
#1 2020-08-15 11:16:39

Registered: 2020-05-20
Posts: 19

[Solved] Secure Boot: Accuracy of "od" command to determine status

I just set up secure boot with my own keys, following the wiki.

After setting everything up and enrolling my keys using KeyTool, I wanted to check my secureboot status using the command mentioned here.
This is what I got:

~ od --address-radix=n --format=u1 /sys/firmware/efi/efivars/SecureBoot*
   6   0   0   0   1   7   0   0   0   3


Wiki wrote:

If Secure Boot is enabled, this command returns 1 as the final integer in a list of five, for example:
6  0  0  0  1

So I assumed something went wrong. The wiki text sounds a lot like secure boot is enabled if and only if I get exactly 5 digits with the last one being a 1. Now the keen observer might have noticed that my first 5 digits match those from the wiki exactly. But there are 5 additional ones.
The other command mentioned in the wiki tells me secureboot is enabled:

~ bootctl status
systemd-boot not installed in ESP.
No default/fallback boot loader installed in ESP.
     Firmware: UEFI 2.70 (Dell 1.00)
  Secure Boot: enabled
   Setup Mode: user

Current Boot Loader:
      Product: n/a
     Features: ✗ Boot counting
               ✗ Menu timeout control
               ✗ One-shot menu timeout control
               ✗ Default entry control
               ✗ One-shot entry control
               ✗ Support for XBOOTLDR partition
               ✗ Support for passing random seed to OS
               ✓ Boot loader sets ESP partition information
         Stub: systemd-stub 245.7-1-arch
          ESP: /dev/disk/by-partuuid/0547b9b9-484c-4b1f-9dae-9ace4dae9770
         File: └─/EFI/Linux/linux.efi

Random Seed:
 Passed to OS: no
 System Token: set
       Exists: no

Available Boot Loaders on ESP:
          ESP: /efi (/dev/disk/by-partuuid/0547b9b9-484c-4b1f-9dae-9ace4dae9770)

Boot Loaders Listed in EFI Variables:
        Title: Arch Linux
           ID: 0x0002
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/0547b9b9-484c-4b1f-9dae-9ace4dae9770
         File: └─/EFI/Linux/linux.efi

        Title: Keytool
           ID: 0x0000
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/0547b9b9-484c-4b1f-9dae-9ace4dae9770
         File: └─/EFI/KeyTool.efi

Boot Loader Entries:
        $BOOT: /efi (/dev/disk/by-partuuid/0547b9b9-484c-4b1f-9dae-9ace4dae9770)

Default Boot Loader Entry:
        title: Arch Linux (linux.efi)
           id: linux.efi
       source: /efi/EFI/Linux/linux.efi
        linux: EFI/Linux/linux.efi
      options: BOOT_IMAGE=/boot/vmlinuz-linux root=/dev/mapper/intssd-root rw cryptdevice=UUID=4138cc27

Keytool also tells me that secure boot is in "User Mode". And my Firmware settings tell me secure boot is enabled. (Tested several times now)
I also tried booting an unsigned binary which the firmware refused.
Which makes me think the wiki might be outdated here? I didn't post to the Talk page immediately as I don't want to categorically rule out issues on my end. Let's say I am 80% sure the issue lies with the wiki.

Last edited by LoNaAleim (2020-08-24 19:53:29)
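
Added example (not part of the original post or the wiki): an efivarfs file holds a 4-byte little-endian attribute mask followed by the variable's data, so the wiki's five numbers are four attribute bytes plus one data byte. The script below decodes one exactly named file at a time instead of globbing. The sample directory is constructed, and the second variable's name and GUID are hypothetical, on the assumption (not confirmed in the thread) that the `SecureBoot*` glob matched a second file.

```shell
#!/bin/sh
# Added example. efivarfs file layout: 4-byte little-endian attribute mask, then data.
# GUID of the EFI global variable namespace (SecureBoot and SetupMode live here).
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# Decode ONE efivarfs file: prints "attrs=0x........ data=<decimal bytes>".
efivar_decode() {
    # Word splitting is intended: each byte becomes one positional parameter.
    set -- $(od -A n -v -t u1 "$1" 2>/dev/null)
    [ "$#" -ge 4 ] || { echo "unreadable or short efivarfs file" >&2; return 2; }
    attrs=$(( $1 | $2 << 8 | $3 << 16 | $4 << 24 ))
    shift 4
    printf 'attrs=0x%08x data=%s\n' "$attrs" "$*"
}

# Secure Boot state from the exactly named variable; $1 overrides the efivarfs path.
secureboot_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    out=$(efivar_decode "$dir/SecureBoot-$EFI_GLOBAL_GUID") || return 2
    case ${out#*data=} in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo "unexpected SecureBoot data: ${out#*data=}" >&2; return 2 ;;
    esac
}

# What the globbed command sees: every matching file, concatenated by od
# (POSIX short options, equivalent to --address-radix=n --format=u1).
glob_bytes() {
    echo $(od -A n -v -t u1 "$1"/SecureBoot*)
}

# Constructed sample directory (not real firmware data). The second variable's
# name and GUID are hypothetical; its bytes are the extra five from the post.
make_sample_efivars() {
    d=$(mktemp -d) || return 2
    printf '\006\000\000\000\001' > "$d/SecureBoot-$EFI_GLOBAL_GUID"
    printf '\007\000\000\000\003' > "$d/SecureBootExample-00000000-0000-0000-0000-000000000000"
    echo "$d"
}

sample=$(make_sample_efivars)
echo "glob:  $(glob_bytes "$sample")"
for f in "$sample"/SecureBoot*; do echo "${f##*/}: $(efivar_decode "$f")"; done
echo "state: $(secureboot_state "$sample")"
rm -rf "$sample"
```

On a real system, `ls /sys/firmware/efi/efivars/SecureBoot*` shows how many files the glob matches, and `secureboot_state` with no argument reads the real variable.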


#2 2020-08-15 14:27:17

From: US/Eastern
Registered: 2020-06-21
Posts: 558

Re: [Solved] Secure Boot: Accuracy of "od" command to determine status

It’s a little inaccurate indeed; since you found it, you now have the honor of being the one fixing it.

Use a wiki account, post your reasons with a little detail on the discussion page, and change the inaccurate part; after all, the wiki is also a community project.

For future things like this, the place for discussion is the discussion page on the wiki for the topic with the issue...

Notable things of course get discussed here in the forums, but things like this belong better at the wiki as a small thread in the discussion subpage.


Heisenberg might have been here.


#3 2020-08-15 20:36:14

Wiki Admin
From: Czech Republic
Registered: 2012-05-29
Posts: 691

Re: [Solved] Secure Boot: Accuracy of "od" command to determine status

Also note that there is an accuracy template which can be used to mark inaccurate content and draw more attention to the discussion (on the wiki talk page).


#4 2020-08-24 19:52:52

Registered: 2020-05-20
Posts: 19

Re: [Solved] Secure Boot: Accuracy of "od" command to determine status

Thanks lahwaacz, I put the accuracy warning on the page and posted to the discussions.

