[Solved] Shim Lock Protocol Error with Docking Station

techno_worm
Posts: 4
Joined: 2025-01-05 21:47
Has thanked: 1 time

[Solved] Shim Lock Protocol Error with Docking Station

#1 Post by techno_worm »

Hi,

I'm struggling to understand a secure boot issue related to booting with a docking station plugged in. The laptop is a "HP ProBook 440 G9" and the docking station is the basic USB-C docking station "M96882-001". The installed version of Debian is Bookworm.

The test cases that I've identified are:

1/ With the docking station unplugged, with standard boot
Result: Boots as expected

2/ With the docking station plugged in, with standard boot
Result: Fails to boot with:

Loading Linux 6.10.6+bpo-amd64 ...
error: shim_lock protocol not found
Loading initial ramdisk ...
error: you need to load the kernel first.

Press any key to continue...

3/ With the docking station plugged in, and selecting to boot from a file in the BIOS boot menu, using the shimx64.efi file
Result: Boots as expected

Also boots as expected when efibootmgr is used to select what to boot on the next boot.

I do not understand why plugging in the docking station alters the boot process.

The workaround is to simply plug in the docking station after booting, but this risks me forgetting the issue and wasting a load of time after some time away from the laptop.

Any suggestions on how to ensure the laptop will boot with and without the docking station would be gratefully received.
Last edited by techno_worm on 2025-01-08 21:46, edited 1 time in total.
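
As an added example (not code from the thread or from Debian), the script below parses the text that `efibootmgr -v` prints and reports, for each boot entry, whether the firmware would start shim (which then installs the shim_lock protocol for GRUB), start GRUB directly (so GRUB will report "shim_lock protocol not found" under Secure Boot), or follow a device path with no File() node at all. The sample output embedded in it is constructed, with a placeholder partition GUID and made-up labels; on a real machine you would feed it the output of `efibootmgr -v` instead.

```python
"""Classify UEFI boot entries by the loader they hand control to.

Added example, not from the thread. It reads the text format of
`efibootmgr -v` and tells you whether the entry the firmware will try
first chains through shim or bypasses it.
"""
import re

# Constructed sample of `efibootmgr -v` output (not captured from the
# laptop in the thread); the partition GUID is a placeholder and the
# entry labels are made up.
SAMPLE_EFIBOOTMGR = (
    "BootCurrent: 0001\n"
    "BootNext: 0000\n"
    "Timeout: 0 seconds\n"
    "BootOrder: 0001,0000,0002\n"
    "Boot0000* debian\tHD(1,GPT,00000000-0000-0000-0000-000000000000,0x800,0x100000)"
    "/File(\\EFI\\debian\\shimx64.efi)\n"
    "Boot0001* debian-direct\tHD(1,GPT,00000000-0000-0000-0000-000000000000,0x800,0x100000)"
    "/File(\\EFI\\debian\\grubx64.efi)\n"
    "Boot0002  USB Hub\tPciRoot(0x0)/Pci(0x14,0x0)/USB(3,0)/USB(0,0)\n"
)

# "Boot0000* label<TAB>devpath" for active entries, "Boot0000  label" for inactive ones.
ENTRY_RE = re.compile(r"^Boot([0-9A-Fa-f]{4})([* ]) (.*?)\t(.*)$")
# The File() node of a device path names the .efi binary the firmware loads.
FILE_RE = re.compile(r"/File\(([^)]*)\)")


def parse_efibootmgr(text):
    """Return BootCurrent, BootNext, BootOrder and a dict of entries."""
    info = {"current": None, "next": None, "order": [], "entries": {}}
    for line in text.splitlines():
        if line.startswith("BootCurrent:"):
            info["current"] = line.split(":", 1)[1].strip()
        elif line.startswith("BootNext:"):
            info["next"] = line.split(":", 1)[1].strip()
        elif line.startswith("BootOrder:"):
            info["order"] = [n for n in line.split(":", 1)[1].strip().split(",") if n]
        else:
            m = ENTRY_RE.match(line)
            if not m:
                continue
            num, flag, label, devpath = m.groups()
            fm = FILE_RE.search(devpath)
            info["entries"][num] = {
                "label": label,
                "active": flag == "*",
                "devpath": devpath,
                "file": fm.group(1) if fm else None,
            }
    return info


def classify_loader(entry):
    """Which binary the entry starts first.

    'shim'        -> shim runs, verifies GRUB and installs the shim_lock protocol
    'grub-direct' -> GRUB starts without shim, so shim_lock is absent
    'no-file'     -> no File() node; the firmware picks a default/removable path
    'other'       -> some other .efi binary
    """
    path = entry["file"]
    if path is None:
        return "no-file"
    name = path.rsplit("\\", 1)[-1].lower()
    if name.startswith("shim"):
        return "shim"
    if name.startswith("grub"):
        return "grub-direct"
    return "other"


def effective_entry(info):
    """Entry the firmware tries first: BootNext wins, else the first active entry in BootOrder."""
    if info["next"] and info["next"] in info["entries"]:
        return info["next"]
    for num in info["order"]:
        e = info["entries"].get(num)
        if e and e["active"]:
            return num
    return None


def report(text):
    """Human-readable summary, one line per entry plus the verdict for the first entry tried."""
    info = parse_efibootmgr(text)
    lines = []
    for num, e in sorted(info["entries"].items()):
        target = e["file"] or e["devpath"]
        lines.append(f"Boot{num} {e['label']!r}: {classify_loader(e)} ({target})")
    first = effective_entry(info)
    if first is not None:
        kind = classify_loader(info["entries"][first])
        verdict = "chain starts with shim" if kind == "shim" else "chain does NOT start with shim"
        lines.append(f"first tried: Boot{first} -> {verdict}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_EFIBOOTMGR):
        print(line)
```

This only tells you which loader a given entry launches. If the entry already points at shimx64.efi and the error still appears only with a hub attached, the entry is not the problem; the firmware is changing the boot path itself, which is the situation this thread ends up tracking down in the BIOS port options.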

lindi
Debian Developer
Posts: 626
Joined: 2022-07-12 14:10
Has thanked: 2 times
Been thanked: 127 times

Re: Shim Lock Protocol Error with Docking Station

#2 Post by lindi »

You could disable Secure Boot from the BIOS?

Aki
Global Moderator
Posts: 4201
Joined: 2014-07-20 18:12
Location: Europe
Has thanked: 124 times
Been thanked: 566 times

Re: Shim Lock Protocol Error with Docking Station

#3 Post by Aki »

Hello,
techno_worm wrote: 2025-01-05 22:04 The laptop is a "HP ProBook 440 G9" and the docking station is the basic USB-C docking station "M96882-001". The installed version of Debian is Bookworm.
[..]
2/ With the docking station plugged in, with standard boot
Result: Fails to boot with:

Loading Linux 6.10.6+bpo-amd64 ...
error: shim_lock protocol not found
Loading initial ramdisk ...
error: you need to load the kernel first.

Press any key to continue...

Is this your USB-C hub? Are there any devices connected to the USB-C hub?
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀

techno_worm
Posts: 4
Joined: 2025-01-05 21:47
Has thanked: 1 time

Re: Shim Lock Protocol Error with Docking Station

#4 Post by techno_worm »

Aki wrote: 2025-01-05 22:47 Hello,
techno_worm wrote: 2025-01-05 22:04 The laptop is a "HP ProBook 440 G9" and the docking station is the basic USB-C docking station "M96882-001". The installed version of Debian is Bookworm.
[..]
2/ With the docking station plugged in, with standard boot
Result: Fails to boot with:

Loading Linux 6.10.6+bpo-amd64 ...
error: shim_lock protocol not found
Loading initial ramdisk ...
error: you need to load the kernel first.

Press any key to continue...

Is this your USB-C hub? Are there any devices connected to the USB-C hub?
Yes, that is the dock.

There are no devices connected to it.

techno_worm
Posts: 4
Joined: 2025-01-05 21:47
Has thanked: 1 time

Re: Shim Lock Protocol Error with Docking Station

#5 Post by techno_worm »

lindi wrote: 2025-01-05 22:26 You could disable secure boot from bios?
Clearly this could be a solution, however I was hoping to use this laptop build to get up to speed with modern security practices.

I take your point though that this is a less obstructive workaround.

Aki
Global Moderator
Posts: 4201
Joined: 2014-07-20 18:12
Location: Europe
Has thanked: 124 times
Been thanked: 566 times

Re: Shim Lock Protocol Error with Docking Station

#6 Post by Aki »

Hello,

A similar, but different, topic has been discussed here [1] a few weeks ago.

The "error: shim_lock protocol not found" error message is generated by the grub_efi_locate_protocol grub function [2]:

[..]
static grub_guid_t shim_lock_guid = GRUB_EFI_SHIM_LOCK_GUID;
[..]
static grub_err_t
shim_lock_verifier_write (void *context __attribute__ ((unused)), void *buf, grub_size_t size)
{
  grub_efi_shim_lock_protocol_t *sl = grub_efi_locate_protocol (&shim_lock_guid, 0);

  if (!sl)
    return grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock protocol not found"));

  if (sl->verify (buf, size) != GRUB_EFI_SUCCESS)
    return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad shim signature"));

  return GRUB_ERR_NONE;
}
[..]

According to the error message, grub2 tried to get the address of the "Shim Lock Protocol", code provided by the shim program (secure-boot boot loader for Linux) [3] necessary for signature validation of the kernel.

Unfortunately, it seems grub2 fails to get this address with the docking station connected (according to your report).

This is the code of grub_efi_locate_protocol [4] function:

[..]

void *
grub_efi_locate_protocol (grub_guid_t *protocol, void *registration)
{
  void *interface;
  grub_efi_status_t status;

  status = grub_efi_system_table->boot_services->locate_protocol (protocol,
								  registration,
								  &interface);
  if (status != GRUB_EFI_SUCCESS)
    return 0;

  return interface;
}

It seems that somehow the efi_system_table is different when the docking station is connected.

I would explore the possibility that there is some BIOS configuration that allows the docking station to be trusted when booting with secure boot (i.e. "Security level" in "Advanced, select Port Options").

According to the "technical details" in [5], there is a "security management" for this peripheral:
Secure firmware update meets HP secure firmware requirements
Is a user manual available for the docking station?

Hope this helps.

--
[1] Bad shim signature - you need to load the kernel first
[2] https://sources.debian.org/src/grub2/2. ... sb.c/#L179
[3] Package: shim-signed - Secure Boot chain-loading bootloader (Microsoft-signed binary)
[4] https://sources.debian.org/src/grub2/2. ... ?hl=43#L43
[5] HP Universal USB-C Multiport Hub - Specs

techno_worm
Posts: 4
Joined: 2025-01-05 21:47
Has thanked: 1 time

Re: Shim Lock Protocol Error with Docking Station

#7 Post by techno_worm »

@Aki you have hit the nail on the head - thank you!

For anyone who wants to reference this item in the future, I'll be explicit:
  • Enter the BIOS
  • Click "Advanced" menu item
  • Click "Port Options" menu item
  • Click "Restrict USB Devices" menu item
  • Select "Allow all but storage devices and hubs"
This setting only affects the initial boot environment from what I can tell, so when the kernel takes over, USB storage devices work fine. I'll save my rant about poor BIOS documentation for another time...

Thank you

Aki
Global Moderator
Posts: 4201
Joined: 2014-07-20 18:12
Location: Europe
Has thanked: 124 times
Been thanked: 566 times

Re: Shim Lock Protocol Error with Docking Station

#8 Post by Aki »

Hello,

I'm glad you sorted it out. :)

Please mark the discussion as "solved" by manually adding the text tag "[Solved]" at the beginning of the subject of the first message.

Thanks.

Happy Debian! :)

