Bug#1033657: grub-efi-arm64-signed: Secure Boot not working on arm64

Emanuele Rocca

Mar 29, 2023, 10:20:05 AM
Package: grub-efi-arm64-signed
Version: 2.06-8

Hi,

Secure Boot does not work on arm64 using the shim signed by Microsoft [0] and
grub2 signed by Debian [1] currently in sid.

(a) SB not working with Debian's shim, grub and kernel:

$ sbverify --list /mnt/efi/boot/bootaa64.efi | grep subject
warning: data remaining[839096 vs 979672]: gaps between PE/COFF sections?
- subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
- subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011

$ sbverify --list /mnt/efi/boot/grubaa64.efi | grep subject
- subject: /CN=Debian Secure Boot Signer 2022 - grub2

$ sbverify --list /mnt/vmlinuz-6.1.0-7-arm64 | grep subject
- subject: /CN=Debian Secure Boot Signer 2022 - linux

With the efi variables from qemu-efi-aarch64's AAVMF_VARS.ms.fd plus
SHIM_VERBOSE enabled `mokutil --set-verbosity true`, and the firmware
file AAVMF_CODE.fd from edk2 rebuilt in debug mode - see
https://bugs.debian.org/1033613

$ qemu-system-aarch64 -machine virt -cpu cortex-a57 \
-drive file=AAVMF_CODE.debug.fd,format=raw,if=pflash,readonly=true \
-drive file=AAVMF_VARS.ms.verbose.fd \
[...]

grub> linux /vmlinuz-6.1.0-7-arm64
[...]
shim.c:665:verify_buffer_authenticode() Attempting to verify signature 0:
shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (db)
shim.c:154:check_db_cert_in_ram() trying to verify cert 1 (db)
shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (MokListRT)
shim.c:164:check_db_cert_in_ram() AuthenticodeVerify() succeeded: 1
grub> boot
[Security] 3rd party image[0] can be loaded after EndOfDxe: MemoryMapped(0x2,0x6A03D000,0x6C72D7C0).
DxeImageVerificationLib: Image is signed but signature is not allowed by DB and SHA256 hash of image is not found in DB/DBX.
The image doesn't pass verification: MemoryMapped(0x2,0x6A03D000,0x6C72D7C0)
error: cannot load image.

However:

(b) SB works with Ubuntu's shim, grub and kernel [2]
(c) SB works using a self-signed shim, grub, and kernel from unstable

The Ubuntu output (b) is:

grub> linux /vmlinuz-6.2.0-18-generic
shim.c:665:verify_buffer_authenticode() Attempting to verify signature 0:
shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (dbx)
shim.c:154:check_db_cert_in_ram() trying to verify cert 1 (dbx)
shim.c:154:check_db_cert_in_ram() trying to verify cert 2 (dbx)
shim.c:154:check_db_cert_in_ram() trying to verify cert 3 (dbx)
shim.c:154:check_db_cert_in_ram() trying to verify cert 4 (dbx)
shim.c:154:check_db_cert_in_ram() trying to verify cert 5 (dbx)
shim.c:154:check_db_cert_in_ram() trying to verify cert 6 (dbx)
shim.c:154:check_db_cert_in_ram() trying to verify cert 7 (dbx)
shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (db)
shim.c:154:check_db_cert_in_ram() trying to verify cert 1 (db)
shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (MokListRT)
shim.c:164:check_db_cert_in_ram() AuthenticodeVerify() succeeded: 1
grub> boot
EFI stub: Booting Linux Kernel...
EFI stub: EFI_RNG_PROTOCOL unavailable
EFI stub: ERROR: FIRMWARE BUG: kernel image not aligned on 64k boundary
EFI stub: ERROR: FIRMWARE BUG: Image BSS overlaps adjacent EFI memory region
EFI stub: Generating empty DTB
EFI stub: Exiting boot services...
EFI stub: UEFI Secure Boot is enabled.

And the Debian self-signed output (c) is:

grub> linux /vmlinuz-6.1.0-7-arm64.selfsigned
[...]
shim.c:665:verify_buffer_authenticode() Attempting to verify signature 0:
shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (db)
shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (MokListRT)
shim.c:164:check_db_cert_in_ram() AuthenticodeVerify() succeeded: 1
shim.c:665:verify_buffer_authenticode() Attempting to verify signature 1:
shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (db)
shim.c:164:check_db_cert_in_ram() AuthenticodeVerify() succeeded: 1
grub> boot
[Security] 3rd party image[0] can be loaded after EndOfDxe: MemoryMapped(0x2,0x6A040000,0x6C730E68).
DxeImageVerificationLib: Image is signed but signature is not allowed by DB and SHA256 hash of image is not found in DB/DBX.
DxeImageVerification: MeasureVariable (Pcr - 7, EventType - 800000E0, VariableName - db, VendorGuid - D719B2CB-3D3A-4596-A3BC-DAD00E67656F)
MeasureBootPolicyVariable - Not Found
None of Tcg2Protocol/CcMeasurementProtocol is installed.
[...]
EFI stub: Booting Linux Kernel...
EFI stub: EFI_RNG_PROTOCOL unavailable
EFI stub: UEFI Secure Boot is enabled.

As for the way forward: the diff between Debian's grub and Ubuntu's is
non-trivial, so comparing the two may not be the best course of action. I see
that there is an old patchset at https://bugs.debian.org/836140 which could be
forward-ported though.

In any case there are two difficulties when it comes to testing a new grub
version:

- Secure Boot just works when self-signing (c), and I'm not sure why that is
the case. We need to be able to reproduce the issue (a) with a self-signed
version of grub.

- There is no version of grubaa64.efi with debugging symbols enabled.
grub-efi-amd64-dbg provides unstripped versions of all the individual grub
modules, but there is no equivalent for the monolithic images.

--
[0] /usr/lib/shim/shimaa64.efi.signed from shim-signed 1.39

[1] /usr/lib/grub/arm64-efi-signed/grubaa64.efi.signed from
grub-efi-arm64-signed 2.06-8

[2] shim-signed_1.54+15.7-0ubuntu1_arm64.deb
grub-efi-arm64-signed_1.192+2.06-2ubuntu16_arm64.deb
linux-image-6.2.0-18-generic_6.2.0-18.18_arm64.deb
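The three log excerpts above differ in two things: which key store shim credited for the kernel's signature (db, dbx or MokListRT), and whether the firmware's own DxeImageVerificationLib check ran on the kernel afterwards. The following Python script is an added example, not code from the bug report or from the shim/grub projects; it parses the shim debug lines plus the firmware and EFI-stub messages and classifies each boot. The sample logs are copied from the report above (the dbx lines of the Ubuntu log are abbreviated); the function names and verdict labels are my own.

```python
"""Classify verbose shim + firmware boot logs by which Secure Boot key store
accepted the kernel image.  Added example, not code from the bug report or
from shim/grub; sample logs below are copied (abbreviated) from the report,
the function names and verdict labels are assumptions of this example."""
import re
from dataclasses import dataclass, field

# shim's verbose lines: which signature is being checked, which store/cert is
# tried, and whether AuthenticodeVerify() accepted the signature with that cert.
SIG_RE = re.compile(r"verify_buffer_authenticode\(\) Attempting to verify signature (\d+):")
TRY_RE = re.compile(r"check_db_cert_in_ram\(\) trying to verify cert (\d+) \((\w+)\)")
OK_RE = re.compile(r"AuthenticodeVerify\(\) succeeded: 1")

# Lines emitted by the firmware (edk2) and by the kernel's EFI stub, not by shim.
FW_DB_REJECT = "DxeImageVerificationLib: Image is signed but signature is not allowed by DB"
FW_LOAD_FAIL = "The image doesn't pass verification"
KERNEL_STARTED = "EFI stub: Booting Linux Kernel"


@dataclass
class BootVerdict:
    accepted_by: dict = field(default_factory=dict)  # signature index -> store that accepted it
    firmware_db_reject: bool = False  # firmware applied its own DB/DBX policy and logged a rejection
    load_failed: bool = False         # firmware refused to load the image
    kernel_started: bool = False      # the EFI stub ran, so the image was executed


def analyze(log: str) -> BootVerdict:
    """Walk the log once; a 'succeeded: 1' line credits the store named by the
    most recent 'trying to verify cert' line for the current signature."""
    v = BootVerdict()
    sig, last_store = None, None
    for line in log.splitlines():
        if m := SIG_RE.search(line):
            sig, last_store = int(m.group(1)), None
        elif m := TRY_RE.search(line):
            last_store = m.group(2)
        elif OK_RE.search(line) and sig is not None:
            v.accepted_by[sig] = last_store
        elif FW_DB_REJECT in line:
            v.firmware_db_reject = True
        elif FW_LOAD_FAIL in line:
            v.load_failed = True
        elif KERNEL_STARTED in line:
            v.kernel_started = True
    return v


def diagnose(v: BootVerdict) -> str:
    stores = set(v.accepted_by.values())
    if v.kernel_started and not v.firmware_db_reject:
        return "ok"  # shim's verdict was final; the firmware did not re-verify the kernel
    if v.kernel_started:
        return "booted-after-firmware-db-check"  # firmware logged a DB rejection but still ran the image
    if v.load_failed and stores == {"MokListRT"}:
        # shim trusted the image only via MOK; the firmware's DB/DBX-only policy then rejected it
        return "mok-only-rejected-by-firmware"
    return "unknown"


# Sample input: excerpts of cases (a), (b) and (c) from the report above.
LOG_A = """\
shim.c:665:verify_buffer_authenticode() Attempting to verify signature 0:
shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (db)
shim.c:154:check_db_cert_in_ram() trying to verify cert 1 (db)
shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (MokListRT)
shim.c:164:check_db_cert_in_ram() AuthenticodeVerify() succeeded: 1
DxeImageVerificationLib: Image is signed but signature is not allowed by DB and SHA256 hash of image is not found in DB/DBX.
The image doesn't pass verification: MemoryMapped(0x2,0x6A03D000,0x6C72D7C0)
error: cannot load image.
"""

LOG_B = """\
shim.c:665:verify_buffer_authenticode() Attempting to verify signature 0:
shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (dbx)
shim.c:154:check_db_cert_in_ram() trying to verify cert 7 (dbx)
shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (db)
shim.c:154:check_db_cert_in_ram() trying to verify cert 1 (db)
shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (MokListRT)
shim.c:164:check_db_cert_in_ram() AuthenticodeVerify() succeeded: 1
EFI stub: Booting Linux Kernel...
EFI stub: UEFI Secure Boot is enabled.
"""

LOG_C = """\
shim.c:665:verify_buffer_authenticode() Attempting to verify signature 0:
shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (db)
shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (MokListRT)
shim.c:164:check_db_cert_in_ram() AuthenticodeVerify() succeeded: 1
shim.c:665:verify_buffer_authenticode() Attempting to verify signature 1:
shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (db)
shim.c:164:check_db_cert_in_ram() AuthenticodeVerify() succeeded: 1
DxeImageVerificationLib: Image is signed but signature is not allowed by DB and SHA256 hash of image is not found in DB/DBX.
EFI stub: Booting Linux Kernel...
EFI stub: UEFI Secure Boot is enabled.
"""

if __name__ == "__main__":
    for name, log in (("(a) Debian", LOG_A), ("(b) Ubuntu", LOG_B), ("(c) self-signed", LOG_C)):
        v = analyze(log)
        print(f"{name}: accepted by {v.accepted_by} -> {diagnose(v)}")
```

Running it shows that in (a) and (b) shim reached the same verdict (the single signature was accepted against MokListRT); what differs is that in (a) the firmware's DxeImageVerificationLib then re-checked the kernel against DB/DBX, where a MOK-only certificate is unknown, and refused to load it. In (c) the second signature was accepted against db, which is consistent with the firmware logging a DB rejection for one signature yet still running the image. This matches the reproduction in the follow-up message, where a key enrolled only in MOK triggers the failure and the snakeoil key present in DB does not.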

Emanuele Rocca

Apr 3, 2023, 5:50:05 AM
On 2023-03-29 04:13, Emanuele Rocca wrote:
> We need to be able to reproduce the issue (a) with a self-signed
> version of grub.

I did manage to reproduce with a self-signed grub by using a new key
instead of the one included in AAVMF_VARS.snakeoil.fd. The latter is
included in PK and DB, while to reproduce we need a key present in MOK
only.

openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/CN=My Name/"
openssl x509 -inform der -in MOK.der -out MOK.pem

After enrolling the key from fwsetup, I could get the exact same error
with a self-signed grub as I get with the one signed with Debian CA:

grub> linux /vmlinuz-6.1.0-7-arm64.onlymok
grub> boot
[Security] 3rd party image[0] can be loaded after EndOfDxe: MemoryMapped(0x2,0x6A045000,0x6C735DC0).
DxeImageVerificationLib: Image is signed but signature is not allowed by DB and SHA256 hash of image is not found in DB/DBX.
The image doesn't pass verification: MemoryMapped(0x2,0x6A045000,0x6C735DC0)
error: cannot load image.

Emanuele Rocca

Apr 3, 2023, 10:30:04 AM
Control: tags -1 + patch

Proposed fix:
https://salsa.debian.org/grub-team/grub/-/merge_requests/32