[Bug 1708245] Re: shim can't enable validation and enroll keys in one sitting
Mauricio Faria de Oliveira
mfo at canonical.com
Mon Sep 10 14:53:14 UTC 2018
Yes, and it all goes well in the secure-boot VM.
As this covers the testing in the bug description, changing verification
tags to done.
Thanks.
Procedure
=========
Generate x509 certificate:
---
# openssl genrsa -out key.pem 4096
# openssl req -new -sha256 -key key.pem -out csr.csr
# openssl req -x509 -sha256 -days 365 -key key.pem -in csr.csr -out cert.pem
# openssl x509 -in cert.pem -outform der -out cert.der
Key Enrollment:
---
# mokutil --import cert.der
# reboot
< MOK management menu, enroll key, reboot >
# cat /proc/keys # that key is listed
Toggling Validation (Secure Boot State)
---
1) Disable
# ls /sys/firmware/efi/efivars/MokSBStateRT-*
ls: cannot access /sys/firmware/efi/efivars/MokSBStateRT-*: Invalid argument
# mokutil --disable-validation
# reboot
< MOK management menu, change secure boot state to disabled, reboot >
# cat /proc/keys # does not list secure-boot related keys anymore
# ls /sys/firmware/efi/efivars/MokSBStateRT-*
/sys/firmware/efi/efivars/MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23
# hexdump -Cv /sys/firmware/efi/efivars/MokSBStateRT-* # the last byte is 1
00000000 06 00 00 00 01 |.....|
2) Enable
# mokutil --enable-validation
# reboot
< MOK management menu, change secure boot state to enabled, reboot >
# cat /proc/keys # lists secure-boot related keys and cert.der
# ls /sys/firmware/efi/efivars/MokSBStateRT-*
ls: cannot access /sys/firmware/efi/efivars/MokSBStateRT-*: Invalid argument
Toggling Validation and Enrolling
---
# mokutil --disable-validation
# reboot
< MOK management menu, change secure boot state to disabled, reboot >
# ... generate another x509 certificate (see above)
# mokutil --import cert.der
# mokutil --enable-validation
# reboot
< MOK management menu, enroll key, change secure boot state to enabled, reboot >
# cat /proc/keys # the new key is listed
# ls /sys/firmware/efi/efivars/MokSBStateRT-*
ls: cannot access /sys/firmware/efi/efivars/MokSBStateRT-*: Invalid argument
** Tags removed: verification-needed-trusty
** Tags added: verification-done-trusty
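The check below is an added example; it is not part of this bug comment and not code from shim or mokutil. It reads the same MokSBStateRT variable the procedure above inspects with hexdump and reports the validation state the way the test cases define it: the variable is absent when validation is enabled, and its data byte is 1 when validation is disabled. The GUID is the one shown in the ls output above; the function names and the optional path argument are assumptions so the check can be run against a constructed file, and the "data byte 0" branch is a constructed case the bug report never shows.

```shell
#!/bin/sh
# Added example (not from the bug report, shim or mokutil): report the
# MokManager Secure Boot validation state from the MokSBStateRT EFI
# variable. An efivars file carries 4 attribute bytes followed by the
# variable data, so "06 00 00 00 01" means attributes 0x6 and data byte 1
# (validation disabled). When validation is enabled the variable is absent.

# Assumed helper: print "enabled", "disabled" or "unknown" for the given
# efivars file (defaults to the live variable, which needs root to read).
mok_sb_state() {
    mok_var="${1:-/sys/firmware/efi/efivars/MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23}"
    if [ ! -e "$mok_var" ]; then
        echo "enabled"       # variable absent: shim validates signatures
        return 0
    fi
    # Read one byte at offset 4 (just past the attribute bytes) as decimal.
    mok_byte=$(od -An -tu1 -j4 -N1 "$mok_var" | tr -d ' ')
    case "$mok_byte" in
        1) echo "disabled" ;;
        0) echo "enabled" ;;  # constructed case: variable present, data byte 0
        *) echo "unknown"; return 2 ;;
    esac
}

# Assumed helper for a compliance check: exit 1 when validation is disabled,
# 2 when the variable could not be interpreted, 0 when validation is enabled.
mok_sb_check() {
    mok_state=$(mok_sb_state "$1") || return 2
    [ "$mok_state" = "disabled" ] && return 1
    return 0
}

# Stand-alone run against the live variable (root needed to read efivars).
if [ "${0##*/}" != "sh" ] && [ -z "$MOK_SB_NO_MAIN" ]; then
    mok_sb_state
fi
```

Run as root on a system with efivarfs mounted; mok_sb_check is meant for a post-upgrade or periodic check that flags a machine left with validation disabled, which is exactly the state the upgrade path in this bug was designed to avoid leaving behind.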
--
https://bugs.launchpad.net/bugs/1708245
Title:
shim can't enable validation and enroll keys in one sitting
Status in grub2 package in Ubuntu:
Fix Released
Status in grub2-signed package in Ubuntu:
Fix Released
Status in shim package in Ubuntu:
Fix Released
Status in shim-signed package in Ubuntu:
Fix Released
Status in grub2 source package in Trusty:
Fix Committed
Status in grub2-signed source package in Trusty:
Fix Committed
Status in shim-signed source package in Trusty:
Fix Committed
Status in grub2 source package in Xenial:
Fix Released
Status in grub2-signed source package in Xenial:
Fix Released
Status in shim source package in Xenial:
Fix Committed
Status in shim-signed source package in Xenial:
Fix Released
Status in grub2 source package in Zesty:
Won't Fix
Status in grub2-signed source package in Zesty:
Won't Fix
Status in shim source package in Zesty:
Won't Fix
Status in shim-signed source package in Zesty:
Won't Fix
Status in grub2 source package in Artful:
Fix Released
Status in grub2-signed source package in Artful:
Fix Released
Status in shim source package in Artful:
Fix Committed
Status in shim-signed source package in Artful:
Fix Released
Bug description:
[Impact]
[Test cases]
First, update shim to the newest version.
= Boot test =
1) Reboot.
2) Validate that the system boots correctly in UEFI mode.
= Key enrollment =
1) Create a new x.509 certificate to import into MOK.
2) Run 'mokutil --import cert.der'
3) Reboot
4) Execute the steps described on screen to enroll the new key.
= Toggling validation =
1) Run 'mokutil --disable-validation'
2) Reboot.
3) Follow the steps on screen to toggle validation.
4) Boot to the system, validate that validation is disabled:
$ sudo hexdump -Cv /sys/firmware/efi/efivars/MokSBStateRT-*
The output should read the last byte as a 1.
5) Run 'mokutil --enable-validation'
6) Reboot.
7) Follow the steps on screen to toggle validation.
8) Boot to the system, validate that validation is enabled again:
$ hexdump -Cv /sys/firmware/efi/efivars/MokSBStateRT-*
The file should not exist.
= Toggling validation and enrolling =
1) Disable validation, as above, and reboot into the system.
2) Create a new x.509 certificate to import into MOK.
3) Run 'mokutil --import cert.der'
4) Run 'mokutil --enable-validation'
5) Reboot.
6) Follow the steps on screen to proceed through toggling validation in shim.
Once that step is done, you should be returned to the MokManager menu to complete further steps.
7) Follow the steps on screen to enroll the new key.
Once completed, you should have the option at the bottom of the menu to Reboot.
8) Reboot into the system.
9) Validate that MOK validation is enabled and the new key is enrolled:
Run:
$ sudo hexdump -Cv /sys/firmware/efi/efivars/MokSBStateRT-*
The file should not exist.
Then run:
$ sudo cat /proc/keys
And make sure the key you enrolled is present.
[Regression potential]
Failure to boot or validate validly signed EFI binaries (bootloader) might be possible regressions. The shim update modifies the enrollment process for new keys, and as such it might also be possible for the enrollment of a new key to fail in MokManager, rendering the validation process unstable: it may fail to validate validly signed EFI binaries signed by keys already present in the database or that were to be enrolled.
---
We want to enable validation and enroll a new key in shim all at the
same time on upgrade from previous releases.
Currently, shim will wipe out all pending variables when it's done
processing one of them (because it wants to reboot immediately after
that action). That means if we re-enable validation, we lose the
request to enroll the key, and vice-versa.
This needs fixing as it would otherwise badly impact upgrades from
zesty and earlier, where we might have walked users through disabling
validation.