0004192: [UEFI]shim-signed boot loader is not installing in /EFI/kali/ - Kali Linux Bug Tracker

ID	Project	Category	View Status	Date Submitted	Last Update

0004192	Kali Linux	Kali Package Bug	public	2017-08-25 12:31	2018-02-21 09:42

Reporter	defalt	Assigned To
Priority	normal	Severity	minor	Reproducibility	have not tried
Status	closed	Resolution	open
Product Version	2017.1

Summary	0004192: [UEFI]shim-signed boot loader is not installing in /EFI/kali/
Description	I have installed shim-signed package along with its dependencies from the repository by sudo apt-get install shim-signed. Shim-signed boot loader is signed by Microsoft which allows you to boot kali in your dual-boot machine even if secure boot is enabled. After installing the package, when I enter sudo grub-install --uefi-secure-boot /dev/sda , the output is shown as: Installing for x86_64-efi platform. Installation finished. No error reported. The shimx64.efi and shimx64.efi.signed is "SUPPOSED TO BE" generated in EFI(boot-sector)/kali/ but there is no such file except grubx64.efi which is your default unsigned grub boot loader. I verified this by entering sudo ls /boot/efi/EFI/kali , grubx64.efi is the only file present in that directory.
Steps To Reproduce	It is easy to reproduce: $ sudo apt-get update $ sudo apt-cache search shim-signed shim-signed - Secure Boot chain-loading bootloader (Microsoft-signed binary) $ sudo apt-get install shim-signed $sudo grub-install --uefi-secure-boot /dev/sda Installing for x86_64-efi platform. Installation finished. No error reported. $ sudo ls /boot/efi/EFI/kali grubx64.efi
Additional Information	Please go through the output shown in the screeshot: http://imgur.com/a/dV7G1 A successful installation will be that if UEFI boots kali from shimx64.efi.signed in secure boot.
Attached Files	Screenshot from 2017-08-25 15-23-13.png (1,212,807 bytes)

rhertzog 2017-08-25 13:49 administrator ~0007145	Complete secure boot support is not yet done on the Debian side, so it's unlikely to work in Kali at this point either. I have not followed the recent development but I know that this was not finished for the stretch release. I don't plan to look further into this issue until it has been advertised to work on Debian already. Furthermore we are currently not signing the kernels that we build, this is one of the divergences that we introduce in Kali as this is a real bottleneck... we would have to be process each kernel upload twice, first building the binaries, then re-uploading them with a signature.

defalt 2017-08-25 14:26 reporter ~0007146	@rhertzog You are right. Debian even refused to add support for secure boot in upcoming Debian 9 https://www.theregister.co.uk/2017/05/01/debian_stretch_omits_secure_boot/ I will make a feature request here for secure boot support as soon as Debian introduced this feature in their upcoming distribution. Considering the amount of cyberattacks that happened this year including Vault 7 leak of NSA's attack on Intel system BIOS firmware, i hope Debian soon make progress in this field. This issue is resolved.

g0tmi1k 2018-02-21 09:42 administrator ~0008765	Due to the age of the OS (Kali Moto [v1], Kali Safi [v2], Kali Rolling 2016.x/2017.1), these legacy versions are no longer supported. We will be closing this ticket due to inactivity. Please could you see if you are able to replicate this issue with the latest version of Kali Linux - https://www.kali.org/downloads/)? If you are still facing the same problem, feel free to re-open the ticket. If you choose to do this, could you provide more information to the issue you are facing,and also give information about your setup? For more information, please read: https://kali.training/topic/filing-a-good-bug-report/

Date Modified	Username	Field	Change
2017-08-25 12:31	defalt	New Issue
2017-08-25 12:31	defalt	File Added: Screenshot from 2017-08-25 15-23-13.png
2017-08-25 13:49	rhertzog	Note Added: 0007145
2017-08-25 14:26	defalt	Note Added: 0007146
2018-02-21 09:42	g0tmi1k	Note Added: 0008765
2018-02-21 09:42	g0tmi1k	Status	new => closed