[Bug]: Error logged when getting the PK or KEK UEFI global variables #757

@serock

Contact Details

[email protected]

Describe the Bug

The following message is logged when getting the PK UEFI global variable:

ERROR:root:Unexpected attributes value: 39 for PK-8be4df61-93ca-11d2-aa0d-00e098032b8c

A similar message is logged when getting the KEK:

ERROR:root:Unexpected attributes value: 39 for KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c

The error appears to be logged whenever the attributes value is not 7:

# Unpack a uint32 from the start of efi_var, which is the attributes
# we always expect the attributes to be 7, since we are reading from runtime,
# report an error so the user knows it may fail to load if not 7
(attrs,) = struct.unpack("=I", efi_var[:4])
if attrs != 7:
    logging.error(f"Unexpected attributes value: {attrs} for {name}-{guid}")

Reproduction steps

  1. Call GetUefiVar in the UefiVariable class with the parameters name="PK" and guid="8be4df61-93ca-11d2-aa0d-00e098032b8c".

For an example, see:
https://github.com/serock/secure-boot-scripts/blob/23d4889fc26d272f3b93f4a79117313581609ea0/backup-pk-cert.py#L12-L13

Expected behavior

I expected no error to be logged when getting the PK or KEK variables.

What Python version are you using?

Python 3.11

Execution Environment

The OS is openSUSE Leap 15.6.
The system is an x86-64 system with UEFI enabled, CSM disabled, Secure Boot enabled, and the Secure Boot mode is User Mode.

Pip packages

Package             Version
------------------- -------
cffi                1.17.1
chardet             5.2.0
colorama            0.4.6
cryptography        45.0.6
edk2-pytool-library 0.23.7
gitdb               4.0.12
GitPython           3.1.45
greenlet            3.2.4
joblib              1.5.1
markdown-it-py      4.0.0
mdurl               0.1.2
pip                 25.2
pyasn1              0.6.1
pyasn1_modules      0.4.2
pycparser           2.22
Pygments            2.19.2
pygount             3.1.0
rich                14.1.0
setuptools          65.5.0
smmap               5.0.2
SQLAlchemy          2.0.43
typing_extensions   4.14.1

Additional context

The PK and KEK variables have the EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS attribute set, which is why the attributes value is 39 instead of 7.

I suspect the error might be logged when getting the db or dbx variables.
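
As an added illustration of the attribute values discussed in this issue (not code from edk2-pytool-library or from the reporter), the following decodes the leading attributes field into the flag names from the UEFI specification and checks it against an expected set. The function names, the `authenticated` parameter, and the sample buffer are assumptions made for this example.

```python
import struct

# Attribute bits as defined by the UEFI specification.
ATTRIBUTE_BITS = {
    0x01: "EFI_VARIABLE_NON_VOLATILE",
    0x02: "EFI_VARIABLE_BOOTSERVICE_ACCESS",
    0x04: "EFI_VARIABLE_RUNTIME_ACCESS",
    0x08: "EFI_VARIABLE_HARDWARE_ERROR_RECORD",
    0x10: "EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS",
    0x20: "EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS",
    0x40: "EFI_VARIABLE_APPEND_WRITE",
    0x80: "EFI_VARIABLE_ENHANCED_AUTHENTICATED_ACCESS",
}
RUNTIME_BASE = 0x07      # NV | BS | RT, the value the quoted check expects
TIME_BASED_AUTH = 0x20   # set on PK and KEK, giving 0x27 == 39


def split_variable(efi_var: bytes) -> tuple[int, bytes]:
    """Split a buffer into (attributes, data); attributes are the leading uint32."""
    if len(efi_var) < 4:
        raise ValueError("buffer too short to hold the attributes field")
    (attrs,) = struct.unpack("<I", efi_var[:4])  # UEFI values are little-endian
    return attrs, efi_var[4:]


def attribute_names(attrs: int) -> list[str]:
    """Return the flag names set in attrs, plus any bits with no known name."""
    names = [name for bit, name in ATTRIBUTE_BITS.items() if attrs & bit]
    unknown = attrs & ~sum(ATTRIBUTE_BITS)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def attribute_findings(attrs: int, authenticated: bool) -> list[str]:
    """Return findings; an empty list means the attributes are as expected.

    `authenticated` is supplied by the caller (assumption of this example):
    True for variables that must carry time-based authenticated write access.
    """
    findings = []
    allowed = RUNTIME_BASE | (TIME_BASED_AUTH if authenticated else 0)
    if missing := RUNTIME_BASE & ~attrs:
        findings.append("missing: " + ", ".join(attribute_names(missing)))
    if authenticated and not attrs & TIME_BASED_AUTH:
        findings.append("authenticated variable lacks time-based write protection")
    if extra := attrs & ~allowed:
        findings.append("unexpected: " + ", ".join(attribute_names(extra)))
    return findings


# Constructed sample: attributes 39 (0x27) followed by placeholder data bytes.
SAMPLE_PK = struct.pack("<I", 39) + b"\x00" * 8
```

With `authenticated=True` the value 39 produces no findings, while a value of 7 on the same variable is reported as lacking time-based write protection.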
