-CSM is disabled
-Fastboot is disabled
When i type the command:
Code: Select all
mokutil --sb-state
Code: Select all
This system doesn't support Secure Boot
Code: Select all
mokutil --sb-state
Code: Select all
This system doesn't support Secure Boot
What Debian version are you using ?sakurita wrote: ↑2023-01-22 12:35 I was reading the debian wiki documentation (Secure Boot), of course my Asus laptop has an UEFI BIOS:
When i type the command:it returnsCode: Select all
mokutil --sb-state
Any idea?Code: Select all
This system doesn't support Secure Boot
Code: Select all
su -l -c "apt install strace"
strace -o strace.log mokutil --sb-state
Code: Select all
$ mokutil --sb-state
SecureBoot enabled
$ mount | grep efivarfs
efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)
I'm using Debian 11Aki wrote: ↑2023-01-22 14:25 Hello,What Debian version are you using ?sakurita wrote: ↑2023-01-22 12:35 I was reading the debian wiki documentation (Secure Boot), of course my Asus laptop has an UEFI BIOS:
When i type the command:it returnsCode: Select all
mokutil --sb-state
Any idea?Code: Select all
This system doesn't support Secure Boot
It is possible that, for some reason, the command cannot access to the /sys/firmware/efi/efivars/ filesystem . You can verify with:The strace.log will contain the system calls.Code: Select all
su -l -c "apt install strace" strace -o strace.log mokutil --sb-state
Perhaps the efivars directory is not mounted in /sys/firmware/efi for some reason; for example, in my working installation with Debian Stable (11.6):---Code: Select all
$ mokutil --sb-state SecureBoot enabled $ mount | grep efivarfs efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)
[1] https://wiki.debian.org/UEFI#efibootmgr_and_efivar
[2] viewtopic.php?t=152538
Code: Select all
efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)
Code: Select all
mokutil --sb-state
This system doesn't support Secure Boot
Code: Select all
strace -o strace.log mokutil --sb-state
Code: Select all
openat(AT_FDCWD, "/sys/firmware/efi/efivars/SecureBoot-*******************", O_RDONLY) = -1 ENOENT (File or directory not exist)
write(2, "This system doesn't support Secu"..., 40) = 40
exit_group(-1)
Code: Select all
touch /sys/firmware/efi/efivars/SecureBoot-*******************"
Code: Select all
Failed to read "SetupMode" variable: No such file or directory
Code: Select all
touch /sys/firmware/efi/SetupMode-*******************"
Code: Select all
strace -o strace.log mokutil --sb-state
SecureBoot enabled
Code: Select all
apt reinstall shim-signed grub-efi-amd64-signed
Code: Select all
No DKMS packages installed: not changing Secure Boot validation state.
The files in /sys/firmware/efi/efivars/ is the way the linux kernel view/access to UEFI's non volatile memory (NVM) stored in the firmware memory (usually, flash memory on the motherboard). These variables control the way UEFI firmware behaves, therefore it is better not to play with these variables.sakurita wrote: ↑2023-01-22 18:45 So i manual create the missing file (notice that i replaced hexadecimal with * because i don't know is important):then i got a new errorCode: Select all
touch /sys/firmware/efi/efivars/SecureBoot-*******************"
then i manual create the new required file:Code: Select all
Failed to read "SetupMode" variable: No such file or directory
So i don't know why this filles are not automatically createdCode: Select all
touch /sys/firmware/efi/SetupMode-*******************"
The aforementioned message seems to be generated by a shim script (see [2]) and it seems to be triggered when the directory /var/lib/dkms does not exists. This could happen if you didn't installed dkms [3] at all or you installed a newer kernel, but you did not install the matching dkms package. What kernel are you using ?sakurita wrote: ↑2023-01-22 18:45 In the other hand:returnsCode: Select all
apt reinstall shim-signed grub-efi-amd64-signed
Code: Select all
No DKMS packages installed: not changing Secure Boot validation state.
Aki wrote: ↑2023-01-22 19:23The files in /sys/firmware/efi/efivars/ is the way the linux kernel view/access to UEFI's non volatile memory (NVM) stored in the firmware memory (usually, flash memory on the motherboard). These variables control the way UEFI firmware behaves, therefore it is better not to play with these variables.sakurita wrote: ↑2023-01-22 18:45 So i manual create the missing file (notice that i replaced hexadecimal with * because i don't know is important):then i got a new errorCode: Select all
touch /sys/firmware/efi/efivars/SecureBoot-*******************"
then i manual create the new required file:Code: Select all
Failed to read "SetupMode" variable: No such file or directory
So i don't know why this filles are not automatically createdCode: Select all
touch /sys/firmware/efi/SetupMode-*******************"
I'm not an UEFI expert, but I often read that the possibility to brick your computer could be quite high if you modify some important NVM variable so that the firmware cannot get rid of it anymore.
There's a specific command named efivar [1] to deal with them, but it's better to be very cautious even with it. Try to investigate the content of UEFI NVM using that command, but it is quite strange that booting in UEFI mode this variable is not available.
What is your computer manufacturer and model ? What is the BIOS release version and release date ?
The aforementioned message seems to be generated by a shim script (see [2]) and it seems to be triggered when the directory /var/lib/dkms does not exists. This could happen if you didn't installed dkms [3] at all or you installed a newer kernel, but you did not install the matching dkms package. What kernel are you using ?sakurita wrote: ↑2023-01-22 18:45 In the other hand:returnsCode: Select all
apt reinstall shim-signed grub-efi-amd64-signed
Code: Select all
No DKMS packages installed: not changing Secure Boot validation state.
---
[1] https://packages.debian.org/bullseye/efivar
[2] https://sources.debian.org/src/shim-sig ... l=149#L149
[3] https://packages.debian.org/bullseye/dkms
Code: Select all
uname -r
5.10.0-20-amd64
Code: Select all
ls /var/lib/dkms
dkms_dbversion
Code: Select all
sudo apt info dkms
Package: dkms
Version: 2.8.4-3
Code: Select all
BIOS vendor: American Megatrends Inc.; Ver: X541UA.307; Product Version: 1.0
Code: Select all
DMI: ASUSTeK COMPUTER INC. X541UA/X541UA, BIOS X541UA.307 04/17/2019
[ 0.079942] DMAR: [Firmware Bug]: No firmware reserved region can cover this RMRR [0x0000000088800000-0x000000008cffffff], contact BIOS vendor for fixes
[ 0.079948] DMAR: [Firmware Bug]: Your BIOS is broken; bad RMRR [0x0000000088800000-0x000000008cffffff]
BIOS vendor: American Megatrends Inc.; Ver: X541UA.307; Product Version: 1.0
[ 0.079954] DMAR-IR: x2apic is disabled because BIOS sets x2apic opt out bit.
[ 0.079955] DMAR-IR: Use 'intremap=no_x2apic_optout' to override the BIOS setting.
[ 0.317587] ACPI: [Firmware Bug]: BIOS _OSI(Linux) query ignored
Code: Select all
mokutil --sb-state
SecureBoot enabled
Code: Select all
update-grub
Code: Select all
sudo dpkg-reconfigure grub-efi-amd64