Provide better error message when MokManager is not found

If MokManager has to be entered but system is booting on disk on EFI/BOOT/BOOTx.EFI entry, MokManager cannot be found because it's not in that directory. This indicates an issue with the BootOrder or the UEFI firmware is just not taking BootOrder into account (seen on Lenovo ThinkPad P1 Gen 6 and VMWare), or that the boot media has incorrectly been created without MokManager. This patch prints a related message and reboots after 10 seconds. Reproducer: 1. Import a certificate using mokutil 2. Tell UEFI to boot on BOOTX64.EFI entry on next boot Result without the patch with verbosity: ----------------------------------------------------------------------- mok.c:1045:import_mok_state() checking mok request shim.c:866:load_image() attempting to load \EFI\BOOT\mmx64.efi Failed to open \EFI\BOOT\mmx64.efi - Not Found Failed to load image \EFI\BOOT\mmx64.efi: Not Found shim.c:888 load_image() Failed to open \EFI\BOOT\mmx64.efi - Not Found shim.c:1115 read_image() Failed to load image \EFI\BOOT\mmx64.efi: Not Found Failed to start MokManager: Not Found mok.c:1047:import_mok_state() mok returned Not Found Something has gone seriously wrong: import_mok_state() failed: Not Found ----------------------------------------------------------------------- Signed-off-by: Renaud Métrich <[email protected]>
rhboot · Jan 17, 2025 · 7864c10 · 7864c10
1 parent 1508ece
commit 7864c10
Showing 1 changed file with 26 additions and 0 deletions.
diff --git a/mok.c b/mok.c
@@ -50,6 +50,32 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
 		efi_status = start_image(image_handle, MOK_MANAGER);
 
 		if (EFI_ERROR(efi_status)) {
+			/*
+			 * We don't do this in the unit tests because we
+			 * don't have simulation for console_countdown()
+			 * and similar.
+			 */
+#ifndef SHIM_UNIT_TEST
+			EFI_STATUS efi_status_2;
+			EFI_LOADED_IMAGE *li;
+			efi_status_2 = BS->HandleProtocol(image_handle, &EFI_LOADED_IMAGE_GUID,
+							 (void **)&li);
+			if (EFI_ERROR(efi_status_2))
+				perror (L"Failed to get image: %r\n", efi_status_2);
+			else if (is_removable_media_path(li) &&
+				 efi_status == EFI_NOT_FOUND) {
+				CHAR16 *title = L"Could not find MokManager";
+				CHAR16 *message = L"MokManager is missing on removable media.";
+				/*
+				 * This occurs when system is booting on
+				 * hard disk's EFI/BOOT/BOOTxxx.EFI entry
+				 * while it should have booted on
+				 * EFI/<os>/shimxxx.efi entry
+				 */
+				console_countdown(title, message, 10);
+				RT->ResetSystem(EfiResetWarm, EFI_SUCCESS, 0, NULL);
+			}
+#endif
 			perror(L"Failed to start MokManager: %r\n", efi_status);
 			return efi_status;
 		}