-127f-4e9c-9c5d-080f98994345
Subject:
C=US, ST=North Carolina, O=Lenovo, CN=Lenovo UEFI CA 2014
Issuer:
C=US, ST=North Carolina, O=Lenovo, CN=Lenovo UEFI CA 2014
db: List 2, type X509
Signature 0, size 919, owner 7facc7b6-127f-4e9c-9c5d-080f98994345
Subject:
C=US, ST=North Carolina, O=Lenovo, CN=Lenovo UEFI CA 2014
Issuer:
C=US, ST=North Carolina, O=Lenovo, CN=Lenovo UEFI CA 2014
db: List 3, type X509
Signature 0, size 1572, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
Subject:
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
Issuer:
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
db: List 4, type X509
Signature 0, size 1515, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
Subject:
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
Issuer:
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
Variable dbx, length 652
dbx: List 0, type SHA256
Signature 0, size 48, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
Hash:80b4d96931bf0d02fd91a61e19d14f1da452e66db2408ca8604d411f92659f0a
Signature 1, size 48, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
Hash:f52f83a3fa9cfbd6920f722824dbe4034534d25b8507246b3b957dac6e1bce7a
Signature 2, size 48, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
Hash:c5d9d8a186e2c82d09afaa2a6f7f2e73870d3e64f72c4e08ef67796a840f0fbd
Signature 3, size 48, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
Hash:363384d14d1f2e0b7815626484c459ad57a318ef4396266048d058c5a19bbf76
Signature 4, size 48, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
Hash:1aec84b84b6c65a51220a9be7181965230210d62d6d33c48999c6b295a2b0a06
Signature 5, size 48, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
Hash:e6ca68e94146629af03f69c2f86e6bef62f930b37c6fbcc878b78df98c0334e5
Signature 6, size 48, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
Hash:c3a99a460da464a057c3586d83cef5f4ae08b7103979ed8932742df0ed530c66
Signature 7, size 48, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
Hash:58fb941aef95a25943b3fb5f2510a0df3fe44c58c95e0ab80487297568ab9771
Signature 8, size 48, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
Hash:5391c3a2fb112102a6aa1edc25ae77e19f5d6f09cd09eeb2509922bfcd5992ea
Signature 9, size 48, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
Hash:d626157e1d6a718bc124ab8da27cbb65072ca03a7b6b257dbdcbbd60f65ef3d1
Signature 10, size 48, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
Hash:d063ec28f67eba53f1642dbf7dff33c6a32add869f6013fe162e2c32f1cbe56d
Signature 11, size 48, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
Hash:29c6eb52b43c3aa18b2cd8ed6ea8607cef3cfae1bafe1165755cf2e614844a44
Signature 12, size 48, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
Hash:90fbe70e69d633408d3e170c6832dbb2d209e0272527dfb63d49d29572a6f44c
Variable MokList has no entries

And then need to append KEK:
Code:
taogeo efikeys # ~/efitools/efi-updatevar -a -c KEK.crt KEK
and generate:
Quote:
Cannot write to KEK, wrong filesystem permissions

I found the following thread, which mentioned something about this.
Quote:
https://www.winhistory-forum.net/archive/index.php?thread-14231-1.html

I do not know how to resolve this, and sorry for my limited Gentoo knowledge.
My box is a ThinkPad T460p.
Thanks in advance!
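
Added example, not part of the original post or of efitools: a small parser for output in the format efi-readvar printed above. It reports whether PK is empty (which UEFI defines as Setup Mode), how many entries each variable holds, and which certificate subjects are enrolled more than once. The sample input is constructed, with made-up names, GUIDs and hash; the function names are hypothetical.

```python
import re

# Constructed sample in efi-readvar's text format; names, GUIDs and hash are made up.
ENTRY = """\
db: List {n}, type X509
    Signature 0, size 919, owner 11111111-2222-3333-4444-555555555555
        Subject:
            O=Example OEM, CN=Example UEFI CA
        Issuer:
            O=Example OEM, CN=Example UEFI CA
"""
SAMPLE = ("Variable PK has no entries\nVariable db, length 1894\n"
          + ENTRY.format(n=0) + ENTRY.format(n=1) +
          "Variable dbx, length 76\ndbx: List 0, type SHA256\n"
          "    Signature 0, size 48, owner 66666666-7777-8888-9999-aaaaaaaaaaaa\n"
          "        Hash:" + "ab" * 32 + "\n")

def parse_readvar(text):
    """Return {variable: [entry, ...]} from efi-readvar output (indentation optional)."""
    store, var, kind, field = {}, None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if field and line:                      # value line after "Subject:"/"Issuer:"
            store[var][-1][field] = line
            field = None
        elif m := re.match(r"Variable (\w+)(?: has no entries|, length \d+)$", line):
            var = m.group(1)
            store[var] = []
        elif m := re.match(r"\w+: List \d+, type (\w+)$", line):
            kind = m.group(1)                   # X509, SHA256, ...
        elif m := re.match(r"Signature \d+, size \d+, owner ([0-9a-f-]{36})$", line):
            store[var].append({"type": kind, "owner": m.group(1)})
        elif line in ("Subject:", "Issuer:"):
            field = line[:-1].lower()
        elif line.startswith("Hash:"):
            store[var][-1]["hash"] = line[5:].strip()
    return store

def audit(store):
    """Report PK emptiness (UEFI Setup Mode), entry counts and repeated subjects."""
    repeated = {}
    for var, entries in store.items():
        subjects = [e["subject"] for e in entries if "subject" in e]
        dup = sorted({s for s in subjects if subjects.count(s) > 1})
        if dup:
            repeated[var] = dup
    return {"pk_empty": store.get("PK") == [],
            "counts": {v: len(e) for v, e in store.items()},
            "repeated_subjects": repeated}
```

Feeding it saved `efi-readvar` output before and after enrolling keys gives a quick diff of what actually changed in the keystore.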

Sakaki
Apprentice
Joined: 21 May 2014
Posts: 287

Posted: Sun Jun 05, 2016 9:28 am

Hi tzhou,

although app-crypt/efitools-1.4.3 is still in the sakaki-tools overlay, a more modern version (1.7.0) is now in the standard Gentoo tree and should have been picked up by default, assuming you have allowed ~amd64 for this package in /etc/portage/package.accept_keywords. The ebuild takes its source from the https://git.kernel.org/cgit/linux/kernel/git/jejb/efitools.git archive.

In any event, the "wrong filesystem permissions" issue is a known problem with (even the most modern version of) efitools, and I have run into it myself.

There are a few possible ways to work around this at the moment. The first is to use your UEFI BIOS GUI (if it affords you the option) to load your signing key, KEK and PK directly into the keystore (I had to resort to this method myself when installing a Purism Librem 13 laptop recently; see these notes).

A second way is to use the EFI utility KeyTool. User demise just wrote a short addendum to my EFI install guide regarding this point, available here.
_________________
Regards,

sakaki

tzhou
n00b
Joined: 11 Oct 2015
Posts: 18

Posted: Sun Jun 05, 2016 1:24 pm

Hi Sakaki,

Thanks so much for your reply. The guides drop me a lot of valuable things.
I feel so ashamed that I just deleted all of my old partitions and created new ones all for Gentoo.
So, I can not do the test and installing now.
The reply gives the methods that we can try and it's all your effort.

thanks,
tzhou