
Bug#1013320: shim: Issues with RSA 4096 in MOKList certificates


Yves-Alexis Perez

Jun 21, 2022, 12:00:03 PM
Source: shim
Version: 15.4-7
Severity: normal

Hi,

I was trying to follow
https://wiki.debian.org/SecureBoot#MOK_-_Machine_Owner_Key to be able
to sign my locally built kernels (especially for debugging purposes).

As I already have a signing setup using my OpenPGP smartcard, and I
prefer not having the private key on the same system as the code to be
signed, I tried to use the signature key on my smartcard to generate a
self-signed certificate, then import that certificate to the MOKList
using the steps described in the wiki.

Unfortunately, while importing the key itself (mokutil --import + the
step after reboot) works, after that shim freezes when loading the
grubx64.efi image (according to debug logs with mokutil --set-verbosity
true).

In order to rule out any issue with the smartcard setup, I used the
exact steps described in the wiki, replacing rsa:2048 with rsa:4096 in the
key generation. The same behavior is exhibited, so it really looks like
RSA 4096 is not totally supported in shim.

What's weird is when using the boot menu on my laptop and trying to load
fwupdx64.efi, it somehow tries to load grubx64.efi and fwupdx64.efi and
this time it manages to load properly, so there's definitely something
fishy here.

The tests were done on a LENOVO Thinkpad X280 laptop with latest
firmware. If you need more information, please ask!

Regards,
--
Yves-Alexis
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (450, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.18.0-2-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
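Added example, not part of the bug report or of shim: a POSIX shell script that generates a MOK certificate with the same openssl invocation the Debian wiki's MOK section uses (key size parameterised), then reads the modulus size back out of the DER file so a 4096-bit key is flagged before it is enrolled with `mokutil --import`. It assumes openssl is installed; the CN, directory names and the `make_mok`/`mok_key_bits`/`check_mok` function names are placeholders chosen here.

```shell
#!/bin/sh
# Added example (not from the bug report): generate a MOK certificate the way
# the Debian wiki does, then read back the RSA modulus size so a 4096-bit key
# (reported above to freeze shim 15.4-7 at grubx64.efi) is caught before
# `sudo mokutil --import MOK.der`. Assumes openssl is on PATH; mokutil itself
# is never invoked here.
set -eu

# make_mok BITS OUTDIR -> writes OUTDIR/MOK.priv and OUTDIR/MOK.der
make_mok() {
    bits=$1; dir=$2
    mkdir -p "$dir"
    # Same invocation as the wiki's MOK section, with rsa:2048 parameterised.
    openssl req -new -x509 -newkey "rsa:$bits" -nodes \
        -keyout "$dir/MOK.priv" -outform DER -out "$dir/MOK.der" \
        -days 36500 -subj "/CN=Local kernel signing key/" 2>/dev/null
}

# mok_key_bits CERT.der -> prints the RSA modulus size in bits.
# Matches both "Public-Key: (N bit)" (OpenSSL 3) and "RSA Public-Key: (N bit)" (1.1).
mok_key_bits() {
    openssl x509 -inform DER -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# check_mok CERT.der -> returns 0 when the key size is the one the wiki uses
# (2048 bits), 1 when it is larger, since the report above shows shim hanging
# on a 4096-bit MOK while a 2048-bit one works.
check_mok() {
    bits=$(mok_key_bits "$1")
    if [ "$bits" -gt 2048 ]; then
        echo "$1: RSA $bits-bit key; >2048-bit MOKs hang shim 15.4-7 (Bug#1013320)" >&2
        return 1
    fi
    echo "$1: RSA $bits-bit key, safe to enrol with mokutil --import"
}
```

Run `make_mok 2048 ./mok && check_mok ./mok/MOK.der` before enrolling; the same check can be applied to any DER certificate exported from the firmware's MOK list.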

Yves-Alexis Perez

Oct 13, 2022, 3:00:04 AM

On Tue, 2022-06-21 at 17:48 +0200, Yves-Alexis Perez wrote:
> The tests were done on a LENOVO Thinkpad X280 laptop with latest
> firmware. If you need more information, please ask!

Hi, is this issue still on someone's radar?

Regards,
--
Yves-Alexis