Page 3 of 3 FirstFirst 123
Results 21 to 30 of 30

Thread: MODSIGN: Couldn't get UEFI db list

  1. #21
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    13,324
    Blog Entries
    3

    Default Re: MODSIGN: Couldn't get UEFI db list

    Quote Originally Posted by arvidjaar View Post
    Well, I do not have "linuxefi" in grub.cfg on Ubuntu 18.04, I boot with Secure Boot enabled and attempt to boot unsigned kernel using "linux" command fails. I do not know what evidence you refer to.
    When I last tested, Ubuntu could boot other linux distros with unsigned kernels. But this was probably before 18.04, so it is possible that they have tightened it up since my last test.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  2. #22

    Default Re: MODSIGN: Couldn't get UEFI db list

    Quote Originally Posted by 111MilesToGo View Post
    FWIW, I would like to add to this. You all agree that this error is harmless - okay. But nevertheless, the kernel seems to be doing something in UEFI bootmode with Secure Boot OFF that it shouldn't be doing or at least shouldn't report on.

    Nevertheless, I did try a little thing on my machine. It is a 2013 HP EliteBook 8570w, normally booted in UEFI mode (incl. CSM) with Secure Boot OFF. With such BIOS/UEFI settings, both Tumbleweed and Manjaro had been installed in dual boot on the internal SSD. Remark: The CSM is needed since I can boot alternatively from an eSATA SSD in BIOS boot mode.

    Tumbleweed has been throwing this MODSIGN error since about the same time reported in the first post here. Manjaro has never done this; I checked its journalctl.

    Normally, Tumbleweed throws these lines:
    Code:
    Okt 01 12:39:01 susytmblwdke8570 kernel: Couldn't get size: 0x800000000000000e
    Okt 01 12:39:01 susytmblwdke8570 kernel: MODSIGN: Couldn't get UEFI db list
    Okt 01 12:39:01 susytmblwdke8570 kernel: Couldn't get size: 0x800000000000000e
    Okt 01 12:39:01 susytmblwdke8570 kernel: Couldn't get UEFI MokListRT
    Okt 01 12:39:01 susytmblwdke8570 kernel: Couldn't get size: 0x800000000000000e
    Okt 01 12:39:01 susytmblwdke8570 kernel: Couldn't get UEFI dbx list
    as taken from journalctl, with the bold lines showing up on screen during boot.

    I wanted to test what happens when I interim-wise put a Windows (8.1-64 in my case) system in UEFI boot mode with Secure Boot ON onto the machine. I did this with a spare SSD of mine. Windows installed all fine, and I rebooted a couple of times in Secure Boot.

    Returning to my Linux SSD with Tumbleweed and Manjaro, it would not boot with Secure Boot ON - of course, boot image not authenticated. I switched the BIOS/UEFI back to the UEFI+CSM and Secure Boot OFF settings, both Linux's boot fine again. Now Tumbleweed shows only one error line on screen while booting
    Code:
    Couldn't get size: 0x800000000000000e
    and journalctl has messages now that differ from the above:
    Code:
    Okt 02 12:52:31 susytmblwdke8570 kernel: integrity: Loading X.509 certificate: UEFI:db
    Okt 02 12:52:31 susytmblwdke8570 kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: ...snip...>
    Okt 02 12:52:31 susytmblwdke8570 kernel: integrity: Loading X.509 certificate: UEFI:db
    Okt 02 12:52:31 susytmblwdke8570 kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: ...snip...>
    Okt 02 12:52:31 susytmblwdke8570 kernel: Couldn't get size: 0x800000000000000e
    Okt 02 12:52:31 susytmblwdke8570 kernel: Couldn't get UEFI MokListRT
    So I have two messages wrt this TW error on my HP machine in UEFI (+CSM) boot mode with Secure Boot OFF:

    • Manjaro doesn't produce this MODSIGN error on this machine.
    • For Tumbleweed, I was sort of expecting some change, and that happened. Obviously, a certificate was written during the Windows install to the machine's "writable ROM". I didn't dare to hope all messages would disappear, and in fact it turned out that one error message remains.
    Hi nrickert, following this little Windows experiment, I have another experiment on my mind: Install an interim Tumbleweed in UEFI-Secure on the machine. Maybe that puts a TW key into the NVRAM. Depending on how my last one error message from the non-Secure TW comes about - (a) unsuccessfully looking for a key in NVRAM, or (b) unsuccessfully looking for a key in the bootloader -, this might or might not make the last error line in my non-Secure TW go away.

    Unfortunately, I can try this only two weeks from now. Will report back.

  3. #23

    Default Re: MODSIGN: Couldn't get UEFI db list

    Quote Originally Posted by 111MilesToGo View Post
    Hi nrickert, following this little Windows experiment, I have another experiment on my mind: Install an interim Tumbleweed in UEFI-Secure on the machine. Maybe that puts a TW key into the NVRAM. Depending on how my last one error message from the non-Secure TW comes about - (a) unsuccessfully looking for a key in NVRAM, or (b) unsuccessfully looking for a key in the bootloader -, this might or might not make the last error line in my non-Secure TW go away.

    Unfortunately, I can try this only two weeks from now. Will report back.
    Oops, I was mistaken in this reasoning, esp. (b). My bad, I fell back to think about booting. But here we have already loaded the kernel, and it is the kernel throwing the errors (cf. the journalctl‘s). So my (a) and (b) might read ”the kernel looking for a key or s.th. else in NVRAM“, or ”looking for a key or s.th. else elsewhere“; elsewhere might be a module. Anyway, it‘s all just speculating. My experiment will be done in two weeks.

  4. #24
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    13,324
    Blog Entries
    3

    Default Re: MODSIGN: Couldn't get UEFI db list

    Quote Originally Posted by 111MilesToGo View Post
    Hi nrickert, following this little Windows experiment, I have another experiment on my mind: Install an interim Tumbleweed in UEFI-Secure on the machine. Maybe that puts a TW key into the NVRAM.
    Installing a kernel (which happens often on Tumbleweed) should already do that. So I doubt that's the problem.

    Two things to check:

    (1) Look at the output from
    Code:
    efibootmgr -v
    (or post that output here). It should show that "shim.efi" is being used to boot openSUSE.

    (2) Check this web page:
    openSUSE:UEFI
    Scroll down until you find the heading "Booting the Machine that supports only one signature with vendor provided Keys". It is near the end of that page. There's a possibility that your computer has that problem.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  5. #25
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    28,112
    Blog Entries
    15

    Default Re: MODSIGN: Couldn't get UEFI db list

    Hi
    I posted in another thread about this from memory, in my case the BIOS offered an option to load the default database and it went away....

    I see;

    Code:
    journalctl -b --no-pager |grep UEFI
    
    Oct 02 10:14:03 grover kernel: integrity: Loading X.509 certificate: UEFI:db
    Oct 02 10:14:03 grover kernel: integrity: Loading X.509 certificate: UEFI:db
    Oct 02 10:14:03 grover kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
    Oct 02 10:14:03 grover kernel: integrity: Loading X.509 certificate: UEFI:MokListRT
    Oct 02 10:14:03 grover kernel: integrity: Loading X.509 certificate: UEFI:MokListRT
    
    efibootmgr -v
    
    BootCurrent: 0000
    Timeout: 1 seconds
    BootOrder: 0000,0001
    Boot0000* opensuse-secureboot    HD(1,GPT,8cdbaf23-57c4-4c0c-95ad-a72beaba9f93,0x800,0x82000)/File(\EFI\opensuse\shim.efi)
    Boot0001* UEFI : SATA : PORT 6G 0 : SanDisk SDSSDXPS240G : PART 0 : OS Bootloader    PciRoot(0x0)/Pci(0x1f,0x2)/Sata(0,65535,0)/HD(1,GPT,8cdbaf23-57c4-4c0c-95ad-a72beaba9f93,0x800,0x82000)AMBO
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!

  6. #26

    Default Re: MODSIGN: Couldn't get UEFI db list

    Hi, thanks for your suggestions. Very interested to do like you say, but have to wait for two weeks now...

    Anyway, things are strange. The machine has Secure Boot OFF, and TW had been installed as UEFI-nonSecure, but the kernel seems to do SB-related queries and posts complaints since s.th. like K 5.0 (cf. the OP here). My feeling simply is that it should not do anything like that.

    BTW, Manjaro (my 2nd dual-booted OS, but grub is from TW) is Secure Boot-agnostic. The MJ Wiki says to turn SB off when on UEFI, unless one would go through manual key installation described on the Arch Wiki. So, at the end of the day, I will stick to SB OFF. But the entire thing is interesting on its own.

    EDIT: My UEFI TW has a Btrfs root partition and a separate ext4 home partition. I seem to remember reading some remarks wrt grub and Btrfs when I installed it. And there were some peculiarities involved that didn‘t allow Manjaro to boot TW, while TW can boot MJ.

  7. #27
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    13,324
    Blog Entries
    3

    Default Re: MODSIGN: Couldn't get UEFI db list

    Quote Originally Posted by 111MilesToGo View Post
    And there were some peculiarities involved that didn‘t allow Manjaro to boot TW, while TW can boot MJ.
    Possibly, the grub2 installed by manjaro has trouble reading "btrfs" partitions.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  8. #28

    Default Re: MODSIGN: Couldn't get UEFI db list

    Is there a way we can just suppress this message? I know it is harmless but it causes an unnecessary video mode change.

  9. #29
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    13,324
    Blog Entries
    3

    Default Re: MODSIGN: Couldn't get UEFI db list

    Quote Originally Posted by JAMcInnes View Post
    Is there a way we can just suppress this message?
    I don't think you get that message if you enable secure-boot in your BIOS.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  10. #30

    Default Re: MODSIGN: Couldn't get UEFI db list

    Hi, I had a similar message. The computer was bought with Windows, but I changed to TW.

    Before installing TW in the bios (such were different recommendations) I changed the option of Secure Boot to Other OS (first was Windows OS).
    During installation, I marked secure boot. And i started poping up the same message. The bootctl status command showed that Secore Boot is off.

    After a few combinations I switched in the bios Secure Boot to Windows OS. After the restart I was asked if to install the MOK key from openSUSE.

    After accepting the message stopped appearing and bootctl status shows that Secure Boot is enabled.

Page 3 of 3 FirstFirst 123

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •